Protecting your data - laptop security and solid state drives

by jeffo | Jun 06, 2011 | Security, Tools, Uncategorized | 0 comments

by Jeff Ouellette

As consultants working for many organizations, we are exposed to a number of environments and quite a bit of sensitive data. While we are careful not to keep a lot of client data on our laptops (most of it is located in our datacenter or left on the client network), the security of the data that does reside on our laptops is paramount. We require that all of our laptops have disk encryption. We used to use TrueCrypt, but it has been deprecated and we have since moved to BitLocker from Microsoft. There are other products such as VeraCrypt, DiskCryptor, CipherShed, FileVault 2 or LUKS, depending on what your operating system or requirements dictate.

With whole disk encryption, the entire hard drive, including the data, the program files, the applications and even the free space, is encrypted. A password is required during the boot process to unlock the drive, and each block is decrypted as it is read and encrypted before it is written. As you can imagine, this results in a noticeable performance cost. In return, the approach is relatively secure in that the hard drive cannot be taken out of the computer and read in another one. Unfortunately, it also means that you cannot use many of the recovery tools for when the operating system has issues or corruption, nor can you use a program like Acronis or Ghost for disk imaging without copying every sector of the disk (making images very large and removing the efficiencies of dedupe and compression). The advantage, of course, was that we did not need to think about where sensitive data was stored or whether it was in an encrypted area. Everything was encrypted, so it was a safe and easy way of both being secure and not having to think about it.

Enter solid state drives (SSDs). A solid state drive is significantly faster than a traditional platter-based hard drive for reading data. It has no moving parts, it is significantly quieter and it uses less power. Sounds perfect for a laptop, right? Yes, but it comes with its challenges too. For one, it is significantly more expensive than a comparable traditional drive, and SSDs come in much smaller capacities. Second, while write speeds are on par with or slightly below those of traditional drives, the number of writes you can make to the disk is limited. Testing has shown the average lifespan of an SSD to be 3-5 years because, in essence, you wear out sectors on the drive and that data needs to be moved to a sector that doesn’t have as much wear.

The Dilemma. Given the difference in how solid state drives operate from traditional drives, you can probably see that whole disk encryption is no longer the best option. First, solid state drives run optimally when you leave a number of sectors free so that data can be reassigned when a sector has been used too many times. Whole disk encryption uses every sector (it encrypts free space as well) and often touches sectors scattered all over the disk, which makes the data harder to identify and reassemble. Second, whole disk encryption increases the number of writes to the disk, and with the limited write endurance of a solid state drive you could in fact reach its end of life much sooner.

The Solution. Use a second drive that can be encrypted, or create a virtual encrypted drive as a file inside the solid state drive. Obviously the first option is the better solution because it allows you to use a traditional drive for the data that changes the most, but the second option also provides advantages over whole disk encryption. In both scenarios you get performance increases and the benefit of using native tools for backup, imaging and recovery. You also get the benefit of properly managing free space on your solid state drive and potentially fewer write operations. So how do you make sure that all your important client data lands on the encrypted drive? With Microsoft Windows 7, you can redirect almost every area of the user profile, such as the Desktop, Documents, Music, Videos, etc., as well as Microsoft Outlook cache files and other transient data, so that you can be sure that client data is encrypted. The trick is to do the work of determining where all the sensitive data resides: not just the data, but any cache and temporary files that could have value if the laptop were lost or stolen. Of course, moving the data to another drive is no substitute for having a good backup process. In fact, any time you are using encryption, your backups become even more important.
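One way to do that "determine where the sensitive data resides" step, as an added example that is not from the original post: the script below reads the redirected profile folders Explorer actually uses, locates the Outlook cache files, and reports whether the volume each one sits on is BitLocker-protected. It assumes the BitLocker PowerShell module (Get-BitLockerVolume), which ships with Windows 8 and later; on Windows 7 the same check is `manage-bde -status <drive>`.

```powershell
# Audit redirected profile areas and Outlook cache files against BitLocker
# volume status. Added example, not the original post's own code.
# Assumes the BitLocker module (Get-BitLockerVolume) is available.

$shellFolders = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$props = Get-ItemProperty -Path $shellFolders

# Registry value names Explorer uses for the redirectable profile areas.
$known = [ordered]@{
    'Desktop'       = 'Desktop'
    'Personal'      = 'Documents'
    'My Music'      = 'Music'
    'My Video'      = 'Videos'
    'My Pictures'   = 'Pictures'
    'AppData'       = 'Roaming AppData'
    'Local AppData' = 'Local AppData'
    '{374DE290-123F-4565-9164-39C4925E467B}' = 'Downloads'
}

$paths = @()
foreach ($name in $known.Keys) {
    $raw = $props.$name
    if ($raw) {
        # Values are REG_EXPAND_SZ (e.g. %USERPROFILE%\Desktop), so expand them.
        $paths += [pscustomobject]@{
            Area = $known[$name]
            Path = [Environment]::ExpandEnvironmentVariables($raw)
        }
    }
}

# Outlook keeps its offline cache (.ost) and local stores (.pst) here by default.
$outlookCache = Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook'
if (Test-Path $outlookCache) {
    Get-ChildItem -Path $outlookCache -Include *.ost, *.pst -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $paths += [pscustomobject]@{ Area = 'Outlook cache'; Path = $_.FullName } }
}

# Map each path to its drive letter and ask BitLocker whether protection is on.
foreach ($p in $paths) {
    $drive = Split-Path -Path $p.Path -Qualifier          # e.g. "D:"
    $vol   = Get-BitLockerVolume -MountPoint $drive -ErrorAction SilentlyContinue
    $state = if ($vol -and $vol.ProtectionStatus -eq 'On') { 'encrypted' } else { 'NOT ENCRYPTED' }
    '{0,-16} {1,-14} {2}' -f $p.Area, $state, $p.Path
}
```

The check only recognises BitLocker, so a VeraCrypt or similar container mounted as a drive letter will be reported as NOT ENCRYPTED; treat the output as a list to review, not a verdict.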
