Full disk encryption: possible to tie key to particular BIOS/Laptop?

0

The organisation I work for has laptops outfitted with FDE-drives, i.e. drives that encrypt data on the fly such that in the case of a stolen laptop, no data can be retrieved by removing the HDD. While this protects us against malicious outsiders, evil employees can still switch the drive to a computer that they own (and of which they control the BIOS), and enable root/administrator privileges in the OS for themselves.

In short, what would solve this problem is having (a part of) the encryption key saved in the BIOS, such that another computer would be unable to decrypt the drive. Is there a way to do this, or, how do other organisations deal with this security risk?

pberlijn

Posted 2012-09-16T13:01:18.343

Reputation: 6 138

"switch the drive to a computer that they own (and of which they control the BIOS), and enable root/administrator privileges in the OS for themselves" Are you sure this is possible to do? Why could a thief not do the same thing as the evil employee? – Moab – 2012-09-16T16:47:44.667

Moab: Thief is unable to decrypt the disk. Employee knows passphrase to unlock his drive. – pberlijn – 2012-09-17T13:30:00.303

Why does the evil employee have the passphrase to someone else's drive? – Moab – 2012-09-17T15:00:47.570

He has the passphrase to his own drive. The drive which holds the OS that he is not allowed root privileges on (for a number of reasons). – pberlijn – 2012-09-17T22:03:34.200

Answers

2

I think you should be looking at TPM (Trusted Platform Module) solutions. They are built into the majority of professional laptop lines.

This article mentions the solution explicitly - Disk encryption:

A limited number of disk encryption solutions have support for TPM. These implementations can wrap the decryption key using the TPM, thus tying the hard disk drive (HDD) to a particular device. If the HDD is removed from that particular device and placed in another, the decryption process will fail.

wmz

Posted 2012-09-16T13:01:18.343

Reputation: 6 132

Better than the answer I was just writing. :) OP: Make sure you (or your IT) have some way to get at the data on the drives OR make sure there is no essential local data on the laptop at all. Motherboards do die and then your own security gets in your way. – Hennes – 2012-09-16T13:34:11.940

+1 this is one of the things TPM was designed to help with. Just remember, the bad guys can't get your data without that motherboard working...and neither can the good guys! Make sure you have a way to recover the data when (not if, when) something goes wrong. – Grant – 2012-09-16T13:49:31.853
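The sealing behaviour the answer and its comments describe, as an added illustration that is not code from the page, from any TPM vendor or from any disk-encryption product: a model in which the wrapping key is derived from a device-resident secret plus the measured boot chain (PCR digest), so the sealed disk key only unwraps on the same device with the same boot chain, while a separate passphrase-derived escrow wrap covers the "motherboard dies" case. The device secrets, boot measurements, passphrase and the encrypt-then-MAC wrapping construction are all constructed for the example.

```python
import hashlib
import hmac
import secrets

def pcr_digest(measurements):
    """Extend-style digest over the measured boot components, in order."""
    acc = b"\x00" * 32
    for m in measurements:
        acc = hashlib.sha256(acc + hashlib.sha256(m).digest()).digest()
    return acc

def wrap(kek, disk_key):
    """Encrypt-then-MAC with a one-block keystream (32-byte disk key only)."""
    nonce = secrets.token_bytes(16)
    stream = hashlib.sha256(kek + nonce).digest()
    ct = bytes(a ^ b for a, b in zip(disk_key, stream))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap(kek, blob):
    """Returns the disk key, or None when the KEK does not match the blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None  # other device, changed boot chain, or tampered blob
    stream = hashlib.sha256(kek + nonce).digest()
    return bytes(a ^ b for a, b in zip(ct, stream))

def platform_kek(device_secret, measurements):
    """Modelled seal policy: device-resident secret bound to current PCR state."""
    return hmac.new(device_secret, b"fde-seal" + pcr_digest(measurements),
                    hashlib.sha256).digest()

def recovery_kek(passphrase, salt):
    """Escrowed recovery path that does not depend on any motherboard."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 100_000)

def demo():
    disk_key = secrets.token_bytes(32)
    laptop = secrets.token_bytes(32)   # constructed: the issued laptop's TPM secret
    other = secrets.token_bytes(32)    # constructed: a different machine's secret
    boot = [b"firmware-v1", b"bootloader", b"kernel"]  # constructed measurements
    sealed = wrap(platform_kek(laptop, boot), disk_key)
    salt = secrets.token_bytes(16)
    escrow = wrap(recovery_kek(b"it-recovery-passphrase", salt), disk_key)
    return {
        "same_device": unwrap(platform_kek(laptop, boot), sealed) == disk_key,
        "other_device": unwrap(platform_kek(other, boot), sealed) is None,
        "changed_boot": unwrap(platform_kek(laptop, boot[:2] + [b"kernel-x"]), sealed) is None,
        "recovery": unwrap(recovery_kek(b"it-recovery-passphrase", salt), escrow) == disk_key,
    }
```

Only the recovery wrap keeps the data reachable once the device secret is gone, which is the point both comments make: escrow it before sealing, not after the motherboard fails.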