All of the components associated with managing the Whole Disk Encryption (WDE) infrastructure should be classified as a High Value Asset (HVA). The backend assets contain the components involved for protecting the encryption and decryption keys that are used to encrypt hard drives. Treating the backend components of the Disk encryption environment as HVA, will ensure that the cryptographic keys are protected through a layered approach to securing the environment. This of course assumes you are architecting your security environment around various layers and are classifying certain assets as HVA’s and others at lower classifications.
Here some basic principles to ensure you are following when designing your WDE:
- Recovery tools to recover a dead machine by putting the hard drive in a different machines.
- Enforce Progressive password policy or use enterprise credential store.
- Whole disk encryption by volume or sector. File based encryption is not acceptable.
- Central management of keys.
- Central management of machine and user policy.
- Unlock as a known user before logging into the desktop.
- Prove that the machine was logged into/unlocked by a specific user.
- Machine is secure & encrypted until unlocked by an approved user.
- Disabled users cannot unlock the machine.
Consult the NIST document 800-111: Guide to Storage Encryption Technologies for End User Devices for more information.