As much as you might argue that the notebook loss by the Department of Veterans Affairs and similar incidents were due to bad practice, thats why we sometimes recommend a belt-and-suspenders approach.
Now Seagate has announced a hard drive with integrated encryption capabilities named DriveTrust. Its an interesting development and certainly not a bad thing, although what it addresses is way down the list of serious security problems faced by users and enterprises.
At minimum, the drive can force the user to enter a password at boot time, before any software has been loaded off of it, in order to proceed. Additional support from Seagate and a software development kit for ISVs allow integration with biometrics and corporate authentication systems. Since the notebook drive market is the initial target for Seagate it would seem that biometrics are the obvious addition.
Both notebook and hard disk vendors need this sort of advance. The hard disk market is a brutal commoditized market and features like hardware encryption could attract notebook OEM contracts for high-end models. The notebook vendors are all starting to push integrated fingerprint readers, so a secure hard disk is right on-theme, especially if they integrate the two right out of the box.
And dont just assume this is going to happen; many of those integrated fingerprint readers come with no software for authenticating against a network directory or being managed centrally. This makes them almost useless in an enterprise environment and, in some ways, dangerous. The point is that theres a lot more to notebook security than just plopping in "security hardware."
Details are still somewhat lacking, but Seagate seems to be off to a good start with its products, which rely on standard protocols such as AES, triple-DES, RSA, and SHA-1. As Bruce Schneier pointed out in his little piece on the drives, its unclear how Seagate will handle the important issue of key management, but there are good ways as well as bad for it to follow.
If Seagate does a good job, the data on the drive should be highly secure. Perhaps 007 could bring such a drive back to the lab and Q could decrypt it by remounting the platters in an unprotected drive and then cracking the encryption, but such activities are beyond the capabilities of almost all attackers, even very smart ones.
According to Seagate, information stored on DriveTrust drives can be "instantly erased." Presumably this means destroying the keys necessary to decrypt it, not the same thing as erasing the data if you ask me. But it is another strong point.
The company points out the benefits relative to software encryption, mainly in terms of performance. Software encryption will consume CPU cycles, and perhaps memory, that the Seagate drive will not. "When you compare it [DriveTrust] to other software-based protection systems, the big disadvantage with the latter is that youre still using up a lot more CPU," Scott Shimomura, senior product marketing manager at Seagate, told ExtremeTech. "By running in firmware on dedicated chip, the performance impact using DriveTrust is virtually nonexistent." But the truth of this comparison may be more complicated than that.
The higher-end Enterprise and Ultimate editions of Windows Vista will contain software drive encryption called BitLocker. DriveTrust encrypts the entire drive; BitLocker requires that the drive be partitioned into system and data volumes (generally a good practice anyway) and only the system volume is encrypted, although the older Windows EFS (Encrypted File System) can be used on data volumes. Microsoft has demonstrated future versions of BitLocker that can encrypt whole drives.
BitLocker probably also has an advantage in flexibility; if problem fixes are necessary or optimizations developed, they are easier to deploy to a part of the operating system than to firmware on notebooks. Its also manageable through standard Windows management facilities like WMI, and integrates with Active Directory. In an era where CPUs arent usually very taxed, BitLocker may be a good investment in CPU time.
Or maybe not. Drive encryption is a new development, in real market terms. But no matter which approach wins in the market, it should improve notebook security in an important way.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer