Security Advisor

The Problem with Disk Encryption

Here's a dirty little secret: When an encrypted hard drive goes bad, data could still be permanently lost.

• By Joern Wettern
• 02/01/2010

Full Disk Encryption (FDE) is one of the most effective ways to protect confidential data on laptops, but there's a dirty little secret that many FDE vendors don't mention: When an encrypted hard drive goes bad, your data could be permanently lost. Fortunately, there are steps you can take in advance to minimize the risk of having to say: "Sorry boss -- your files are lost for good."

Recovery Scenarios
When you implement FDE you have to plan for two types of recovery: gaining access to a drive after a user has lost or forgotten pre-boot authentication credentials, and getting to the data on the hard drive from which the computer no longer starts.

Pre-boot authentication occurs before Windows starts, and all FDE solutions include some method for getting access to the drive when a user can no longer authenticate. This may be a recovery key, a recovery password or an emergency log-on account. Regardless of the method, once you're familiar with the process, make sure that the recovery information is centrally backed up, test your recovery strategies, and you're set.

As you prepare, make sure you have all scenarios of the forgotten pre-boot password or lost token covered. For example, will you be able to access a computer after a user leaves your organization? How will you help a user who's traveling and forgets the computer's pre-boot PIN?

A more complicated scenario is a hard drive that has developed a physical defect or is experiencing problems that prevents booting to Windows. When this happens a user may be able to successfully authenticate at the pre-boot stage, but can't get to the Windows log-on screen. And because the disk access depends on Windows drivers that handle the encryption, you can't run tools to repair Windows. Your choices at this point depend on the exact symptoms, but planning ahead for different recovery scenarios will vastly improve your chances of recovering crucial data, as well as minimizing downtime.

Quick and Dirty
The quickest way to deal with an inaccessible encrypted disk is to simply give the user a new laptop, and re-image the old laptop's disk. Of course, this will erase all data on the laptop, but that may not be a problem if this data also exists on a server or can be re-created easily.

One way to set the stage for this type of "recovery" is to move all user documents to a server share and configure cached offline copies on the laptop. Offline files can be edited while a user is traveling, but they're automatically synchronized when the user is back in the office. You can also use log-on scripts to back up data to a server each time a user logs onto the network.

Even with such a strategy, the most recent data has probably not been synchronized with a server. However, re-creating what has changed on the laptop may be quicker than trying to recover the data.

The Hard Way
As with the recovery of pre-boot credentials, it's absolutely essential that you back up the computer's disk encryption key -- and also that you can access this key when you need to recover data.

The specifics of how to do this vary among FDE solutions, but regardless of what product you're using, if the laptop's hard disk holds the only copy of the encryption key you won't be able to recover any data.

Some FDE solutions let you boot Windows PE or Linux from a CD or USB stick to which you've copied the backed-up encryption key. This can speed up the recovery process because it may allow you to copy all of your important data files off the hard drive and then simply re-image the drive. If your FDE solution supports such a scheme, makes sure that you're familiar with the process, and that you have any required boot media prepared in advance.

If your FDE solution doesn't support booting from alternate media or you need to rescue more than just a few data files, expect data recovery to take longer and be more involved. Only a few problems, such as a corrupted partition table, can potentially be repaired while the disk is encrypted. Most other problems, including bad disk sectors and missing Windows files, require that you decrypt the disk before you can attempt any repair. This generally involves starting the computer from a CD or USB stick, and then running a utility to decrypt each sector. Again, this requires that you backed up the encryption key. You can also expect this process to take several hours.

Once the disk has been decrypted, you're still not out of the woods. You'll need to resolve the underlying issue, a process that could range from repairing Windows to sending the drive to a recovery service.

Preparation Counts
No matter which FDE product you're using, you're bound to experience the occasional glitch or drive failure. As with any recovery scenario it's crucial to prepare for recovery. The worst time to figure out what to do is when you have someone breathing down your neck as you're trying to restore access to urgent data.