A "Best Practice" is commonly defined as "a technique or methodology that, through experience and research, has proven reliably to lead to a desired result. "Best Practice" is not about "perfection", its about getting the job done.
In the context of the next series of paragraphs, sentences, words and occasional doodle, Best Practice is all about sharing knowledge about lessons learned in deploying Novell ZENworks Full Disc Encryption (ZFDE) to ensure the highest degree of success.
What does Novell Full Disk Encryption do?
Novell Full Disk Encryption provides sector-based encryption for standard IDE, SATA, and PATA hard disks. All disk volumes (or selected disk volumes) are encrypted, including any temporary files, swap files, and operating system files on the volumes. The data cannot be accessed until a valid user successfully logs in, and the data can never be accessed by booting the device from media such as PXE, CD/DVD, floppy disk, or USB drive. Literally, everything is encrypted including that browser history you'd rather not be made public. For an authenticated user, accessing data on the encrypted disk is no different than accessing data on an unencrypted disk.
Hardware and Software based encryption
Encryption can work in two ways:-
1. Hardware-based FDE
This provides support for hard drives that use an on-board hardware encryption chip. All data written to the drive or read from drive passes through the hardware encryption chip first. This approach does not have a performance impact on operating system or applications as all encryption / decryption is done on a dedicated processor on the drive itself. The Encryption Key is supplied on the drive by manufacturer. Currently only Seagate Momentus FDE.x Drives are supported for hardware-based FDE with support in a future release for drives adhering to the TCG's OPAL Standard.
2. Software-based FDE
Used for machines with "standard" drives in them and can be used on most drive types and sizes. The drive must undertake an initial encryption process and the time required varies with whether or not entire drive is encrypted or just used sectors. Encryption happens at sector level – not the file level.
There are a number of factors that you'll need to take into account before commencing deployment. The minimum is given here; you will need to adjust depending on your I.T environment and organizational policies / structures.
ZFDE is fully integrated with and managed by ZENworks Configuration Management (ZCM). The range of supported platforms for ZFDE is a subset of those for ZCM, namely:-
NOTE: Future versions of ZFDE will support Windows 8.
Free space requirements.
If using Hardware-based FDE, the drive must have 130 MB of disk space available. The free space required when using software-based FDE varies depending if the PBA will be used (Pre-Boot Authentication is a hardened Linux OS that must be authenticated to first before Windows is started). With PBA 230 Mb is needed; without 95 Mb.
The PBA resides on a primary partition on the System Drive and Windows only allows 4 primary partitions. Windows newer than Windows XP, have a 100 Mb disaster recovery partition as the first partition on the System Drive. This leaves 3 partitions available.
The partitions must be Windows basic disc types; Dynamic is not supported.
NTFS must be used for existing partitions.
SATA and SSD drives are supported, including hybrid drives that combine both technologies; SAS / SCSI controllers are currently not supported.
Pre-boot authentication is the process of authenticating a user to a device before the device boots to the primary operating system. For ZENworks Full Disk Encryption, the ZENworks Pre-Boot Authentication module, referred to as the ZENworks PBA, performs this operation on a device. The two primary advantages of using the PBA are:-
1) It adds another layer of authentication before Windows starts, an extra padlock if you like.
2) Protects against attack vectors for devices that have FireWire ports. This simple attack takes advantage of the FireWire protocol and its ability to directly access and modify the RAM of a target machine with a FireWire port installed. Using a simple and readily available forensics software tool, it is possible to connect a FireWire cable to a computer, and within seconds bypass the Windows authentication and log in as a local administrator. This method has also been adapted to capture the security keys used to decrypt and encrypt the disc.
The primary disadvantage of using PBA is hardware support. The ZENworks PBA is hosted by a fully hardened Linux OS installed on the device which is protected against changes. The PBA uses Direct Media Interface (DMI) to do a "soft reset" into Windows after the end user has authenticated. Older or brand new machines, or ones that simply have badly written BIOS may not work properly with the PBA Kernel's default settings. You can change the settings for those naughty devices so that the soft reset works. Another disadvantage is the hardware support contained with the Linux kernel; very new hardware may not be fully supported.
Also don't forget that PBA introduces a visible change on users devices. If end users are comfortable with normal Windows login procedures and are resistant to change then this could cause acceptance issues. Whether you use PBA or not, ZFDE is active and prevents disk access until authentication is successfully completed.
You may now be forming the view that the additional security protection offered by using PBA outweighs any potential clash with BIOS and hardware drivers. Deploying FDE without using PBA for devices that have FireWire ports sounds rather building a deep moat around your office complete with a stolid drawbridge which you then leave in the down position.
Unless you're using ZENworks Endpoint Security Management ( ZESM ) that is. One of the capabilities of ZESM is port control and one of those ports that can be disabled is the FireWire port. With ZFDE and ZESM, you can safely use Windows only authentication and be protect against potential FireWire port based comprise attempts.
Encrypt entire disc or just used sectors
Unless you have Seagate Momentus drives which support hardware-based encryption then you'll be using software-based encryption. With software-based encryption, the drive needs to be encrypted. The time required to do this will vary depending on if you have selected the entire drive to be encrypted or just used areas. As a rough estimate it takes 30 – 40 minutes for every 10Gb worth of data.
Existing FDE applications
If you have already deployed another vendors full disk encryption application, it will need to removed before deploying ZFDE. On removal, it is likely that the drive will be decrypted but you will need to check that this is the case. Allow time for the decryption process to complete before deploying ZFDE.
Chkdsk (Chkdsk.exe) is a command-line tool that checks volumes on your hard disk drive for problems. The tool then tries to repair any problems that it finds. For example, Chkdsk can repair problems related to bad sectors, lost clusters, cross-linked files, and directory errors. Chkdsk must be run by an administrator or as someone who is a member of the local Administrators group. It is critical that chkdsk is run on every device before ZFDE is installed and there is an option in the ZFDE policy definition to do this. Alternatively create a ZCM bundle which installs and runs a batch file that has the following content
Echo Y | chkdsk /r
CHKDSK will run the next time the device is restarted. You may force this as part of the bundle.
Make sure to do interoperability testing on your hardware prior to deployment. You will need gather a representative samples of all hardware and test in a lab environment. This will indicate configuration changes for ZFDE if using PBA. There may be device BIOS changes also required for PBA depending on the hardware.
You are strongly advised to backup any device prior to install a ZFDE policy especially if that device is located in an area that is know to have sporadic power outages. ZFDE will resume encryption following a device power cycle but it is better to have a backup in case of non-optimal circumstances.
Novell ZENworks Full Disk Encryption: Best Practice: