Full Disk Encryption
Full disk encryption software uses a symmetrical encryption algorithm to encrypt every block on a hard disk or other persistent storage media (e.g., flash drives, etc.). The idea is that even if the storage device is lost or stolen, none of the contents of the filesystem will be compromised.
A key consideration with full disk encryption is generating and securing the encryption key. Normally a single, long, pseudo-random encryption key is used to encrypt the storage device. User keys are used to encrypt/decrypt the disk encryption key. User keys, in turn, may be:
- Derived from a user's password, entered manually.
- Retrieved from a physical device, such as a TPM module on a PC or a smart card inserted by the user.
The most common approach to key management on personal computers (i.e., not servers where system startup typically must proceed unattended) is to prompt the user to enter a password prior to starting the PC's operating system. The password decrypts the user's key, which in turn decrypts the data key that encrypts/decrypts hard drive contents.
Where pre-boot password authentication is used, the pre-boot password may be synchronized with the user's primary network login password -- usually an Active Directory password. This reduces the number of distinct passwords users must remember and type.
If a user forgets his pre-boot password, he must go through an unlock process. Typically the full disk encryption software presents the user with a challenge string, which the user communicates to an IT support person with access to a key recovery application. The support person enters the challenge string and reads back a response, which the user must type. A correct response will unlock the user's PC, at which time the user should choose a new password (and remember it this time!).
Hitachi ID Password Manager enables users whose PC is protected with a disk encryption software and who have forgotten the password they type to unlock their computer to reactivate their PC.
The process for key recovery is as follows:
- The user selects the "unlock" user interface at the boot prompt of the disk encryption software. Note that this is available before the operating system boots.
- The user calls the help desk phone number and selects the "PC boot problem" menu option. This is configured on the existing help desk telephone system.
- The user's phone call is connected to Hitachi ID Telephone Password Manager - the self-service telephone user interface component of Password Manager.
- The user identifies himself. There are several identification options, including touch-tone input of a numeric identifier such as the user's employee number or speech-to-text entry of the user's network login ID.
- The user authenticates himself. There are several authentication options, including touch-tone input of answers to security questions (e.g., driver's license number, date of birth, social security number, etc.) or biometric voice print verification.
- The user then acts as a relay between the challenge strings displayed by his full disk encryption software and the response strings which Telephone Password Manager reads back to the user. The user keys strings he sees on the screen into the phone and keys strings he hears on the phone into his PC.