Key Management and Full Disk Encryption (FDE)

Before I delve into key management for FDE, I want to clarify that the ideal FDE architecture has two main components. The actual encryption component is a separate layer from the key management. The encryption can be done by the OS (e.g. BitLocker for Windows or FileVault2 for Mac), by Self-Encrypting Drives (SEDs) or by ISVs such as WinMagic’s FIP140-2 validated software cryptographic engine. Pick whichever encryption engine best fits your organizations’ needs and then manage the encryption engine(s). That brings us to the actual key management.

According to Wikipedia

Key management is the management of cryptographic keys in a cryptosystem. This includes dealing with the generation, exchange, storage, use, and replacement of keys. It includes cryptographic protocol design, key servers, user procedures, and other relevant protocols.

Key management concerns keys at the user level, either between users or systems.

When it comes to key management for FDE the key management
system has two sub-components:

  1. Pre-Boot Authentication (PBA) where the keys or credentials required for decrypting or unlocking the drive are revealed only after authentication. The user could be authenticated locally with single or multifactor authentication.Alternatively the device could utilize pre-boot networking (PBN) to communicate with a central key manager or Active Directory to authenticate, enforce policy and possibly obtain the keys required to unlock or decrypt the local drive.  “Enforce policy” could range from sending the device the credentials or keys to automatically unlock without user intervention to sending a kill pill to the device and triggering a crypto erase. More typically if the policy was set to allow the particular user access, the central key manager would send the credentials or keys required to decrypt or unlock the drive protected by the user’s password or smart card. User authentication would then occur locally.
  2. Central storage and distribution of keys or credentials for managing access and recovery. An OS present agent may communicate post boot with the central key manager to report status and get policy updates and keys. For example, once booted the OS present agent could receive instructions and data to add or remove PBA users. In a less typical use case, the central key manager could send a kill pill to trigger a crypto erase.

It is important to note that in the ideal solution, the key management will be consistent across managed platforms and OS’s. The end user should get the same experience when performing PBA for BitLocker as they would for a SED.  This includes the ability to utilize tokens or passwords or have the same customized corporate branded PBA login screen.

On the Key Manager side, the administer should be able to set and enforce policies relatively independent of the actual encryption engine on the end point. This includes provisioning of user access or helping users recover from lost passwords. A common central console for all encrypted end points, especially if the encryptions engines vary, greatly simplifies administration and keeps the total cost of ownership (TCO) low.

Previous Post
Is Encryption Dead?
Next Post
2014 the year of Cyberwar

Related Posts


Is Encryption Dead?

I’ve been asked a couple of times in the nearby past by partners, customers and prospects that encryption would not be secure for millions of years as always being stated. Instead of this it would be possible to “break” encryption…

What kind of encryption is best for you?

There are plenty of ways to secure data and all have pretty acronyms: Full Disk Encryption (FDE), File and Folder Encryption (FFE), Removable Media Encryption (RME) and so on. These three are the ‘meat’ of any good encryption solution. The…
Read more

“Extracting BitLocker keys from a TPM”

(Pre-Boot Authentication: Wisdom in Security – Part 3) In my September 2018 blog “Pre-Boot Authentication. Wisdom in Security Part 2”  I concluded that: “Bottom Line: ‘No PBA’ is not a wise choice for enterprises Microsoft’s reasoning that you don’t need…

The Dark Side of Encryption

I know it’s very tedious these days to use a Star Wars metaphor, but as everyone’s doing it so will I. Encryption techniques have been used for some time to secure communications and protect personal or intellectual property. (more…)

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.