
I'm reviewing an ISO 27001 Gap Analysis workbook and under Control A.11.2.7 someone has left the note:

If full disk encryption (FDE) is used on a device, is there a policy in place to ensure the encryption is strong enough to cover the entire disk (including slack space, swap files and memory)?

I can't find anything on Google/Stack around why FDE might miss slack, swap and memory. Does anyone know, or can anyone explain why?

L23P
  • There are not many details about what FDE system you're talking about, but it reads a bit like it should prevent a system from using, e.g., FDE for its data disk but not for the boot volume and then leaking data into swap files on the unencrypted disk/partition. – allo Nov 10 '21 at 16:52
  • On Linux, it's possible to set up "disk" encryption so that it encrypts only a logical volume/partition instead of the entire disk. It's also possible to create a separate logical volume for swap. So if someone creates a separate volume for swap and then encrypts only their main data volume, swap would be left unencrypted. – nobody Nov 10 '21 at 19:20

1 Answer


The policy doesn't mention what mechanism is used for Full Disk Encryption, so I'll just assume they mean something like BitLocker or VeraCrypt. Both of these solutions encrypt the full disk - everything that's stored on the disk. This does not include memory, and I'm not aware of any solution that would let you encrypt the contents of memory (I think you'd run into a chicken-and-egg situation if you tried). The only exception to this would be if your system uses a swap file to temporarily move data from RAM to the disk and back again. I would assume this swap file would be encrypted as it's being written to the disk.

Dan
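Following up on the comment that a Linux system can encrypt its data volume while leaving a separate swap volume in the clear, here is an added check (not from the question or the answer) that walks the active swap entries and reports which ones are not backed by a dm-crypt device. It works on `/proc/swaps` text and `lsblk -rno NAME,TYPE` output passed in as strings, so it can be run against captured output from an audited host; the device names and sizes below are constructed sample data.

```shell
#!/bin/sh
# Added example: classify active swap entries by whether their backing block
# device is a dm-crypt ("crypt") volume. A swap *file* inherits the encryption
# of the filesystem it lives on, which /proc/swaps does not reveal, so it is
# flagged for a manual filesystem check rather than marked either way.

# Constructed sample input in the format of /proc/swaps.
SAMPLE_SWAPS='Filename                Type        Size    Used    Priority
/dev/sda2               partition   8388604 0       -2
/dev/mapper/cryptswap   partition   4194300 0       -3
/swapfile               file        2097148 0       -4'

# Constructed sample input in the format of `lsblk -rno NAME,TYPE`.
SAMPLE_LSBLK='sda disk
sda1 part
sda2 part
sda3 part
cryptswap crypt
sdb disk
sdb1 part
cryptroot crypt'

# classify_swaps SWAPS_TEXT LSBLK_TEXT
# Prints one line per swap entry: "<name> encrypted", "<name> UNENCRYPTED"
# or "<name> file:check-filesystem".
classify_swaps() {
    printf '%s\n' "$1" | tail -n +2 | while read -r fname stype _rest; do
        case "$stype" in
            file)
                printf '%s file:check-filesystem\n' "$fname" ;;
            partition)
                # /dev/mapper/cryptswap -> cryptswap, matching the lsblk NAME column
                name="${fname##*/}"
                btype=$(printf '%s\n' "$2" | awk -v n="$name" '$1 == n { print $2 }')
                if [ "$btype" = "crypt" ]; then
                    printf '%s encrypted\n' "$fname"
                else
                    printf '%s UNENCRYPTED\n' "$fname"
                fi ;;
        esac
    done
}

# Run against the sample; on a live host use:
#   classify_swaps "$(cat /proc/swaps)" "$(lsblk -rno NAME,TYPE)"
classify_swaps "$SAMPLE_SWAPS" "$SAMPLE_LSBLK"
```

A swap partition sitting directly on a plain partition (here `/dev/sda2`) is the case the comments describe; a LUKS-backed one shows up under `/dev/mapper/` with type `crypt`.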