Jon Collins, originally published on The Register
Given the origins of computing in the coding and decoding of messages, it’s fair to say that the heritage of encryption is as noteworthy as what we now call IT. Indeed the principles of algorithmic codification of data, and the maths behind them, go back way beyond the illustrious efforts of Alan Turing and his ilk in the Second World War.
It’s ironic then, that given all the kerfuffle around data privacy (much of it merited), we are making so little use of encryption for local data on our desktops and laptops. The phrase ‘in clear’ refers to any data that has not been encoded in some way, and while most folks are familiar with the little padlock that appears in a Web browser when a secure communication is taking place, for the majority of time we appear perfectly happy to walk around with laptops stuffed full of sensitive data, or indeed with a USB stick or two in our pockets and bags, containing temporary copies of files, most of which (sticks or files) we have probably forgotten were there.
“Shouldn’t it all just be encrypted?” asks the innocent observer. It’s a fair question – products have existed for many years from the likes of PGP, and these days Microsoft Windows builds it into the operating system, in the shape of BitLocker (as do Apple and various flavours of Linux). However, a number of valid reasons exist as to why we’re not encrypting our drives, internal or external. Putting all-too-human traits of laziness and postponement to one side for a moment, let’s take a look at them.
For a start, encryption does have an overhead. Algorithmically, there is such thing as a ‘base level’ of weak encryption, in that more simple techniques do ensure the casual viewer cannot access data unless they really want to – a laptop thief, for example, may be more interested in selling the device on than knowing too much about what it stored. However, simpler algorithms are not sufficient to protect against whoever might try to break the code, which means they can’t really be used in any situation where sensitive data is involved. More complex algorithms are more processor-intensive, as anyone knows who has tried to run full-disk encryption on an underpowered machine.
Thus the question is why not just encrypt the sensitive data? The trouble with this model is that it leaves things in the hands of the sometimes unreliable user. I don’t know about you, but I can think of times when I probably should have created a password-protected Zip file before sending a certain document out into the ether, or loading it onto a USB stick. The decision-making process is further complicated by knowing what is sensitive and what isn’t, particularly given that sensitivity can change based on circumstances.
The end result is that historically, if the options have been all or nothing when it comes to encrypting locally stored information, the default has tended to be ’nothing’. It is questionable whether this could ever change without encryption being built into the device itself – which comes back to the question of raw power to run the algorithms. In the past, full disk encryption was just too resource-hungry to be usable, particularly given the fact that the (frequently accessed) swap file also needs to be encrypted in real time.
More recent desktop computers are powerful enough to drive, and in some cases enhance harder-to-crack encryption algorithms such as AES, enabling the option of running encrypted devices as standard. This takes away the need to worry about whether or not a certain piece of data should be encrypted, and indeed it removes the risk of forgetting. But full-disk encryption brings with it another challenge, that of key management. For an individual user installing their own software it’s not such an issue – you set up your own password and keep tabs on it in the normal way (hopefully not by writing it on a post-it and sticking it on the wall). Meanwhile, for a company, keys need to be managed at a central point. While tools exist for this, someone needs to maintain them and respond to user requests when keys are forgotten.
But locking down the computer may not be enough, as the next weakest link is the USB port and those pesky thumb drives. Do these need to be locked down too, perhaps only allowing encrypted drives to be connected? Or is that another step too far for Joe Average? For these reasons, many organisations it may find this too complicated to implement as a blanket corporate standard. For every device or USB stick we lock down, there will always be another five that remain capable of storing information in clear, from MP3 players and phones to SD cards.
For many others however, what with regulation looming larger across a number of sectors, there may be no choice. Not only does encryption help support compliance, it also offers a “get out of jail free” card with respect to some legislation, for example it avoids the obligation to disclose theft of sensitive data as required by some US states.
Drive encryption is only one part of the answer of course – data needs to be protected during transmission and in use, as much as it does when sitting on a hard drive. But while it certainly fills a gap technologically, it remains to be seen whether it will become something we just expect, rather than something we bolt on.