0

The organisation I work for has laptops outfitted with FDE-drives, i.e. drives that encrypt data on the fly such that in the case of a stolen laptop, no data can be retrieved by removing the HDD. While this protects us against malicious outsiders, evil employees can still switch the drive to a computer that they own (and of which they control the BIOS), and enable root/administrator privileges in the OS for themselves.

In short, what would solve this problem is having (a part of) the encryption key saved in the BIOS, such that another computer would be unable to decrypt the drive. Is there a way to do this, or, how do other organisations deal with this security risk?

4
  • "switch the drive to a computer that they own (and of which they control the BIOS), and enable root/administrator privileges in the OS for themselves" Are you sure this is possible to do? Why could a thief not do the same thing as the evil employee?
    – Moab
    Commented Sep 16, 2012 at 16:47
  • Moab: Thief is unable to decrypt the disk. Employee knows passphrase to unlock his drive.
    – pberlijn
    Commented Sep 17, 2012 at 13:30
  • Why does the evil employee have passphrase to someone else's drive?
    – Moab
    Commented Sep 17, 2012 at 15:00
  • He has the passphrase to his own drive. The drive which holds the OS that he is not allowed root privileges on (with a number of reasons).
    – pberlijn
    Commented Sep 17, 2012 at 22:03

1 Answer

2

I think you should be looking at TPM (Trusted Platform Module) solutions. They are built into the majority of professional laptop lines.

This article mentions the solution explicitly - Disk encryption:

A limited number of disk encryption solutions have support for TPM. These implementations can wrap the decryption key using the TPM, thus tying the hard disk drive (HDD) to a particular device. If the HDD is removed from that particular device and placed in another, the decryption process will fail.

2
  • 1
    Better than the answer I was just writing. :) OP: Make sure you (or your IT) have some way to get at the data on the drives OR make sure there is no essential local data on the laptop at all. Motherboards do die and then your own security gets in your way.
    – Hennes
    Commented Sep 16, 2012 at 13:34
  • +1 this is one of the things TPM was designed to help with. Just remember, the bad guys can't get your data without that motherboard working...and neither can the good guys! Make sure you have a way to recover the data when (not if, when) something goes wrong.
    – Grant
    Commented Sep 16, 2012 at 13:49
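
Added example (not part of the original answer or comments): a small Python model of the key wrapping the quoted passage describes, together with the recovery slot the two comments ask for. `ModelTPM`, `provision` and `can_unlock` are hypothetical names, the HMAC-based wrap is a toy stand-in for real TPM sealing, and all values are constructed.

```python
import hashlib, hmac, secrets
# Model only: ModelTPM, provision and can_unlock are hypothetical names, not a TPM API.
def _stream(key, nonce, n):  # HMAC-SHA256 in counter mode as a toy keystream
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def wrap(kek, secret):
    """Toy authenticated key wrap, standing in for real TPM sealing or AES key wrap."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(kek, nonce, len(secret))))
    return nonce + ct + hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()

def unwrap(kek, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("unwrap failed: wrong device, boot state or key")
    return bytes(a ^ b for a, b in zip(ct, _stream(kek, nonce, len(ct))))

class ModelTPM:
    """A seed that never leaves the chip, plus one boot-measurement register (PCR)."""
    def __init__(self, boot_chain):
        self._seed = secrets.token_bytes(32)
        self.measure(boot_chain)

    def measure(self, boot_chain):
        self.pcr = bytes(32)
        for component in boot_chain:  # extend: PCR = H(PCR || H(component))
            self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(component).digest()).digest()

    def _kek(self, passphrase):
        # Wrapping key depends on this chip, the measured boot state and the passphrase.
        return hmac.new(self._seed, self.pcr + passphrase.encode(), hashlib.sha256).digest()
    def seal(self, secret, passphrase):
        return wrap(self._kek(passphrase), secret)
    def unseal(self, blob, passphrase):
        return unwrap(self._kek(passphrase), blob)

def provision(tpm, passphrase):
    """Create a disk key with two slots: TPM-sealed for daily use, recovery for IT escrow."""
    disk_key, recovery_key = secrets.token_bytes(32), secrets.token_bytes(32)
    header = {"tpm": tpm.seal(disk_key, passphrase), "recovery": wrap(recovery_key, disk_key)}
    return disk_key, recovery_key, header

def can_unlock(tpm, header, passphrase):
    try:
        return tpm.unseal(header["tpm"], passphrase) is not None
    except PermissionError:
        return False
```

In this model the employee's passphrase alone is not enough: the sealed slot only opens on the original chip with the original boot chain, while the escrowed recovery key still opens the disk after a motherboard failure.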
