Your laptop data is not safe. So fix it.
- — 20 January, 2009 08:55
TPM-enabled full disk encryption, especially hardware-based implementations of it, provides one other key benefit to enterprises: data erasure upon laptop decommissioning or repurposing. A common bugaboo in the enterprise is the accidental disclosure of data when seemingly worthless outdated laptops are discarded or sold, or transferred to another employee. Erasing sensitive information in such situations is not trivial, and even removing and physically mangling a laptop's hard drive is no guarantee against disclosure. However, because TPM has absolute control over the encryption keys -- remember, half of the key information is stored with the TPM itself -- you can simply tell TPM to forget its keys, and the hard drive is instantly reformatted and effectively rendered nonrecoverable. Disk sectors aren't zeroed, but no computationally feasible method exists today to decrypt the residue.
A great many enterprise-class laptops manufactured in the last two to three years shipped with embedded TPM chips; Apple's Macs are a key exception, as none since 2006 include a TPM chip. But the TPM chips must be explicitly enabled to use them as the authentication mechanism for encryption.
If your laptops have a TPM chip, don't try enabling it without carefully following the vendor's instructions -- otherwise, you could accidentally wipe out the laptop's hard drive. Before enabling the TPM chip in a laptop, you must first take ownership of it, a process that establishes user and management-level passwords and generates the initial set of encryption keys. The management password lets IT administration monitor the inventory of TPM devices, recover lost user passwords, and keep track of usage.
A TPM works with the laptop's resident operating system to encrypt either the entire hard drive or most of it, depending on the OS encryption implementation. (Microsoft's BitLocker, for example, requires a small, unencrypted initial-boot partition). Alternatively, a TPM can interoperate with encryption-enabled hard drives to perform encryption entirely outside of, and transparent to, the operating system.
The TPM technology isn't perfect, but it provides very solid protection in the most common incident, where a laptop is lost or stolen and the user has not left it logged in. If the laptop is powered off, TPM protection is absolute. Most implementations use 256-bit AES encryption, which is considered uncrackable for the foreseeable future. Powering up the device requires entering pre-boot credentials in the form of a password, a PIN, a smartcard, biometric data, a one-time-password token, or any combination of these. If the lost laptop is powered on (but not logged in), or just powered off, an attacker would have to use extraordinary procedures to recover the encryption keys from live memory.
However, if a lost device is powered up and logged in, a TPM provides zero protection. An interloper can simply dump the data off the hard drive in the clear using ordinary file copies. Thus, it's essential that TPM-protected systems have noncircumventable log-in timeouts using administrator-protected settings.
To achieve the ultimate in full disk encryption protection requires hardware-enabled encryption on board the hard drive. Drive-based encryption closes all of TPM's loopholes, since the encryption key is no longer stored in OS-accessible memory. Hardware-based full disk encryption also eliminates the performance penalty incurred by software-based full disk encryption, although with today's fast, processors, that software encryption overhead is not noticeable to most users.