[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 662
  • Last Modified:

Need encryption solution compatible with Remote Access

Been using SecureDoc full disk encryption happily for a few years. Now want to do more remote access (GoToMyPC) but the preboot authentication process prevents access if the system reboots due to power failure, windows update forced reboot, etc.  Support says I can enable permanent authentication/logon that will authenticate automatically, allow the OS to load, and take me right to the Windows login screen. External boot devices couldn't get past the preboot so everything is safe as long as the Windows logon is not cracked, but I fear this is pretty easy to do.  Would partition encryption or a virtual encrypted disk/container be a better solution? Pros? Cons?  Software recommendations?  thanks in advance?
0
japple1
Asked:
japple1
  • 4
  • 4
  • 2
6 Solutions
 
dfxdeimosCommented:
TrueCrypt. Free. GPL. Full of win.

http://www.truecrypt.org/

As long as your passwords are complex then there is little chance of them breaking the password at the login screen. Generally the way the passwords are cracked in a Windows environment is by booting to a CD (or other device) and having a program on that device get into the SAM and decode the password.

If you encrypt your entire drive / partition this is not an option, as the SAM is encrypted. Booting from anything except the OS that is secured by TrueCrypt they will be unable to read the file structure.
0
 
Kelvin_KingCommented:
>>External boot devices couldn't get past the preboot so everything is safe as long as the Windows >>logon is not cracked, but I fear this is pretty easy to do.

You are quite right in saying that the Windows Login password is not easily cracked, except for bruteforce. However, there are work arounds. Take a look at this: http://en.wikipedia.org/wiki/Cold_boot_attack

What this attack does, is take a snapshot of your RAM, and using an encryption key finding algorithm tries to recover your disk encryption key. With you not at the computer, the attacker has all the time he needs and all the attempts he wants. I have done it a few times, and believe me, it's quite easy.
With the encryption key, he can then proceed to decrypt your entire HDD (but this is a more complex task).

You will be exposed to this vulnerability as long as you choose to bypass the pre-boot authentication (be it any other product you choose to use).

>> Would partition encryption or a virtual encrypted disk/container be a better solution

You are correct in suggesting this. And the previous expert was correct in recommending TrueCrypt. However he failed to explain why.

http://www.truecrypt.org/hiddenvolume.php

TrueCrypt is also a pre-boot full HDD encryption solution, just like WinMagic's SecurDoc. However, it allows you to create a TrueCrypt HiddenVolume.

This HiddenVolume looks just like a normal text file on in your folder. It's contents are garbage to th normal user. Using TrueCrypt's volume mounting tool, you supply a passphrase (could also be 2 factor, but since you are doing it remotely, that's not an option) and it will mount that file as a logical drive (e.g. E:\)

You then work from this drive and then unmount it when you are done.

So even if someone is able to brute force your Windows password, he'll still need to break your TrueCrypt hidden volume password (which I believe is not easy). In that sense, all your sensitive information is still protected.

My suggestion would be to download TrueCrypt, and just use their Hidden Volume feature. You can still continue to use SecurDoc. I can imagine in large enterprises, I don't think the Administrator will be too pleased of you changed their entire pre-boot solutions (as they won't be able to Administor patches to your computer etc...).

Hope that helps
- Kelvin
0
 
japple1Author Commented:
>>You will be exposed to this vulnerability as long as you choose to bypass the pre-boot authentication (be it any other product you choose to use).

Thanks for your responses. A little research can be a scary thing!!!  
http://www.physorg.com/news122820185.html

If I understand what I've been reading, even using a preboot authentication on a FDE system can not protect against these cold boot/ram decay attacks since the key remains in RAM after powerdown until it decays. The only solution is to overwrite RAM on shutdown, which isn't done.  Since ANY  system can be hacked given enough time, money and motivation, I just need to take reasonable precautions.  Given, why couldn't I just use the TrueCrypt volume strategy (SecureDoc I believe has a version that uses containers also) and avoid all the hassles of FDE and preboot?  I don't even think a hardware encrypted drive is a solution - no keys stored in RAM but to be accessible it would have to remain on and presumably already decrypted - am I right on this?

Another issue I failed to initially mention is that I use Acronis TrueImage for backups - it works fine with SecureDoc FDE but what about TrueCrypt - I couldn't find anything on that. I did read a post on Wilders that the workstation edition (Echo) supports imaging encrypted drives, but from what I can find, it is only sector by sector resulting in HUGE images. Anyone know anything different?



0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as the high-speed power of the cloud.

 
japple1Author Commented:
http://www.truecrypt.org/docs/?s=unencrypted-data-in-ram

I just want to confirm from you TC knowledgeable experts that I am reading this page from TC website correctly: Dismounting a non-system volume in TC erases all the keys from RAM so there would be no trace of them if the computer were subjected to a coldboot attack after dismount?

Would this not be the ideal solution for my situation: remote access to the unprotected OS, authenticating/mounting the volume to work, then dismounting the volume after to clear the memory? What am I missing?  How is the FDE with preboot AND the TC volume a better solution?  With FDE and preboot, the key is still in RAM until clean shutdown, and therefore always accessible if the machine is left running, no?
0
 
Kelvin_KingCommented:
Quite a few questions there, I'll try to give you a good answer for them ; )

>> Given, why couldn't I just use the TrueCrypt volume strategy (SecureDoc I believe has a version that >> uses containers also) and avoid all the hassles of FDE and preboot?

You could. But IT Security is about defence in layers/depth. For that matter, I could just zip up all my sensitive documents into an archive and password protect it. There's a level of security there for sure, but is it enough? It all depends on the sensitivity of your information, and the policies put forth by your organization. If having full HDD encryption + an encrypted volume gives you a greater level of security without much more trouble, why not?

Regarding the SecurDoc containers, I believe you're referring to Compartmental SecurDoc (correct me if I misunderstood). That's different from a TrueCrypt volume. Each compartment represents a seperate operating system which you still need to boot into. TrueCrypt volumes are mounted once you boot into your OS.

>> Another issue I failed to initially mention is that I use Acronis TrueImage for backups - it works fine
>> with SecureDoc FDE but what about TrueCrypt

You should have no issues storing the TrueImage backups in the TrueCrypt volume as long as you allocated enough space to it.

>> Dismounting a non-system volume in TC erases all the keys from RAM so there would be no trace of >> them if the computer were subjected to a coldboot attack after dismount?

That is correct.

>> Would this not be the ideal solution for my situation: remote access to the unprotected OS,
>> authenticating/mounting the volume to work, then dismounting the volume after to clear the memory? >> What am I missing?

That is not ideal. Like I said in my previous post, does it cost you anything to NOT to remove the full HDD encryption. Having your entire HDD encrypted gives you that one more layer to protect your data. Keep in mind, that with full HDD encryption, your TrueCrypt volume is encrypted also. So think of it as a double encryption ; ). Even if you allow pernmanent authentication (i.e booting straight into Windows login from pre-boot), the entire HDD is STILL encrypted, the OS only decrypts what it needs at that time.

>> With FDE and preboot, the key is still in RAM until clean shutdown, and therefore always accessible >> if the machine is left running, no?

No. Most encryption solutions have released update patches which actually clear the keys in RAM during shutdown or hibernation. I'm not sure about SecurDoc, you'll have to refer to the release notes of recent patches.

Also, you should keep in mind that the information remains in RAM for a short period of time (about 1-2 min MAX), after that there's no way to recover it. So this attack really applies to cases of stolen notebooks (while it's still on). You won't be able to recover anything even after 5 min of leaving your computer off. So wait 5 min after you shut down your PC befor eyou go home ; )

Hope that helps
- Kelvin
0
 
Kelvin_KingCommented:
>> With FDE and preboot, the key is still in RAM until clean shutdown, and therefore always accessible >> if the machine is left running, no?

Sorry, I mis-read that question (3 AM here). You are correct ; ). The keys are accessible, and ripe for the pickings using a cold boot attack. I have verified that on a few disk encryption products.

- Kelvin
0
 
japple1Author Commented:
Kelvin,
Thanks for your detailed answers; I hear what you're saying about layers but I still don't see the value of the FDE if I bypass the preboot and boot right to windows logon. The data on the drive may still be encrypted but since authentication has taken place already, anyone with access to the machine can see everything except the TC volume. I believe when you permanently enable the auto authentication at boot, you must disable the GINA which gives you the option of locking the computer when the screensaver activates. I guess you could password protect on resume from the (windows) screensaver for a little more protection. I'll have to think about that one for awhile.

A couple of clarifications:
1. SecureDoc does have a "gold" version that actually allows the creation and mounting of containers; this is different than there Compartment version which I just learned about yesterday, and different than their mainstream "silver" version which I run.
2. My question regarding TrueImage was not about storing the backups but about actually creating the images. As you are no doubt aware, imaging and encryption don't play nicely together but I do have a process where I can image an encrypted SecureDoc drive. The image ends up unencrypted but it's a simple matter to re-encrypt it if disaster strikes and I need it. I was curious as to whether TrueCrypt works with TrueImage and will allow me to do a successful compressed image (not raw sector) like I can with SecureDoc?
3. You said TrueCrypt mounts volumes when the OS is loaded which is what I DON'T want. Is there not a way to load the OS WITHOUT mounting TC volumes until I want to access them? The preferences tab in the documentation for Ver 6.1 seems to indicate that you can optionally start TC after windows logon, and then optionally load volumes based on how you check the boxes. Perhaps that's new?
0
 
dfxdeimosCommented:
I can answer #3...

Yes, you can create TrueCrypt volumes in the form of those "hidden files" mentioned earlier and then either set TrueCrypt to mount on boot or just mount on your command.
0
 
Kelvin_KingCommented:
>> I believe when you permanently enable the auto authentication at boot, you must disable the GINA
>> which gives you the option of locking the computer when the screensaver activates.

Not necessarily. It might just boot you into Windows but you'll still be required to provide the GINA credentials. Does your remote desktop program (GotomyPC) allow you to do remote Windows Login?

>> I was curious as to whether TrueCrypt works with TrueImage and will allow me to do a successful >> compressed image (not raw sector) like I can with SecureDoc?

I'm not sure. I have not tried it before. I just back up the entire encrypted file into a network folder.

>> You said TrueCrypt mounts volumes when the OS is loaded which is what I DON'T want.

I wasn't clear on that. I ment that the volumes are mounted manually by the user when he is in the OS. The process is manual.

Hope that helps
- Kelvin
0
 
japple1Author Commented:
Thanks for your help!
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 4
  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now