Data Storage Security for Laptops

By stealing hard drives, criminals can access internal company data that can then be used to damage that company or to give themselves a competitive advantage. To counter the threat of unauthorized access to information, data on local hard drives is encrypted. If, as a user, you want to view your plain text data on the hard drive, you must first enter a password to decrypt it. Anyone attempting unauthorized access without this password sees only indecipherable binary data.

Bear in mind the following aspects of encryption:

  • Manageability

    When using encryption, you must always ensure good administration of the encryption keys used. Depending on the product, this implies additional planning, management, and administration.

  • Encryption technology

  • Usability

  • Loss of performance

    When you access encrypted data, the application decrypts the data and then encrypts it again when it is changed. The loss in performance depends on the solution used and the implementation scenario. If the encryption is implemented with hardware support, then performance loss is less than it is for a fully software-based solution.

  • Emergency guidelines for application errors caused by the user or by hardware problems

    Encryption is set up for individual users. Nevertheless, company data must remain recoverable: it must never become impossible to access it. Recovery procedures are also relevant, for example, if users delete the encryption key or if hardware problems prevent the encryption from working in normal operation. The corresponding emergency mechanisms, procedures, and guidelines must therefore be planned, implemented, and available.

  • Saving encrypted data

    You must decide whether to save data in encrypted or unencrypted form. If you save in encrypted form, you must also ensure that the corresponding encryption keys are also saved so that you can decrypt the data again.

    Recommendation

    We recommend that you encrypt the hard disk because any kind of encryption is better than none at all. However, you should consider which mechanism for encrypting the hard disk best meets your application areas and requirements.

There are several options for data encryption in the mobile client context. They have the following properties:

  • Encryption either at operating system level or at a lower level

    For example, Microsoft Windows provides the Encrypting File System (EFS) feature for Windows 2000 and higher. This option can be used.

  • Encryption either for individual files or for all data

    The following solutions are currently available:

    • Encrypting the hard drive

      • Software-based encryption

      • Hardware-based encryption

    • Encrypting the virtual hard drive

Encryption of Hard Drives

Software-Based Encryption

Encrypting the entire hard drive of the laptop protects all its data equally. Once installed, the encryption software starts when the laptop boots, before the operating system. A password (used for decrypting the data and encrypting it again) must be entered before any of the hard drive data can be decrypted. This means that if the hard drive is stolen and examined with a disk editor, the attacker sees only the encrypted data rather than the plain text data.

This process can also be used in the mobile client scenario because all the relevant data would also be covered by the encryption. In scenarios in which several people share a single client device, make sure that the product used can also be operated by several users. Hard drive encryption products provide a Public Key Infrastructure (PKI) that grants access to the encrypted disk (that is, to the computers protected with the product) through users and groups. This PKI must then be installed and managed. Compared with file encryption and virtual drive encryption, hard drive encryption provides general, all-round protection for all saved data. However, it places somewhat higher organizational and technical demands. Encryption problems always affect the entire computer because the operating system is also encrypted.

Hardware-Based Encryption

Besides fully software-based hard drive encryption, hardware can also be used to support encryption mechanisms. There are two main types of hardware support:

  • Encryption of data using special hardware

  • Hardware used to store the encryption keys

Only the first type is likely to provide improved performance because the second type still uses software to encrypt the data. Whether hardware encryption actually provides better performance than software encryption depends to a large extent on the technology used. If you are using a high-performance encryption chip that is well-integrated with the computer hardware (high level of data throughput), then you should experience minimal loss in performance.

Procedures that simply store the encryption key or user identities on separate hardware (for example, smart card or USB token) provide increased system access security because you need hardware and the password to access the system. This means that if the hardware is lost, then the computer can no longer be accessed. Of course, this is also true in the event of encryption-related problems. You therefore need to plan and execute emergency mechanisms and procedures. These must also be supported by the encryption product. You must also operate and manage a product-specific PKI.

Advantages of this solution

  • Depending on the implementation, better performance than for software-based encryption

  • Depending on the implementation, greater security because physical possession of the hardware is required (keys/identities saved on the hardware)

  • Entire data on the hard drive is protected equally

  • Security independent of operating system and its configuration

  • The entire operating system (including the swap files) is encrypted

Disadvantages of this solution

  • Installation of additional software required

  • Installation of additional hardware required

  • License costs for encryption product

  • Depending on the product, hibernation mode is or is not supported

  • Increased technical and organizational demands

  • A separate PKI must be installed, depending on the product

  • When encryption-related problems occur, the computer can no longer be used

  • Performance depends on the product to a great extent

Encryption of Virtual Hard Drives

Unlike encryption of individual files, this solution allows encryption of all data that has been copied onto a virtual hard drive. The virtual hard drive is represented by a file saved in your file system, which can be connected as a separate drive using a special driver. The advantage of this solution is that all the data on the virtual hard drive is always encrypted.

Encryption of virtual hard drives allows you to encrypt the entire file hierarchy on the virtual hard drive. To do this, the correct software must be installed. The encrypted, virtual hard drive is represented by a file in the computer's normal file system, and the file contents are encrypted. When the file is connected as a drive, you have to enter a password, which is then used to encrypt and decrypt the data when the virtual drive is accessed.

In the mobile client scenario, the database files could be stored on an encrypted virtual hard drive. Depending on the product, the encrypted virtual hard drive is either connected automatically when the user logs on or it must be activated manually. The encrypted virtual drive can also be used to save other sensitive data.

One advantage of this solution is that security of the encrypted data relies exclusively on the encryption software and the quality of the selected encryption password. Attackers cannot view the plain text data even if they succeed in getting past the operating system's access protection.

When selecting a product, make sure that the encryption product can also encrypt a virtual hard drive for more than one user. This is important because the database may be accessed by several users (depending on the scenario). Access rights to the file that implements the virtual hard drive must be configured so that it can be accessed by all authorized users.

An encryption product provides key generation and administration features. Depending on the range of functions, the product is also provided with its own PKI, which must be installed and managed accordingly. Before or during initial operation, the keys must therefore be created either by the users themselves or by an administrator. Administration and backup of the keys must therefore be planned.

When using encrypted virtual hard drives, it is not possible to encrypt the swap file (disk space set aside for virtual memory) or the hibernation file (suspend to disk). The operating system also cannot be installed on an encrypted virtual hard drive. Like file encryption, any encryption-related problems only affect the applications that access data saved on the encrypted virtual hard drive. The remaining computer functions are not affected.

Advantages of this solution

  • Software solution, no additional hardware required

  • Data security independent of the operating system configuration

  • Data on the virtual hard drive is always encrypted

  • No access to plain text data even after the operating system has been compromised

  • Encryption problems only affect applications that access encrypted data

Disadvantages of this solution

  • Installation of additional software required

  • License costs for encryption software

  • Files must be saved explicitly to the encrypted virtual drive

  • Depending on the mobile client scenario, the product must support encryption for several users

  • Key generation and administration (for example, backup) must be planned separately

  • A separate PKI must be used, depending on the product

  • Memory images are not protected

  • The operating system is not encrypted

  • You may be forced to accept lower performance than for hardware-based encryption

Running the Client in Insecure Mode

To enable the encryption of the local DB password, the com.sap.tc.mobile.cfs.security.advancedCfsSecurity parameter is set to true by default.

However, while debugging an application you may need access to the local DB password. In this case, set this parameter to false. On synchronization, the local DB password is then changed back to the initial DB password that was provided during installation of the client. You can access the contents of the database when the client runs in insecure mode.

To ensure that the contents of your database are secure again, you must switch back to secure mode by changing the parameter to true.
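The following added example (not part of the SAP documentation) audits a client configuration for the insecure-mode setting described above and forces it back to the secure value. It assumes the parameter is stored in a Java-style key=value properties file; the page does not state the file format or location, and the sample configurations are constructed.

```python
import re

# Parameter documented on this page; absent from the file means the default (true).
PARAM = "com.sap.tc.mobile.cfs.security.advancedCfsSecurity"

# Constructed sample configurations (assumed key=value properties format).
SECURE_CFG = "# client settings\nsome.other.param = 42\n"          # key absent -> default true
INSECURE_CFG = f"{PARAM} = false\nsome.other.param = 42\n"          # left over from debugging
BROKEN_CFG = f"{PARAM}=maybe\n"                                     # unparseable value


def parse_properties(text):
    """Return key -> value for a minimal Java-style properties file.

    Lines starting with '#' or '!' are comments; separators '=' and ':' are accepted.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_cfs_security(text):
    """Classify the client as 'secure', 'insecure' or 'invalid'.

    A missing key counts as secure, because the documented default is true.
    """
    value = parse_properties(text).get(PARAM)
    if value is None or value.lower() == "true":
        return "secure"      # local DB password is encrypted
    if value.lower() == "false":
        return "insecure"    # DB password reverts to the initial one on sync
    return "invalid"         # neither true nor false: treat as a finding


def enforce_secure(text):
    """Return the configuration with the parameter forced to true (no-op if already secure)."""
    if audit_cfs_security(text) == "secure":
        return text
    pattern = re.compile(rf"^\s*{re.escape(PARAM)}\s*[=:].*$", re.MULTILINE)
    return pattern.sub(f"{PARAM}=true", text, count=1)
```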