3

It is customary to protect certain critical files with a password. For example: PGP keys, VPN keys, password managers, etc. The practice dates back to before full disk encryption being common.

These days, people tend to have full disk encryption. I realise that there is still a small security benefit from password protecting critical files. But a small benefit, set against a non-trivial cost of using passwords. How can an organisation decide, in a consistent and repeatable fashion, whether the minor benefit justifies the cost of password protecting?

Some things to consider:

  • What exactly does password protecting guard you against? What specific scenarios are you vulnerable to with FDE, but no passwords on critical files? Are you protected if you also use passwords on those criticial files? Are these realistic scenarios?

  • What configuration details of the laptop affect this decision? For example, password-based vs TPM-based encryption? How relevant are defences like automatic screen locks?

  • What password management processes are users expected to follow? Can the user use the same password for full disk encryption as for critical files? If not - how do you stop them?

I am aware that the particular decision for each individual organisation is subjective. However, to be completely clear, I am asking how a infosec professional would guide an organisation through making this decision - my question here is non-subjective.

paj28
  • 33,442
  • 8
  • 96
  • 133

3 Answers3

2

TL;TR

It really depends on the organization. Things to consider:

  1. How seriously do they take security?
  2. Is there a lot of travel that would lead to an increased risk of compromise?
  3. Is a stolen computer or physical removal of a drive a risk?

The overhead for putting this into place is low. For a large company with lot of company travel it's worth it to keep data safe. In this day and age I honestly don't believe you can be too careful. To guide them outline the risks that are involved in insecure data on a day to day, and explain the solutions are relatively non-invasive and simple to implement. That's my $0.02.

Details

What exactly does password protecting guard you against? What specific scenarios are you vulnerable to with FDE, but no passwords on critical files? Are you protected if you also use passwords on those criticial files? Are these realistic scenarios?

FDE protects an entire volume. If that volume is separate from the bootable volume then you can take care your files are protected while on that volume and the volume is unmounted. Assuming recommended good security configurations are used. Generally once the volume is mounted it is accessible. If the files leave that volume then they are unprotected, and if they are sensitive should be password encrypted.

If the volume is bootable, then once the BIOS boots up and the correct password is entered the entire volume is decrypted and accessible*. This means that active attacks against your machine can access your files no problem. In this case you absolutely need to protect any files you consider sensitive.

What configuration details of the laptop affect this decision? For example, password-based vs TPM-based encryption? How relevant are defences like automatic screen locks?

There are lots of configuration details that can effect FDE. These all depend on that you're using.

TPM-based encryption is good if you're worried about your hard-drive being physically removed from your computer. A TPM ties the FDE'ed volume to a specific device. The encryption keys are stored in the TPM and only in the TPM. However this alone isn't fully secure. With this configuration the computer will be FDE'ed, but boot up without any password authentication. Some solutions offer to configure a password, or physical USB key in conjunction with the TPM. This provides the authentication while keeping the actual encryption keys in hardware. This is the best solution as keys held within the TPM are secure and no piece of software has them in memory. Bitlocker provides for this configuration. This answer contains an interesting paper about cold-boot attacks against FDE solutions.

Automatic screenlocks are always a good idea. If someone tries to bypass by rebooting they'll run into the FDE. If someone has your password... well something went terribly wrong.

What password management processes are users expected to follow? Can the user use the same password for full disk encryption as for critical files? If not - how do you stop them?

Password management is probably the most important part of all this. It's bad practice to use the same password for more than one purpose. I don't believe that this is enforced in software solutions. There's no secure way to enforce this. If the software is doing things correctly with salted passwords there's no way for the software to tell if a password is used in more than one instance. This is truly up to the user. I would not use the same password for sensitive files as I used for the FDE.

Community
  • 1
RoraΖ
  • 12,457
  • 4
  • 52
  • 84
1

To paraphrase you: "these days" people also dump everything in cloud storage, and mail it all over the world.

Once the files leave the encrypted disk, the only protection they have is the password.

And since you are talking about 'an organization' it is hard to predict peoples' behaviour about this. Your users may be "expected to follow password management processes" but that does not guarantee that they always will.

Keep the password encryption

0

Whole disk encryption and file/folder encryption (potentially) address two different issues. Whole disk encryption protects the owner of the computer, while file/folder encryption (can) protect the owner of the data. Often these are two different people.

Neil Weicher
  • 101
  • 1