Your laptop data is not safe. So fix it.

Follow this encryption-based data-protection plan, which can safeguard your most at-risk PCs

But the best plan B to TPM-enabled full disk encryption isn't any of these partial disk methods. The best plan is software-only full disk encryption, in which either the operating system or a third-party program performs the same encryption as with TPM but uses another method to store the encryption keys, such as a thumb drive or a smart card.

The good news is that virtually all-TPM full disk encryption suppliers' offerings, including BitLocker, can operate in this software-only mode, which relies on a removable hardware token so that you can use this approach for your non-TPM devices while having a consistent encryption method to manage across all your laptops.

It's true that software-based full disk encryption is less secure than if you have a TPM-equipped laptop: The entire drive can still be encrypted, but a determined hacker will have more opportunities to gain access through compromised keys. For example, if the key-storage token is left with the notebook computer (how likely is that?), the hacker may be able to simply plug the token in and gain access to the drive contents. Even multifactor authentication in this scenario is subject to attack by inspection, since the key token is not tightly bound to the system motherboard.

Still, when TPM-enabled encryption is not an option, pure software full disk encryption can still give you considerable peace of mind, as well as provide the "safe harbor" benefits afforded encrypted systems in data-privacy regulations. Software full disk encryption solutions have also been around long enough that they're available for most mobile computing platforms, including Linux and Mac OS X.

TPM technology changes to come

Although TPM full disk encryption with hardware-based encryption in the hard drive is the best you can do for data protection today, security researchers are constantly testing TPM's mettle and devising improvements to it.

One potential vulnerability of today's separate TPM chip implementation is that keys must be transported across conductors in the motherboard to the CPU for software-based full disk encryption, or to the hard drive for hardware-based full disk encryption. That could provide an entry point for a hacker. That's why a major vendor trend is to move all TPM-oriented data manipulation on to the CPU chip set in the form of customized silicon. Intel has advertised its vPro solution, which is part of the upcoming Danbury processor and Eaglelake chip set. This feature will perform all encryption and decryption for SATA and eSATA drives without involving the CPU, OS device drivers, or even the hard drive itself.

Such an approach could make TPM even more secure. But there's no reason to wait until such chips are standard in laptops. With today's TPM-equipped laptops, and with the software-based fallback option for non-TPM laptops, you have a platform for a consistent, manageable, secure deployment strategy. Consider yourself lucky if you've successfully dodged the stolen laptop bullet thus far. But don't tempt fate -- or hackers. Implement some form of laptop encryption today.

Tags encryption

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Mel Beckman

InfoWorld

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?