Disk encryption

Disk encryption is a technology which protects information by converting it into code that cannot be deciphered easily by unauthorized people or processes.

Trusted Platform Module (TPM) is a secure cryptoprocessor embedded in the motherboard that can be used to authenticate a hardware device.

Disk encryption implementations can wrap (seal) the decryption key with the TPM so that the key is released only on that machine, in the expected boot state; the hard disk drive (HDD) is thus tied to a particular device, and moving it to another computer does not give access to the data.

The TPM can also enforce a limit on unlock attempts per unit time (a dictionary-attack lockout), which makes brute-forcing the credential harder.

Hardware-based full disk encryption performed inside the storage device is called a self-encrypting drive (SED). Because the drive's own controller encrypts and decrypts every sector on its way to and from the media, an SED has no measurable impact on host performance.

The Trusted Computing Group Opal Storage Specification provides industry accepted standardization for self-encrypting drives.

Dedicated encryption hardware is considerably faster than software-based solutions. Software that encrypts on the host CPU may still carry a performance cost, and its media encryption keys, which have to be held in host memory, are not as well protected.

In all cases it is important to recognise that the authentication credential (passphrase, PIN or token), rather than the cipher, is usually the weakest point, since the symmetric cryptography itself is usually strong.

Secure and safe recovery mechanisms, such as a separately stored recovery key that can still unlock the volume when the normal credential or the TPM is unavailable, are essential to the large-scale deployment of any disk encryption solution in an enterprise.
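The key hierarchy behind the three preceding points (the TPM wrapping the decryption key and rate-limiting unlock attempts, the credential being the weak point, and recovery needing its own path) looks the same in most implementations: a random data-encryption key (DEK) encrypts the sectors and never changes, and the DEK is stored only in wrapped form under one or more key-encryption keys (KEKs). The following Python is an added, constructed illustration of that structure; it is not code from any real product. Its "sealing" step is a stand-in for TPM sealing (a real TPM keeps the device seed inside the chip, here it is just a byte string), and HMAC-based encrypt-then-MAC stands in for the AES key wrap a real implementation would use, because the standard library has no AES.

```python
"""Envelope structure of software disk encryption (constructed example)."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Iterable, Optional

KEY_LEN = 32  # 256-bit DEK and KEKs


def derive_kek_from_passphrase(passphrase: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Slow KDF: the passphrase is the weak point, so every guess must cost real time."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=KEY_LEN)


def seal_kek_to_measurement(device_seed: bytes, pcr_values: Iterable[bytes]) -> bytes:
    """SIMULATION of TPM sealing: the KEK is a PRF of a device-bound secret and the
    boot measurements (PCR-like values). A different device or a changed boot
    component yields a different KEK, so the wrapped DEK cannot be opened."""
    h = hmac.new(device_seed, digestmod="sha256")
    for value in pcr_values:
        h.update(hashlib.sha256(value).digest())
    return h.digest()


def wrap_key(kek: bytes, dek: bytes) -> bytes:
    """Encrypt-then-MAC wrap of one 32-byte DEK: nonce || (dek XOR PRF(kek, nonce)) || tag.
    Stand-in for AES key wrap; the structure (random nonce, integrity tag) is the same."""
    nonce = os.urandom(16)
    pad = hmac.new(kek, b"wrap" + nonce, "sha256").digest()
    ciphertext = bytes(a ^ b for a, b in zip(dek, pad))
    tag = hmac.new(kek, b"tag" + nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def unwrap_key(kek: bytes, blob: bytes) -> Optional[bytes]:
    """Return the DEK, or None if the KEK is wrong or the blob was tampered with."""
    nonce, ciphertext, tag = blob[:16], blob[16:16 + KEY_LEN], blob[16 + KEY_LEN:]
    expected = hmac.new(kek, b"tag" + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pad = hmac.new(kek, b"wrap" + nonce, "sha256").digest()
    return bytes(a ^ b for a, b in zip(ciphertext, pad))


def create_volume(passphrase: str, device_seed: bytes, pcr_values: list, iterations: int = 600_000):
    """Generate a DEK and store it under three independent slots: passphrase, sealed, recovery."""
    dek = secrets.token_bytes(KEY_LEN)
    salt = os.urandom(16)
    recovery_key = secrets.token_bytes(KEY_LEN)  # to be escrowed separately by the enterprise
    header = {
        "salt": salt,
        "iterations": iterations,
        "slot_passphrase": wrap_key(derive_kek_from_passphrase(passphrase, salt, iterations), dek),
        "slot_sealed": wrap_key(seal_kek_to_measurement(device_seed, pcr_values), dek),
        "slot_recovery": wrap_key(recovery_key, dek),
    }
    return header, dek, recovery_key


def unlock_with_passphrase(header: dict, passphrase: str) -> Optional[bytes]:
    kek = derive_kek_from_passphrase(passphrase, header["salt"], header["iterations"])
    return unwrap_key(kek, header["slot_passphrase"])


def unlock_sealed(header: dict, device_seed: bytes, pcr_values: list) -> Optional[bytes]:
    return unwrap_key(seal_kek_to_measurement(device_seed, pcr_values), header["slot_sealed"])


def unlock_with_recovery(header: dict, recovery_key: bytes) -> Optional[bytes]:
    return unwrap_key(recovery_key, header["slot_recovery"])


class UnlockThrottle:
    """Failed-attempt lockout of the kind a TPM enforces: after max_failures wrong
    attempts, refuse all attempts (even a correct one) for lockout_seconds."""

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 60.0,
                 clock: Callable[[], float] = time.monotonic):
        self.max_failures, self.lockout, self.clock = max_failures, lockout_seconds, clock
        self.failures, self.locked_until = 0, 0.0

    def attempt(self, try_unlock: Callable[[], Optional[bytes]]):
        """Return ("ok", dek), ("wrong", None) or ("locked", None)."""
        now = self.clock()
        if now < self.locked_until:
            return "locked", None
        dek = try_unlock()
        if dek is not None:
            self.failures = 0
            return "ok", dek
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures, self.locked_until = 0, now + self.lockout
        return "wrong", None
```

The three slots are independent: the recovery slot opens without the passphrase or the device, which is what makes recovery possible, and the sealed slot fails closed the moment a boot measurement changes, which is exactly the behaviour the page describes for a TPM-bound drive. The iteration count is what an attacker pays per guess against the passphrase slot; the throttle is what the device adds on top of it.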

Even a Trusted Platform Module (TPM) is not effective against attacks that read the decryption key out of RAM, because the operating system needs to hold the key in memory for as long as the disk is in use.

All software-based encryption systems are exposed to side-channel and physical attacks such as acoustic cryptanalysis and hardware keyloggers.

Self-encrypting drives are less exposed to these attacks, since the media encryption key never leaves the disk controller; the credential used to unlock the drive, however, still has to be entered and can still be captured by a keylogger.

Solutions for storing the external key include:

All these possibilities have varying degrees of security; however, most are better than an unencrypted disk.