Why and how to secure data on your storage units?
by Sandrine | May 23, 2024 | Disk Encryption
One of the easiest ways to steal a company’s data is to physically steal the storage devices it uses on a daily basis: whether it’s the SSDs in its computer racks, those built into its employees’ computers, or the myriad of external disks and USB sticks used to exchange data or make backups.
How can you protect yourself from an attacker who is trying to steal storage units or copy their files? By fully encrypting the data stored on them. Windows, macOS and Linux now offer standard tools for encrypting internal and external disks: BitLocker from Microsoft, FileVault from Apple and LUKS from Linux distributions.
These technologies are all based on robust encryption algorithms (usually AES in XTS mode) and can take advantage of the AES instruction extensions of modern processors, which keeps the performance cost of full-disk encryption low.
Technologies that sometimes lack transparency
However, confidence in these data encryption solutions cannot be total. The source code of the tools offered by Microsoft and Apple, for example, is not freely accessible, and there is no real independent audit to guarantee that they contain no flaws or backdoors.
Two French solutions can effectively replace BitLocker (and a little less effectively – functionally speaking – FileVault). The first is VeraCrypt, a disk encryption tool maintained by IDRIX. It is available under an open source license and is included in the SILL (Socle Interministériel de Logiciels Libres) reference catalog of recommended free software for the French administration. This solution is reliable, but suffers from a lack of optimizations.
The second is Cryhod from PRIM’X, a regularly audited offering that has been certified by ANSSI, Europe and even NATO.
The problem of encryption key management
In most cases, storage unit encryption keys are stored locally, either in the machine's TPM or, for virtual machines, in a vTPM. This mode of operation is not 100% secure, especially for virtual TPMs, and it leaves the company without any central view of, or control over, its encryption keys.
Deploying a KMS (Key Management System) lets the company store and manage its encryption keys centrally and, if necessary, revoke them in the event of compromise. The OASIS PKCS #11 standard provides the interface through which a computer retrieves keys from the company's KMS. PKCS #11 interfaces are currently available for LUKS and VeraCrypt.
Cosmian KMS (Key Management System) is integrated with VeraCrypt and can provision the secrets needed to open LUKS-encrypted partitions (the disk encryption system for Linux).
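As an added example (not code from the original post or from Cosmian), the following shell script walks through the LUKS key-management workflow the paragraphs above describe, on a throwaway image file rather than a real disk: format with cryptsetup's AES-XTS default, add a second key slot holding a keyfile of the kind a KMS would provision, optionally bind a slot to the local TPM 2.0 with systemd-cryptenroll, audit which slots and which cipher are active, and revoke the keyfile slot. It assumes cryptsetup (LUKS2), systemd-cryptenroll and root privileges for the demo part; the two audit helpers only parse `cryptsetup luksDump` output and run anywhere. The `RUN_LUKS_DEMO` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: LUKS key-slot management on a
# loopback image, plus two helpers that audit `cryptsetup luksDump` output.
# Assumptions: cryptsetup (LUKS2) and systemd-cryptenroll are installed, the
# demo part runs as root, and a TPM 2.0 is present for the optional step.
set -eu

# luks_keyslots: read luksDump output on stdin and print the active key-slot
# numbers (LUKS2 layout, e.g. "0 1"). An auditor can check that only the
# expected slots exist: one recovery passphrase and one KMS/TPM-provisioned key.
luks_keyslots() {
    awk '
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { in_slots = 0 }            # next top-level section (Tokens:, Digests:, ...)
        in_slots && /^  [0-9]+: luks2/ { sub(/:.*/, "", $1); print $1 }
    ' | tr '\n' ' ' | sed 's/ $//'
}

# luks_cipher: read luksDump output on stdin and print the data-segment
# cipher, so the audit can confirm an XTS mode (e.g. aes-xts-plain64) is used.
luks_cipher() {
    awk '
        /^Data segments:/ { in_seg = 1; next }
        /^[A-Za-z]/       { in_seg = 0 }
        in_seg && /cipher:/ { print $2; exit }
    '
}

# luks_demo: the full workflow on a 64 MiB temporary image (needs root).
luks_demo() {
    img=$(mktemp /tmp/luks-demo.XXXXXX)
    truncate -s 64M "$img"

    # 1. Format with LUKS2 (AES-XTS by default); slot 0 holds a recovery passphrase.
    printf 'recovery-passphrase' | cryptsetup luksFormat --type luks2 --batch-mode --key-file - "$img"

    # 2. Add slot 1 with a random keyfile, standing in for a secret a KMS would provision.
    head -c 64 /dev/urandom > "$img.key"
    printf 'recovery-passphrase' | cryptsetup luksAddKey --key-file - "$img" "$img.key"

    # 3. Optional: bind a slot to the local TPM 2.0, sealed to PCR 7 (Secure Boot state).
    #    systemd-cryptenroll reads the existing passphrase from $PASSWORD.
    # PASSWORD='recovery-passphrase' systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=7 "$img"

    # 4. Audit: which slots are active and which cipher protects the data.
    echo "active slots: $(cryptsetup luksDump "$img" | luks_keyslots)"   # expect "0 1"
    echo "cipher:       $(cryptsetup luksDump "$img" | luks_cipher)"     # expect aes-xts-plain64

    # 5. Revocation: destroy slot 1 when the provisioned secret is compromised.
    printf 'recovery-passphrase' | cryptsetup luksKillSlot --key-file - "$img" 1
    echo "after revocation: $(cryptsetup luksDump "$img" | luks_keyslots)"   # expect "0"

    rm -f "$img" "$img.key"
}

# The demo touches the system (loop devices, root); run it explicitly.
if [ "${RUN_LUKS_DEMO:-0}" = 1 ]; then
    luks_demo
fi
```

Run the audit helpers against any LUKS2 volume with `cryptsetup luksDump /dev/sdX | luks_keyslots`; an unexpected extra slot is worth investigating, since anyone holding a secret for it can open the volume. Set `RUN_LUKS_DEMO=1` as root to execute the full walk-through on the temporary image.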
For more information and support, contact us.