
Wednesday, March 5, 2008

Rethinking the Data Encryption Approach

It is obvious that we must radically rethink our approach to data encryption.

Software-only solutions for protecting data-at-rest and for authentication are no longer state-of-the-art. Hardware-based solutions, available from all PC OEMs for enterprise-class PCs, appear to be a more secure and more streamlined approach. Native hardware-based encryption runs without the performance penalty inherent to all software-based encryption approaches, and it also eliminates the possibility of the key being hacked out, because the encryption key is never exposed, even to the OS.

Temporary data (encryption keys, passwords, etc.) should no longer be stored in DRAM. These keys and certificates need to be protected in hardware. The recent DRAM attack presented by the Princeton folks is a strong reminder that your keys are not safe with a software-only solution. As Seagate commented, there are in theory any number of ways to lift temporary data from DRAM when data-at-rest is protected by software alone.

The best, and really the only, way to prevent the lifting of sensitive temporary data from DRAM is simply to avoid storing sensitive data in DRAM at all.

The Seagate MOMENTUS FDE.2 native hard drive encryption approach is a simple one. This solution is available from Dell (Latitude series of notebooks), Lenovo and also from NEC Europe.

Keep the encryption key in a safe partition of the hard drive and do not make it available for the system to see.

The Seagate MOMENTUS FDE.2 does just that. It works as follows:

Users must authenticate themselves directly to the drive using a password before the drive will unlock and allow the normal OS to boot. This does not use either the BIOS or the OS to perform the authentication.

The Seagate MOMENTUS FDE.2 drive supports a more secure authentication approach in which the authentication to the drive is done using an alternate pre-boot OS held in a protected area of the drive, and it also supports the new ATA security commands Trusted Send and Trusted Receive to protect the password in transit.

If the authentication is successful, as determined by the Seagate MOMENTUS FDE.2 drive, then the drive is unlocked and the system is allowed to boot normally.

With this solution, not only is the authentication done before any foreign software is allowed to load, the encryption keys are never exposed outside the protected hardware of the drive itself, including the user area of the drive or in the OS, which is what these attacks are exploiting.
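The drive-level password described above is exposed to an administrator through the ATA Security feature set, and on Linux `hdparm -I` reports whether it is supported, enabled, locked or frozen. The following is an added example, not code from the original post or from Seagate: a small parser for that section, run here over a constructed sample of `hdparm -I` output, so a defender can check that a drive password is actually set rather than merely supported.

```python
"""Report ATA Security state from `hdparm -I` output (added example)."""

# Constructed sample mimicking the "Security:" section of `hdparm -I`;
# the model number is a placeholder, not a real device identifier.
SAMPLE_HDPARM = """\
ATA device, with non-removable media
\tModel Number:       PLACEHOLDER-DRIVE
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\t\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
Checksum: correct
"""

FLAGS = ("supported", "enabled", "locked", "frozen")


def parse_security(hdparm_output):
    """Return {flag: bool} for the flags found in the Security section.

    hdparm prints one flag per line, prefixed with "not" when it is off;
    lines with extra words ("supported: enhanced erase") are skipped.
    """
    state = {}
    in_section = False
    for line in hdparm_output.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if in_section and line and not line[0].isspace():
            break  # reached the next top-level section
        tokens = line.split()
        if not in_section or not tokens:
            continue
        negated = tokens[0] == "not"
        word = (tokens[1] if negated else tokens[0]).rstrip(":")
        if word in FLAGS and len(tokens) == (2 if negated else 1):
            state[word] = not negated
    return state


def assess(state):
    """(ok, reason): ok only when a drive password is actually enabled."""
    if not state.get("supported"):
        return False, "drive does not implement the ATA Security feature set"
    if not state.get("enabled"):
        return False, "ATA Security is supported but no drive password is set"
    return True, "drive password enabled" + (" (frozen by BIOS)" if state.get("frozen") else "")
```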

2 comments:

Anonymous said...

Data encryption is a very important topic to which every computer engineer should pay very special attention. It is the future.

Esther (Authentic Spanish Woman)

Anonymous said...

How is the data crypt coming along? It is a very interesting topic, more than anything... in case one of mine dies on me.

Sucedaneo de paella