- slide 1 of 3
Disk Encryption Theory
What disk encryption attempts to do can be summarized in three parts: the stored data on the disk should remain confidential, while providing quick and efficient retrieval and at the same time not wasting disk space. Approaches tend to be in two directions: disk encryption through hardware, and disk encryption through software.
- slide 2 of 3
Hardware encryption can work in a number of ways. While it can require some sort of password to access the hard disk and decrypt the data, this brings in many of the weaknesses of software encryption and is generally considered unsafe. What many hardware encryption suites require is some sort of physical key to be plugged into the system for the hard disk to be decrypted properly. Some hardware encryption functions as a small chip that can either go on the motherboard itself, or wired directly into the data path between the motherboard and the hard disk. Typically, this is full disk or whole disk encryption, meaning that every bit of data on the disk is encrypted.
Theoretically speaking, you can get far better results with data encryption done through hardware than with software. While software can be picked apart one line of code at a time, it's much easier to make any encrypted information transparent if it's done entirely on the hard disk level, the most basic level that there can be. Arguably, hardware encryption that is fully integrated with the machine is also faster than pure software encryption.
This also means that someone can't just pop out your hard drive and hook it up to their own, non-encrypted OS, as is the case with software encryption. Physical access may be total access, but you can certainly put a few roadblocks in the way.
It's hard to say much on the subject of hardware encryption. Why? Because most companies keep any remotely explicit information on their systems as proprietary secrets. This makes it difficult to really judge how effective any of these systems are, and to weigh in on what data encryption hardware you should purchase.
- slide 3 of 3
More common is software encryption. While this is generally considered less secure, it does not require specialized hardware to do the job, and can be done quickly and cheaply—often for free, and on the fly, hence “on the fly encryption”. So, software encryption is far more flexible than hardware encryption, making it more suited to portable devices like laptops and flash drives.
Most software encryption programs work by requiring a password to either encrypt or decrypt data on the hard disk, using the given program.
Software may encrypt either individual files, folders, or create encrypted volumes. While software encryption can come close to duplicating whole disk encryption, it still cannot encrypt certain functions, such as the master boot log, a serious vulnerability. Another major weakness of software encryption is that it doesn't typically encrypt temporary files, which may also have sensitive information on them.
There are many features that may be available on encryption software. One of the most useful of these is the ability to create “hidden volumes”, which are basically password-protected volumes within the main container volume. This allows for plausible deniability. What one can do is create nests of encrypted volumes, so that while a user may be forced to give up the initial password, without explicit knowledge of the other encrypted volumes a potential hacker can't know that there is more data on the device
Most operating systems have some sort of encryption software built in, which can generally get a basic level of encryption done and protect against basic attacks. For more advanced protection, you might need to go hunting for something that suits your needs, and there is a huge variety to select from, from opensource freeware like GNU Privacy Guard and True Crypt to proprietary software like CheckPoint.