
I use Check Point Full Disk Encryption, but hope that this question can be answered generally. Is it possible for me to get, or extract, my own 256-bit AES key? By the way, I don't use any special password for the decryption itself, so this key must be based on my Windows login password alone (which you can assume is long enough to prevent cracking).

(Why? It would be nice to write the key down in case some problem comes up. I understand that the key can be pushed into "the cloud" and I could contact someone at the company if some problem ever came up, but there's some peace of mind in having it written down in my home. And, I understand that this allows a thief to steal that note and my hard disk, thereby getting all of its information, but I don't want to start this philosophical discussion here.)

As I see it, Check Point could reveal the key within its pull-down menus if it wanted to but probably chooses not to. Further, I would guess that the Windows 7 DPAPI prevents any other software from extracting the key even after I've logged in (and thereby given that software full permission to do anything, including physical access and decrypted access of the hard drive).

My goal here is really to confirm both sentences in the above paragraph. More generally, I'm curious about whether DPAPI, using the login password alone, can truly prevent any mischievous application (with full permissions and physical hard disk access) from determining the protected data of any other application...but I guess that probably was Microsoft's design goal.

bobuhito
  • "extort" was intentional to connote "get using any creative way possible" (sorry, there's probably a better word) – bobuhito Dec 16 '13 at 14:05
  • Yes bobuhito, you want to **export** the key, which is why I changed it in the edit. Extortion is the act of obtaining something through the threat of physical force, it's not the word you are looking for. – GdD Dec 16 '13 at 14:07
  • @GdD I fully agree with you, "extort" here is ridiculous. How about "extract"? – Adi Dec 16 '13 at 14:28


Yes, as a general rule Full Disk Encryption software - especially business products like Checkpoint - includes some way of backing a recovery key up. Check the documentation or ask your IT department.

By the way, it's not using your Windows logon. After all, Windows is on the encrypted disk too, so it has to be unlocked long before you get to the logon prompt. If you are not being prompted for a password, it's likely using a TPM chip that automatically decrypts the drive whenever you power up the machine, so the key isn't even stored on the disk.

Graham Hill
  • I agree with @GrahamHill, I would be very surprised if there was no export feature in the software. – GdD Dec 16 '13 at 14:40
  • I did mention a cloud way of backing it up, so that's kind of what you're saying...if Check Point had a way for me to just see the key, I'm still waiting for someone to tell me the procedure. Also, I don't think I have a TPM (I have no Security devices in my Devices Manager) and I think the Windows password could be used for decryption because the password itself is not on the disk at all, just a hash. – bobuhito Dec 16 '13 at 14:48
  • You'd have to go to Check Point for specific details on exactly how their product works; I was answering generally to keep the question open. – Graham Hill Dec 16 '13 at 16:20
  • You can't use a key on the disk to unlock the disk, in the same way that you can't use a key stored in a safe to unlock the safe. You have to keep the key (or a password that generates the key, of course) somewhere else: in a TPM, in your head, on your fingerprint, in a smart card, etc. If you never move the key from outside to inside the computer, it means the key is already inside, which (hopefully) means a TPM. – Graham Hill Dec 16 '13 at 16:28