FlagStone/Eclypt Hard Drive Encryption Explained

All data held on a FlagStone/Eclypt hard drive is encrypted automatically, regardless of its location within the drive.

Good data-at-rest protection has multiple layers of defence.

  1. Tamper-evident outer casing.
  2. Tamper-respondent inner layer.
  3. The key is held securely, separately from the encryption engine and off the storage media, so it cannot be read from the computer or the network.
  4. The in-line encryption cannot be bypassed.
  5. The internal hard drive is not accessible until strong, yet easy to remember, authentication has succeeded.
  6. The internal hard drive is 100% encrypted.

As the encryption is performed by immutable, dedicated hardware components, FlagStone drives are independent of the operating system, and the host processor is not slowed down by encryption work.

The encryption hardware is also future-proofed: there is no need to update your encryption when a new service pack is released or when you move to a new operating system.

Other Hardware Encryption

Many alternative hardware encryption devices cut back on these protective layers to save space, so the drive and its data may be less secure than you assume.

Their encryption firmware is held in a modifiable program store so that it can be adapted for different manufacturers; the same property means it can also be modified by an attacker.

Because the encryption is not in-line, it can be bypassed. This is by design, to allow the drive's components to report on their condition, but it means the data could potentially be obtained without authentication.

Software Encryption Schema

Showing its relationship with (Microsoft) unsupported code:

1. Without encryption, calls pass between programs and the processor unaffected.

2. With software encryption, calls between programs and the processor are intercepted by the encryption software, which encrypts the data.

3. After a Microsoft update, calls that the encryption software previously intercepted are redirected around it. New data is no longer encrypted, and existing encrypted data is not decrypted.

The original quick fix to prevent data being read was software encryption. As with any software, it is exposed to multiple attacks, including network key-discovery spyware, spear phishing and viruses.

Software encryption programmes must be compatible with the specific operating system, service pack and patches.

The best software encryption places its functionality as close to the computer's processor as possible, so that it sits at the bottom of the call stack and is unlikely to be bypassed. However, any change to Microsoft's operating system (known as unsupported code for good reason) can circumvent the encryption software, leaving new data unencrypted or preventing previously encrypted data from being converted back to clear text.

Software encryption users therefore need to test each change to the operating system thoroughly (Microsoft has released 19 security updates to Vista in the last year) to confirm that the encryption is still working correctly. Furthermore, when new programmes are added to a computer protected by software encryption, the user needs to check that they do not use shared memory in a way that would stop either programme operating correctly.
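The three-step schema above and the advice to re-test after every operating-system change can be made concrete with a small model. The following is an added example, not Stonewood's code or any part of a FlagStone product: it models a write path as a stack of layers, interposes a software-encryption layer (step 2), simulates an update that redirects calls around that layer (step 3, an assumed form of the bypass), and runs the check a user should perform after any change: written data must reach the media as ciphertext (the "100% encrypted" property claimed for the hardware drive) and data written earlier must still read back correctly. The cipher is a constructed HMAC-SHA256 counter-mode keystream standing in for a real product's algorithm, and the plaintext record is constructed sample data.

```python
"""Toy model of a software-encryption write path and an at-rest self-test.

Added example, not the page's or Stonewood's code. The cipher, layer names,
the 'update' and the sample record are all constructed for illustration.
"""
import hashlib
import hmac
import math
from collections import Counter
from typing import Callable, Dict, List

Layer = Callable[[bytes], bytes]

# Constructed sample data: an inventory record repeated to a few kilobytes so
# the entropy estimate below is meaningful.
PLAINTEXT = b"FlagStone drive model: confidential inventory record 0001\n" * 80


def keystream(key: bytes, length: int) -> bytes:
    """Constructed stand-in cipher: HMAC-SHA256 in counter mode (demo only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def make_encrypt_layer(key: bytes) -> Layer:
    """Step 2: the encryption layer interposed between programs and the disk.
    XOR with a keystream is its own inverse, so the same layer decrypts on read."""
    return lambda data: bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_stack(key: bytes, os_update_applied: bool) -> List[Layer]:
    """Step 3 (assumed form of the update): calls are redirected straight to the
    media, so the interposed encryption layer is simply skipped."""
    return [] if os_update_applied else [make_encrypt_layer(key)]


def pass_through(stack: List[Layer], data: bytes) -> bytes:
    """Push data through every layer in order; the output is what lands on the media."""
    for layer in stack:
        data = layer(data)
    return data


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte. Ciphertext approaches 8.0; repetitive text sits far below."""
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def at_rest_looks_encrypted(stored: bytes, plaintext: bytes, min_entropy: float = 7.0) -> bool:
    """The post-change check: the stored bytes must not contain the plaintext
    and must have the high entropy expected of ciphertext."""
    return plaintext not in stored and shannon_entropy(stored) >= min_entropy


def simulate(os_update_applied: bool) -> Dict[str, bool]:
    """Write before and after the (assumed) update and report both checks."""
    key = hashlib.sha256(b"constructed demo key").digest()
    before = build_stack(key, os_update_applied=False)
    after = build_stack(key, os_update_applied)
    stored_earlier = pass_through(before, PLAINTEXT)  # written before the update
    stored_now = pass_through(after, PLAINTEXT)       # written after it
    # Reads traverse the current stack in reverse order.
    read_back = pass_through(list(reversed(after)), stored_earlier)
    return {
        "new_writes_encrypted": at_rest_looks_encrypted(stored_now, PLAINTEXT),
        "old_data_readable": read_back == PLAINTEXT,
    }


if __name__ == "__main__":
    for updated in (False, True):
        print("after update" if updated else "before update", simulate(updated))
```

Before the update both checks pass; after it, new writes land on the media in clear text and data written earlier no longer reads back, which is exactly the failure mode step 3 describes. The entropy threshold of 7.0 bits per byte is a constructed choice for this demonstration, chosen so that repetitive text fails while keystream output passes.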

In addition to the cost of annual rekeying (securing the key is difficult because it resides on the computer's processor, so the best defence is to change it often), software encryption also requires updates, raising its lifetime cost.



Copyright © 2008 Stonewood Electronics Ltd | All rights reserved. All trademarks acknowledged