Showdown: Full disk encryption vs. file-based encryption

Data at rest — it’s a term we see often on RFP questionnaires.

Customers want to know that if an attacker ever finds their documents, this “data at rest,” will be useless and unreadable.

Unfortunately, organizations often leave this data unprotected. Once an attacker gains access to the remote file shares, it’s simply a matter of traversing directories, finding the files they want, and copying them.

What’s a security-conscious administrator to do?

Easy: evaluate your full disk and file-based encryption options.

Start with full disk encryption

Sure, you could encrypt your entire hard drive, and you should!

However, this is only one layer of a good security policy. Experts will tell you that it’s always a good idea to utilize multiple layers of security in case one fails. Your policy should have many layers, like an onion.

In the world of information security, experts refer to this concept as “defense-in-depth.”

The problem with relying on full disk encryption is that it was never meant to fit the use case of the machines that are hosting files online 24 hours per day.

Typically, a user powers on a machine and enters the encryption key. The entire drive is then decrypted, and is not re-encrypted again until the machine is powered off. If a user were to rip the hard drive out of the machine, the files contained on this fully encrypted drive would be inaccessible to the attacker.

However, what if the attacker was able to compromise the machine hosting the files while it was powered on? Game over.

I don’t want to discredit full disk encryption, I merely want to state that it does not provide the level of protection that experts sometimes assume.

A good analogy would be locking the door to your house, but leaving all of your jewelry and financial information prominently displayed on your dining room table.

Once someone bypasses the door lock, they have what they’re looking for. In this way, once the hard drive has been decrypted (when the system boots up and the encryption key is entered), user files are no longer safe.

How can you stop thieves in their tracks?

Using OnBase Encrypted Disk Groups is analogous to storing your jewelry and financial information in a locked safe that only the owner knows the combination to. It’s an extra layer of defense, and an important one. While full disk encryption protects the user against theft of the hard drive, OnBase Disk Groups (and the encryption of files in general), protects the user against unauthorized access.

Even more secure: individual file encryption

One mitigation to this threat is to encrypt individual files in such a way that an unauthorized user cannot decrypt them. As an example, let’s say that your file server houses both medical and legal documents. You want to make sure doctors cannot access legal documents, and that lawyers cannot access medical documents.

If you are using full disk encryption, you can’t guarantee this requirement. Once a machine is powered on and the encryption key entered, any doctor or lawyer using the machine would be able to access any document on the system.

What you need is a system that encrypts individual files, and does not decrypt them until a user with rights to view documents tries to access them. If a doctor logs on to such a system and starts poking around, he would find that legal documents are encrypted.

Even if he were to try to export the legal files to a USB flash drive, they would be useless and unreadable because of the encryption.

As I mentioned earlier, our solution is Encrypted Disk Groups. When a customer configures its OnBase environment to use this capability, individual files are completely encrypted, and are not decrypted until a user with permissions logs on and opens the document.

If a user without permissions for the file were to somehow locate where the disk groups are stored on the file system, they would not be able to open any documents. The documents are encrypted using strong, industry standard encryption algorithms — either AES-128 or AES-256. When configuring Encrypted Disk Groups, the administrator can choose which algorithm to use.

The ultimate security approach: full disk encryption + individual file encryption

Both of these security measures are imperative. Full disk encryption is important and a good start, but file encryption is a way to build on that to make the system even more secure.

So the next time you are asked, “How are our files protected?” have a discussion about the pros and cons of full disk encryption vs. file encryption. You may find out you’re not defending against all of the threats to your organization.