What are the security implications of a drive that is partially encrypted

Article:TECH151280  |  Created: 2006-07-10  |  Updated: 2007-01-31  |  Article URL http://www.symantec.com/docs/TECH151280
Article Type
Technical Solution


What are the security implications of distributing a drive that has not completed the initial encryption

On a normal NTFS partition, all data is stored in "plain text."

After you install EP Hard Disk or EA Hard Disk and encrypt the partition, the plain text is run through an encryption algorithm (AES) and turned into "cipher text." This means that the data on the drive is unintelligible unless you have the workstation encryption key that was used to encrypt the data. This key is accessed when the user enters their password at the login prompt for either EP Hard Disk or EA Hard Disk.

Of course, this transformation from "plain text" to "cipher text" does not happen instantaneously. Each sector of the hard drive must be read, put through the encryption algorithm, and rewritten to the hard drive as cipher text. Depending on the speed of the computer hardware and the options chosen during initial setup of EP Hard Disk, this process can take between minutes and days.

So what happens if the computer is distributed to the user before initial encryption has completed? When you try to view the partially encrypted partition from a different installation of Windows, it prompts you to format the drive. This stops a low-skilled attacker, but only because Windows is not attempting to recover your data; it is only attempting to make use of the drive.

In reality, part of your data is still stored in plain text. An attacker merely needs to know which tool to use to access this portion of the plain text. A very basic tool is a "hex editor," which reads the raw ones and zeros from a file and outputs them to your screen. There are more sophisticated tools, such as "GetDataBack," which attempt to automate the process of making sense of these ones and zeros.

So, let us take the scenario of a user who has recently received a new workstation. The machine is at 2% encryption, and the user quickly copies a 1 MB text file to the hard disk. She then shuts the computer down and goes away.

There is no guarantee that this data was encrypted as it was written to the hard disk. Only after initial encryption is complete is all data encrypted as it is written to the hard disk. So if someone were to steal the laptop before she turns it back on and initial encryption completes, he could potentially view the data in plain text if it is stored on a sector that has not yet been encrypted.
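As an added illustration (not part of the original article and not EP Hard Disk product code), the check below scans a raw disk image sector by sector and flags any sector whose byte entropy is too low to be AES output, so an administrator can confirm that initial encryption has finished before a workstation is handed out. The sample image, its 512-byte sector size and the 6.5-bit threshold are constructed assumptions for the demonstration.

```python
import hashlib
import math
from collections import Counter

SECTOR_SIZE = 512
# Bits of entropy per byte below which a sector is treated as still plain text.
# AES ciphertext measures close to 8.0; text files and NTFS metadata sit well below 6.
ENTROPY_THRESHOLD = 6.5


def sector_entropy(sector: bytes) -> float:
    """Shannon entropy in bits per byte of one sector."""
    if not sector:
        return 0.0
    n = len(sector)
    return -sum((c / n) * math.log2(c / n) for c in Counter(sector).values())


def scan_image(image: bytes, sector_size: int = SECTOR_SIZE,
               threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Classify every sector of a raw disk image as likely ciphertext or likely plain text."""
    sectors = [image[i:i + sector_size] for i in range(0, len(image), sector_size)]
    plaintext = [i for i, s in enumerate(sectors) if sector_entropy(s) < threshold]
    return {
        "total_sectors": len(sectors),
        "plaintext_sectors": plaintext,  # sector indices still readable without the key
        "plaintext_fraction": len(plaintext) / len(sectors) if sectors else 0.0,
    }


def build_sample_image(encrypted_sectors: int, total_sectors: int) -> bytes:
    """Constructed sample image (assumption: not a real EP Hard Disk volume layout).

    The first `encrypted_sectors` hold SHA-256 keystream standing in for AES output;
    the remaining sectors hold a text file copied before initial encryption finished.
    """
    cipher_like = b"".join(
        hashlib.sha256(b"sample-sector-%d-block-%d" % (i, j)).digest()
        for i in range(encrypted_sectors) for j in range(SECTOR_SIZE // 32)
    )
    line = b"Quarterly sales figures, internal use only. "
    plain = (line * (SECTOR_SIZE // len(line) + 1))[:SECTOR_SIZE]
    return cipher_like + plain * (total_sectors - encrypted_sectors)


def check_ready_to_ship(image: bytes) -> bool:
    """True only when no sector of the image still looks like plain text."""
    return scan_image(image)["plaintext_fraction"] == 0.0


if __name__ == "__main__":
    report = scan_image(build_sample_image(encrypted_sectors=2, total_sectors=100))
    print("plain-text sectors: %d of %d" % (len(report["plaintext_sectors"]), report["total_sectors"]))
```

A sector of all zeros also scores as plain text, which is the right answer here: until initial encryption has covered it, free space is readable as-is.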
