Learn why at rest encryption doesn’t mean encryption when your laptop
There are many steps you can take to harden a computer, and a common
recommendation you’ll see in hardening guides is to enable disk encryption.
Disk encryption also often is referred to as “at rest encryption”, especially
in security compliance guides, and many compliance regimes, such as PCI, mandate
the use of at rest encryption. This term refers to the fact that data is
encrypted “at rest”, that is, when the disk is unmounted and not in use. At rest
encryption can be an important part of system hardening, yet many
administrators who enable it, whether on workstations or servers, may end up
with a false sense of security if they don’t understand not only what disk
encryption protects you from, but also, and more importantly, what it doesn’t.
What Disk Encryption Does
In the context of Linux servers and workstations, disk encryption generally
means you are using a system such as LUKS to encrypt either the entire root
partition or only a particularly sensitive mountpoint. For instance, some
Linux distributions offer the option of leaving the root partition
unencrypted, and they encrypt each user’s /home directories independently, to
be unlocked when the user logs in. In the case of servers, you might leave
root unencrypted and add encryption only to specific disks that contain
sensitive data (like database files).
On a workstation, you notice when a system is encrypted at rest because it
will prompt you for a passphrase to unlock the disk at boot time. Servers
typically are a bit trickier, because administrators usually prefer that a server
come back up after a reboot without manual intervention. Although some servers
may provide a console-based prompt to unlock the disk at boot time,
administrators are more likely to have configured LUKS so that the key resides
on a separate unencrypted partition. Or, the server may retrieve the
key from the network using its configuration management or a centralized
secrets management tool like Vault, so there is less of a risk of the key
being stolen by an attacker with access to the filesystem.
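The distinction above, between a volume unlocked by a boot-time passphrase, one whose key file sits on a local partition, and one whose key is fetched at boot by a script, is visible in /etc/crypttab. The following added example (not code from the original article) audits a constructed crypttab and flags every mapping whose key file lives on local disk; the device UUIDs, key paths and keyscript name are invented for illustration.

```python
# Constructed sample /etc/crypttab for this example (not taken from a real host).
# Format: <target name> <source device> <key file> <options>
SAMPLE_CRYPTTAB = """\
# <target>   <source>                                   <key file>           <options>
root_crypt   UUID=8f2b0c3e-0000-0000-0000-000000000001  none                 luks,discard
data_crypt   /dev/sdb1                                  /boot/keys/data.key  luks
cryptswap    /dev/sda3                                  /dev/urandom         swap,cipher=aes-xts-plain64,size=256
vault_crypt  /dev/sdc1                                  none                 luks,keyscript=/usr/local/sbin/fetch-key
"""


def classify_entry(keyfile, options):
    """Return how a mapping is unlocked: prompt, keyfile, random, or keyscript."""
    opts = {o.split("=", 1)[0] for o in options.split(",") if o}
    if "keyscript" in opts:          # key produced at boot (e.g. fetched over the network)
        return "keyscript"
    if keyfile in ("none", "-"):     # interactive passphrase prompt at boot
        return "prompt"
    if keyfile in ("/dev/urandom", "/dev/random"):  # fresh random key each boot (swap, tmp)
        return "random"
    return "keyfile"                 # static key file stored on some local partition


def audit_crypttab(text):
    """Parse crypttab text and report, per mapping, where its unlock key comes from."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        name, device = fields[0], fields[1]
        keyfile = fields[2] if len(fields) > 2 else "none"
        options = fields[3] if len(fields) > 3 else ""
        method = classify_entry(keyfile, options)
        findings.append({
            "name": name,
            "device": device,
            "method": method,
            "keyfile": keyfile if method == "keyfile" else None,
            # A static key file is only as protected as the partition holding it: if
            # that partition is unencrypted, the data it unlocks is not protected at rest.
            "key_on_local_disk": method == "keyfile",
        })
    return findings


if __name__ == "__main__":
    for f in audit_crypttab(SAMPLE_CRYPTTAB):
        flag = "  <-- key file on local disk; verify that partition is itself encrypted" if f["key_on_local_disk"] else ""
        print(f"{f['name']:<12} {f['method']:<10} {f['keyfile'] or ''}{flag}")
```

On a real host, replace SAMPLE_CRYPTTAB with the contents of /etc/crypttab; any "keyfile" entry whose path resolves to an unencrypted filesystem defeats the at rest protection the article describes.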
The main thing that at rest encryption protects you from is data loss due to
theft or improper decommissioning of hard drives. If someone steals your
laptop while it’s powered off, your data will be protected. If someone goes
into a data center and physically removes drives from a server with at rest
encryption in place, the drives will spin down, and the data on them will be
encrypted. The same goes for disks in a server that has been retired.
Administrators are supposed to perform secure wiping or full disk destruction
procedures to remove sensitive data from drives before disposal, but if
the administrator was lazy, disk encryption can help ensure that the data is still
protected if it gets into the wrong hands.