Full Drive Encryption: Don’t Lose Access to Your Failed Drive
Updated 7/22/2015
As a data recovery laboratory, we experience full drive encryption from a different vantage point.
The encrypted data we work with usually is owned by the businesses and people who come to us seeking data recovery. They are trying to get their files back from a failed drive. The encryption – which may have been in place due to regulations, security concerns, or simply by default – now is a potential barrier that could lock them out forever.
In fact, many Solid State Drives come self-encrypting out of the box now, with many consumers clueless that their drive is encrypted.
From this perspective, we have a some general thoughts for the encryption industry and, based on the various encryption techniques we’ve seen, one specific recommendation for the consumer.
First off, full drive encryption really works. Without the proper keys, the information stays incomprehensible through very complex and effective encryption algorithms. In terms of writing encryption software, the various leading producers of encryption software have succeeded in their main goal. And it’s not normal to write software with an eye on hardware failure. Software is written with the reasonable assumption that it will be carried out by hardware able to execute its commands. You don’t write a recipe for cake without assuming the cook has a working oven.
But given that about five percent of hard drives fail every year (with great variability depending on work load and drive model), it’s worth thinking about what ability there is to retrieve extremely valuable data once a storage device fails. We believe the encryption industry should look at how its products affect the chance of an owner recovering encrypted data. It’s worth considering, for example, where the keys are kept and what happens if various sectors on an encrypted disc can no longer be read.
A few bad sector clusters on an unencrypted hard drive, for example, are no big deal for a data recovery laboratory — even if it involves the master file table definition. But a couple dead sectors on an encrypted drive can mean a complete inability to recover anything, depending on their location and the method of full drive encryption.
Without getting into an extremely long and technical discussion of how various methods of encryption affect data recovery, we do think it would be worthwhile to share one specific recommendation to businesses and others looking for a robust encryption method that does not make data recovery more difficult for the authorized user.
While there are some methods of encryption we’ve found less likely to pose an obstacle to data recovery than others, Safeboot is clearly the best. Safeboot encrypts its data in a way that never poses an obstacle to data recovery. If you use Safeboot and you haven’t lost your encryption key, recovering data from a failed drive depends on the normal factors for any other data recovery.
Having said that, Safeboot seems to be used by enterprises more than by home users. When it comes to personal computers, there’s not an ideal option for recovery, but BitLocker by Windows has thus far proved the easiest option for us to work with.
We offer this observation to give consumers another factor to consider when choosing an encryption service, as well as to provide some insight on encryption based on experiences from a data recovery laboratory.