Momentus 5400 FDE.2: Data Encryption On-a-Drive

Why System Passwords Aren't Enough

I already described a possible and rather common situation whereby any one of us could unintentionally jeopardize important data. Although there are several ways to protect data on a hard drive, most of them do not offer sufficient protection against unauthorized access.

The first action for many users is BIOS password protection, which will prompt the user for a password before the system will boot. This can prevent your children from using your computer, but it is not a real security measure. Erasing the CMOS settings will often also erase the BIOS password, granting access to the entire system. If the intruder takes the time to set up a new password, you might even end up locked out of your own system until you erase the settings yourself. We do recommend setting a BIOS password, but only to protect the BIOS from unauthorized access. Since the value of getting access to the BIOS is rather limited, though, most people won't care much about it.

The second step is solid Windows authentication by means of your user name and your password. Although a strong password provides good protection against access to your Windows desktop - it should be ten or more characters, including numbers and capitals, and not anything that relates to you in any way - it does not adequately protect the data on your hard drive. If the intruder boots from another device, it is possible to access most of the data on the Windows hard drive (unless the drive is encrypted, which usually isn't the case). It can even be as simple as booting a Windows preinstallation environment (such as BartPE) to access most of the data. In addition, there are tools to access Windows' Security Account Manager (SAM) database to reset passwords. Finally, it may be even more convenient for a thief to steal the physical hard drive and "work on it" at his leisure.

I already mentioned encrypting Windows contents. It is possible to encrypt individual folders within Windows XP Professional or Windows Vista (only with the business versions). Right-click on a folder and select "Properties", then click on "Advanced" on the tab labeled "General". The item "Compress or Encrypt attributes" allows you to enable encryption for this folder and all related subfolders. While this works as well as other file encryption tools, and is integrated with Windows, human error still has to be considered. You could simply forget to copy some important files into the protected folder, or decide to work on a large project file outside of the encrypted area for performance. In both cases, your data will remain at risk.
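The human-error gap described above can be checked for rather than assumed away. The following PowerShell script is an added example, not part of the original article: it lists files of chosen types under a folder that do not carry the NTFS "Encrypted" attribute set by the folder option described above. The function name, the default extension list and the choice of the user profile as the starting folder are assumptions made for illustration.

```powershell
# Added example: find documents that were left outside EFS-encrypted folders.
# Find-UnencryptedFile, the extension list and the root path are illustrative
# assumptions, not something taken from the article.

function Find-UnencryptedFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Root,

        # File types treated as worth protecting; adjust to your own data.
        [string[]]$Extension = @('.doc', '.docx', '.xls', '.xlsx', '.pdf', '.pst')
    )

    # NTFS attribute that Windows sets on files encrypted through the
    # "Advanced" attributes dialog.
    $encrypted = [System.IO.FileAttributes]::Encrypted

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension.ToLowerInvariant() } |
        Where-Object { -not $_.Attributes.HasFlag($encrypted) } |
        ForEach-Object {
            [pscustomobject]@{
                Path            = $_.FullName
                SizeKB          = [math]::Round($_.Length / 1KB, 1)
                LastWrite       = $_.LastWriteTime
                # True means the folder is protected but this file is not,
                # which usually points to a file moved in from elsewhere.
                FolderEncrypted = $_.Directory.Attributes.HasFlag($encrypted)
            }
        }
}

# Scan the current user's profile and show the most recently edited files first,
# since those are the ones most likely being worked on outside the protected area.
$findings = @(Find-UnencryptedFile -Root $env:USERPROFILE)
$findings | Sort-Object LastWrite -Descending | Format-Table -AutoSize
'{0} file(s) of the selected types are stored without encryption' -f $findings.Count
```

Run it from a normal PowerShell session as the user whose files are being checked; folders the account cannot read are skipped silently.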

The only solution that can really be considered secure is a storage device that is based on security hardware. The Trusted Platform Module (TPM) approach is a good measure, as it ties together system components. Seagate does something similar with its fully encrypted Momentus hard drives, which come with a hardware encryption solution that works transparently on the fly. It also requires a certain software state before data can be accessed or modified.