A Year in the life of FDE

safe

Right from the outset, when I first started UKtech, I knew I would have to protect my customers data.

You do protect your customer’s information, don’t you?

It’s a familiar scenario – your laptop is stolen from car/train/hotel/conference etc and all customer data compromised.

Well not for me!

To ensure that no thief could gain access to my company data, I decided to opt for a military grade solution – right from the start – before there was even any data to steal!

Enter the Dragon….or Full Disk Encryption (FDE for short)

Many mobile (and office) workers are faced with the same dilemma, some, thankfully, are supported by corporate IT departments who secure all their data on their behalf. Other small business have to struggle with concepts and practices that require in-depth computer security knowledge – so they encrypt at the document level, anything they think may pose a risk.

Operating systems however, store huge amounts of unencrypted information available to anyone who wants to look.

Then there is always the possibility that someone will leave a document unencrypted, when they have finished working with it…

I decided to remove chance from the equation and move to FDE – which basically encrypts everything – including the operating system, on the selected hard disk. At first I was worried about a number of issues, the primary one being hard disk imaging.

Let me explain, hard disk ‘images’ are files which contain a snapshot of everything contained on a hard disk, which I use to recover from hard disk failures: a hard disk dies – no problem, I just replace it with a new disk, apply the image, and hey presto I have a working machine again.

The issue here, is that imaging software does not store ’empty space’, so an image of a 200GB hard disk only contains the actual data, and hence does not take long to complete. When you encrypt the whole disk, the imaging software sees the encrypted space as data – and copies it – so you wind up with a 200GB image file. And the imaging process takes two days. (Well, a very long time at least!)

The solution I have adopted is to image the disks before applying FDE – as they contain only the bare operating system and programs – there is no customer data to protect. So I get the best of both worlds – the imaging is really fast and as soon as I need to deploy the machine, I simply run FDE on the disks after imaging.

Job done!

Initial stories about FDE disks running really slowly have proven unfounded – on the Sony Vaio laptops I use, boot speed is almost indistinguishable from new. I have found no downsides at all – years later on.

The only thing I am conscious of, is the backup regime – on the encrypted devices the backup is also encrypted and runs much more frequently than on an office based desktop. On a laptop, if your FDE disk dies, you lose the lot and can only recover from your last backup.

Did I mention that another win of using FDE is disk disposal – my disks no longer need to be scrubbed before disposal – as without the encryption keys, they are already scrambled beyond recovery!

The software I use for FDE and all encryption duties is called Truecrypt. This has almost become the de-facto standard in disk encryption, having been developed over a very long time and consistently improved and updated. I have to hand it to the developers, Truecrypt has never had anything added that is of no use: there are no bells and whistles that are not directly related to the base functionality – brilliant!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.