Why and how to secure data on your storage units?  

| by Sandrine | May 23, 2024 | Disk Encryption

One of the easiest ways to steal a company’s data is to physically steal the storage devices it uses on a daily basis: whether it’s the SSDs in its computer racks, those built into its employees’ computers, or the myriad of external disks and USB sticks used to exchange data or make backups.

How can you protect yourself from an attacker who is trying to steal storage units or copy their files? By fully encrypting the data stored on them. Windows, macOS and Linux now offer standard tools for encrypting internal and external disks: BitLocker from Microsoft, FileVault from Apple and LUKS from Linux distributions.

These technologies are all based on robust encryption algorithms (usually AES-XTS) and can take advantage of the extensions of modern processors to minimize the impact of encryption on system performance.

Technologies that sometimes lack transparency

However, confidence in these data encryption solutions cannot be total. The source code of the tools offered by Microsoft and Apple, for example, is not freely accessible, and there is no real independent audit to guarantee that they contain no flaws or backdoors.

Two French solutions can effectively replace BitLocker (and a little less effectively – functionally speaking – FileVault). The first is VeraCrypt, a disk encryption tool maintained by IDRIX. It is available under an open source license and is included in the SILL (Socle Interministériel de Logiciels Libres) reference catalog of recommended free software for the French administration. This solution is reliable, but suffers from a lack of optimizations. 

The second is Cryhod from PRIM’X, a regularly audited offering that has been certified by ANSSI, Europe and even NATO.

The problem of encryption key management

In most cases, storage unit encryption keys are stored locally, either in the machine’s TPM, or in a vTPM for virtual machines. This mode of operation is not 100% secure, especially for virtual TPMs, and raises the problem of centralized management of encryption keys.

The implementation of a KMS (Key Management System) will enable the company to store and manage its encryption keys centrally and, if necessary, to revoke them in the event of compromise. The OASIS PKCS #11 standard comes to the rescue here, providing the interface for key exchange between a computer and the company’s KMS. PKCS #11 interfaces are currently available for LUKS and VeraCrypt.

Cosmian KMS (Key Management System) is integrated with VeraCrypt and can provision secrets to open Linux LUKS (the disk encryption system for Linux) encrypted partitions.
For more information and support, contact us.
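As an added illustration of the key-management model described above (not Cosmian's, LUKS's or VeraCrypt's own code): a constructed Python model of LUKS-style key slots in which one slot is unlocked by a locally held secret and another by a secret served from a central KMS, so that revoking the key at the KMS closes that unlock path while the local slot keeps working. The `Volume` and `Kms` classes, the key id `disk-42` and the PRF-based wrapping are assumptions made for the example.

```python
import os, hmac, hashlib

# Constructed model of LUKS-style key slots (not the real LUKS2 on-disk format):
# one random master key protects the volume; every slot stores that master key
# wrapped under a different unlock secret. Slot 0 holds a machine-local secret
# (the role a TPM-sealed key plays); slot 1 holds a secret served by the KMS.

def derive_kek(secret, salt):
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)

def wrap(master_key, kek, salt):
    # Illustrative PRF-based wrap: XOR with a 32-byte HMAC pad, then an HMAC tag
    # (real LUKS wraps the key with the volume cipher and an AF splitter).
    pad = hmac.new(kek, b"wrap" + salt, hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(master_key, pad))
    tag = hmac.new(kek, b"tag" + wrapped, hashlib.sha256).digest()
    return wrapped, tag

class Volume:
    def __init__(self):
        self.master_key = os.urandom(32)
        self.slots = {}  # slot id -> (salt, wrapped master key, tag)

    def add_slot(self, slot, secret):
        salt = os.urandom(16)
        wrapped, tag = wrap(self.master_key, derive_kek(secret, salt), salt)
        self.slots[slot] = (salt, wrapped, tag)

    def open(self, secret):
        # Try every slot; a wrong secret fails the tag check before unwrapping.
        for salt, wrapped, tag in self.slots.values():
            kek = derive_kek(secret, salt)
            expect = hmac.new(kek, b"tag" + wrapped, hashlib.sha256).digest()
            if hmac.compare_digest(tag, expect):
                pad = hmac.new(kek, b"wrap" + salt, hashlib.sha256).digest()
                return bytes(a ^ b for a, b in zip(wrapped, pad))
        return None  # no slot accepted the secret

class Kms:
    # Hypothetical central key store standing in for a PKCS #11 backend.
    def __init__(self):
        self.keys = {}
    def create(self, key_id):
        self.keys[key_id] = os.urandom(32)
        return self.keys[key_id]
    def revoke(self, key_id):  # revocation: the secret is no longer served
        self.keys.pop(key_id, None)

def unlock_via_kms(vol, kms, key_id):
    secret = kms.keys.get(key_id)
    return None if secret is None else vol.open(secret)
```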
