The Latest Urban Legend: Cracking PGP Whole Disk Encryption (again…and again…)
Folks, the holidays are almost once again upon us. I sit here today trying to clear off my deliverables before I go on vacation. But you know what? The year simply would not be complete without having to respond to yet another claim of a 3rd party tool being able to decrypt/access a system encrypted by PGP Whole Disk Encryption.
So Here We Go Again…
This morning, I was made aware of a claim made by ElcomSoft that their product could decrypt PGP containers (as well as other Full Disk Encryption competitors). After reading through their blog and discussing my thoughts with the Symantec Encryption Engineering team, we have come to the conclusion that this claim is false! There’s truly nothing to see here.
The Weakness is NOT the Crypto Containers
I would agree that the human factor is probably the weakest link when it comes to securing your system. How many people use a cable lock to lock down their laptops in their office? I don’t. How many people lock their screens before getting up to use the restroom? I do. Yes, the keys are held in memory so the system can read and write information in real time vs. being asked constantly for your passphrase. Protecting anything has always been a balance of security and convenience.
Imagine you’re working on your garden. Do you lock the door when you go out to your lawn and realize you forgot your gardening gloves? You pull your house keys out, unlock the door and go in to grab your gloves. You come back out and lock the door again only to realize you need to go back in because you forgot your hat. Wouldn’t it be easier to simply leave the door unlocked while you’re there so you can go in and out as you need?
Retrieving Decryption Keys in an Ideal World
When a system is encrypted with PGP WDE, it is NOT possible to access encryption keys from the hibernation file when the system is in its hibernation state or shut down. PGP WDE encrypts the entire disk, including any hibernation partition or hibernation file. If you could extract the hibernation file out, you could view it – but the contents would be fully encrypted, just like anything else on the disk. So it would be useless to you.
In an ideal situation you could potentially retrieve the keys when the system is powered on. But at this point you already have access to the system. Why would you bother retrieving the keys when you could simply copy the data then and there?
A system left running, but unattended, is vulnerable to tools and attacks that read encryption keys from the memory of the running system. If you are concerned about such an attack, always hibernate or shut down your system when it is not physically secure.
Rinse and Repeat
I wrote a blog in early November responding to a claim made by Passware to “instantly decrypt PGP.” The claim being made by ElcomSoft’s Forensic Disk Decryptor product is similar to the one made by Passware in November. I fully expect to post more blogs in the future to point out the fallacies in claims made by 3rd party companies’ abilities to decrypt PGP WDE.
And on that note, I’d like to wish everyone a very safe holidays and new years!