RU2571724C2 - System and method of full disk coding with check of loading disk compatibility - Google Patents

Abstract

FIELD: machine building.

SUBSTANCE: method of full disk coding with check of loading disk compatibility with polishing device, under which the PC loading is changed with use of the device for changes making on the disk to ensure starting of the device of pre-loading check of compatibility of the loading disk and coding device; the device of pre-loading check of compatibility is started, and tests are performed in relation to the compatibility of the loading disk and coding device; after tests completion using the analysis device the test results are compared with coding policy, and decision is made on the disk compatibility with full disk coding based on the comparison; using the coding device the full disk coding of the loading disk is performed if the decision is made on coding possibility.

EFFECT: assurance of compatibility of the loading disk and coding device.

12 cl, 4 dwg

Description

Technical field

The invention relates to solutions for ensuring the security, confidentiality and safety of information on computers, and more particularly to systems and methods of full disk encryption with checking the compatibility of the boot disk.

State of the art

Modern operating systems use a system of accounts and passwords to restrict access to data on a computer. This can be effective if the attacker has short-term access to the computer, but the accounts and passwords will not protect the data if the computer is stolen. There are ways (for example, connecting a hard drive to another computer or starting another operating system on a computer from an external drive) that will allow you to read data from the disk. Even deleted files can be recovered using software and hardware.

The risk of data loss during theft or seizure can be reduced by encrypting data on disk. This measure is important for mobile computers (laptops, tablets), which have the highest risk of being lost or stolen, but it can be useful to ensure the security and confidentiality of data stored on any computer or workstation.

Full Disk Encryption (FDE) is designed to protect data stored on a disk in cases where the computer is stolen or seized when it is turned off.

File encryption is encryption that applies only to specific files on a computer’s disk. It is easier and faster to apply, but it is more vulnerable. Files in encrypted form can be copied and decrypted later by brute force, programs that use encrypted files can save the decrypted files in the cache, the original file after encryption is deleted from the disk, but can be restored by means of recovering deleted files.

Hard disk passwords are a feature provided by disk manufacturers. Disk passwords do not encrypt data on the hard drive; they only prevent the disk from interacting with the computer until the password is entered. There are ways to remove passwords from disks, as well as ways to extract data using mechanical interventions in hard disks (replacing plates or ROM chips).

If the computer is mobile, contains a significant amount of important documents or any documents that may be considered as highly secret, it is better to use full-disk encryption. At present, there are also more and more threats to corporate networks, inside of which almost every computer contains data that should never, and under no circumstances, fall outside the corporate network.

There are many full disk encryption tools available. The most famous specialized software products: BitLocker, TrueCrypt, PGPDisk and others. Also, recently, a full-disk encryption tool has become part of popular anti-virus corporate solutions, for example, Kaspersky Endpoint Security DPE.

When performing full-disk encryption of boot disks, a pre-boot authentication tool is installed on the disk. This tool requires the user to enter a password; after the correct entry, the operating system (OS) is loaded.

Antivirus software products also have their own pre-boot authorization tools. When applying full-disk encryption to the boot disk, the anti-virus software changes the sequence of the boot process by integrating the pre-boot authorization tool into the normal boot process of the computer. This tool works at the pre-boot stage and uses the interfaces of the basic input / output system (BIOS) or the unified extensible microcode interface (English UEFI) to work with the computer hardware. The preloading stage is the stage at which the initialization of the microcode of the computer is completed, but the loading of the operating system (OS) has not yet begun.

At the preloading stage, interaction with computer hardware is possible only through microcode interfaces. The microcode has its own errors, limitations and problems regarding the hardware compatibility of devices. Therefore, the anti-virus software components that work at this stage may also have various compatibility issues. When a similar problem occurs, the computer may not start because the pre-boot authorization tool is used to start the OS from an encrypted disk, but is not compatible with the computer hardware. In the event of a non-start, it is necessary to carry out the process of fully recovering the computer to a boot state.

The very idea of full disk encryption, as well as the idea of using bootable media, is not new.

US 8,171,272 B1 describes the operation of a preload test tool for computer hardware. The pre-boot testing tool determines compatibility with the computer hardware, creates a report on the missing drivers for the pre-boot environment mode, and provides information to the user. In one implementation, the preload test tool may itself receive the missing drivers.

US Pat. No. 8,533,830 B1 describes the operation of a pre-boot testing tool, which confirms the correspondence of a computer hardware image to the current computer support at the pre-boot environment stage.

Currently, bootable tools are not used to test the compatibility of a boot disk with a tool that performs full disk encryption. This may be due to the fact that full-disk encryption tools are used relatively recently. Compatibility problems were detected extremely rarely, and since most of the problems could be solved by updating the microcode, so far there has been no need to perform a separate compatibility check of the boot disk with full-disk encryption.

SUMMARY OF THE INVENTION

The technical result of the present invention is to ensure the compatibility of the boot disk with encryption.

According to one embodiment, a full-disk encryption system is provided with checking the compatibility of the boot disk with the encryption tool, which comprises: means for making changes to the disk, which places the bootstrap tool for checking the compatibility of the disk with the encryption tool on the boot disk, modifies the boot process of the computer to ensure that the boot tool compatibility checks; pre-boot compatibility checker that performs boot disk compatibility tests with full-disk encryption; analysis tool that compares test results and encryption policies, decides whether encryption of the boot disk is possible; encryption tool that performs full disk encryption of the boot disk after the decision by the analysis tool about the possibility of encryption of the boot disk.

According to another particular embodiment, the pre-boot compatibility checker performs tests every time the computer is restarted.

According to another particular embodiment, the pre-boot compatibility checker does not run the tests again if the tests were successful during the previous restart of the computer.

According to yet another particular embodiment, the pre-boot compatibility checker works at the stage after the computer microcode is initialized and before the operating system starts.

According to yet another particular embodiment, the means of making changes to the disk works at the stage after loading the operating system.

According to another particular embodiment, the encryption tool operates at the stage after loading the operating system.

According to another particular embodiment, the analysis tool operates at the stage after the initialization of the microcode of the computer and before the launch of the operating system.

According to another particular embodiment, the analysis tool operates at the stage after loading the operating system.

According to another particular embodiment, the analysis tool runs on a network security management server.

According to one embodiment, a full-disk encryption method is proposed with checking the compatibility of the boot disk with the encryption tool, in which: changing the boot process of the computer using the means of making changes to the disk to ensure that the boot-up bootstrap tool is compatible with the encryption tool; run the pre-boot compatibility checker and test the compatibility of the boot disk with the encryption tool; after performing tests using the analysis tool, they compare the test results with encryption policies, make a decision on the compatibility of the drive with full disk encryption based on the comparison; full-disk encryption of the boot disk is performed using the encryption tool in the case of deciding on the possibility of encryption.

According to another particular embodiment, the comparison of test results with encryption policies is performed at the stage after the initialization of the microcode of the computer and before the launch of the operating system.

According to another particular embodiment, the comparison of test results with encryption policies is performed after loading the operating system.

According to another particular embodiment, the comparison of test results with encryption policies is performed by the network security management server.

Brief Description of the Drawings

Additional objectives, features and advantages of the present invention will be apparent from reading the following description of an embodiment of the invention with reference to the accompanying drawings, in which:

FIG. 1 depicts a system performing full disk disk encryption with pre-boot compatibility check;

FIG. 2 shows a process for encrypting a boot disk;

FIG. 3 represents an algorithm for verification conducted by a preload compatibility checker;

FIG. 4 is an example of a general purpose computer system on which the present invention may be implemented.

Description of Embodiments

The objects and features of the present invention, methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, it can be embodied in various forms. The essence described in the description is nothing more than the specific details provided to assist the specialist in the field of technology in a comprehensive understanding of the invention, and the present invention is defined only in the scope of the attached claims.

Pre-boot compatibility testing can reduce the risks associated with possible computer inoperability after performing full-disk encryption by testing all known causes of incompatibility before the boot disk is encrypted. A scan can also be initiated by the system administrator for an individual computer.

The implementation of the invention can use both BIOS and UEFI interfaces. The computer boot process can be changed both for disks that use the master boot record (MBR) and for disks that use a partition table with a globally unique identifier (GPT, eng. GUID partition table).

Any proposed implementation solution should work during pre-boot execution, so at least one restart of the computer is required during the testing process.

FIG. 1 depicts a system performing full-disk encryption of a boot disk with pre-boot compatibility check.

In the implementation of the system we can distinguish:

Change Tool on Disk 110:

- prepares the boot disk, placing on it a pre-boot compatibility checker 120;

- changes the boot process of the computer 130 to ensure the launch of pre-boot compatibility check tool 120;

- reboots the computer.

The preparation of boot disk 110 in the general case consists in allocating a continuous portion of memory on the disk, placing (for example, by copying) the pre-boot compatibility check tool 120, user authentication data (accounts, passwords, encryption keys used to decrypt data on the disk and operating system boot) and 160 encryption policies (conditions under which encryption of data on a boot disk can be performed or, conversely, cannot be performed, and which can be defined on pre-loading stage). Similar authentication placement operations are performed by full-disk encryption programs, such as TrueCrypt.

Changing the boot process generally consists in changing the master boot record, and a new boot record is created that refers to the hosted pre-boot compatibility check tool 120? and is copied to the zero sector of the boot disk 110. Similar operations to change the main boot record are performed, for example, by the installation programs of the operating systems.

120 Pre-Boot Compatibility Checker:

- performs pre-loading compatibility tests;

- Conducts an analysis of encryption policies at the preloading stage;

- performs loading OS 140;

In the general case, the compatibility tests of the boot disk 110 at the pre-boot stage, performed by the pre-boot compatibility check tool 120, are hardware tests of the compatibility of the hard disk with the hardware resources of the computer, as well as an analysis of the hardware state of the disk in relation to the encryption of data on this disk. A similar analysis is performed, for example, by the basic input-output system (BIOS). It is worth noting that in the case when, for example, the hard disk self-test tool (SMART) contains information that one of the attributes of the state of the hard disk is in a critical state, the basic input / output system will warn the user about the bad state of the hard disk, but will allow continue downloading. The pre-boot compatibility check tool 120 in one embodiment recognizes such a hard drive as incompatible with the encryption tool 170. In addition, if, for example, it is revealed that the computer’s hard drive is larger than 2 terabytes and the underlying input / output system does not support disk layout more than two terabytes (in this case, the use of the disk is possible, but only 2 terabytes of data on the disk are available to the user or less), the pre-boot compatibility check tool 120 also recognizes such a disk as incompatible with encryption tool 170.

In addition, in one embodiment, the test results contain general hardware information about the boot disk 110, which can then be used by the analysis tool 150.

An analysis of the encryption policies 160 consists in comparing the allowed and forbidden conditions with the actual state of the boot disk 110. So, for example, if the encryption policy prohibits encrypting data on boot disks that are a raid array (those disk characteristics that may not always be available for analysis after loading the operating system 140), and the analyzed disk does not meet these policies, the pre-boot compatibility check tool 120 recognizes such a disk as incompatible with the encryption tool 170.

Analysis Tool 150:

- receives test results from a pre-loading compatibility checker 120;

- uses 160 encryption policies;

- compares test results with encryption policies;

- makes a decision on the possibility of using full disk encryption.

In general, the analysis tool 150 conducts the analysis after loading the operating system 140. If the pre-boot compatibility checker 120 has previously recognized the boot disk 110 as incompatible with the encryption tool 170, data is not encrypted on the boot disk 110. The following is an analysis of 160 encryption policies and a comparison of the test results for the compliance of the boot disk 110 with these policies. So, for example, if the disk size exceeds 1 terabyte, and one of the policies contains a requirement that data on disks larger than 512 gigabytes is not encrypted, full disk encryption will not be applied to such a disk. If the computer is located on a network segment for which full-disk encryption is prohibited, full-disk encryption is also not applied.

A similar analysis of policies (for example, security policies) and their comparison of the operating conditions of a computing device (for example, a computer) can be carried out by the security policy manager (Eng. Local Security Policy or Server Security Policy Management) of the operating system.

Encryption Tool 170:

- gets a decision about the possibility of using full-disk encryption from the analysis tool 150;

- Encrypts boot disk 180.

If for some reason full-disk encryption cannot be performed on the computer that is part of the corporate network, the encryption tool can notify the network administrator that it is not possible to apply the encryption policy on this computer.

If the firmware of the corporate network computer is changed, the administrator may try to apply the encryption policy again.

In FIG. 2 shows the encryption process of a boot disk. At the initial stage 210, a pre-boot compatibility check module is placed on the disk, and the computer boot process is changed to ensure that the pre-boot compatibility check module starts. After this, the computer 220 restarts. The pre-boot compatibility check module performs all the necessary tests 230. Based on the test results and after comparing them with the encryption policies, a decision is made whether the boot disk 240 can be encrypted. It should be noted that the encryption policies can be compared with the test results as at the stage pre-boot execution 241, and after starting the operating system 242, as well as the network security management server 243. If a positive decision is made about encryption capabilities full disk encryption of boot disk 250 is performed.

Encryption policies may contain the following criteria when applied to a boot disk:

- disk size, for example, full disk encryption is applied to large disks for a long time;

- the number of logical partitions on the disk;

- disk layout contains MBR or not;

- disk layout contains GPT or not;

- the state of the disk according to the results of the self-diagnosis, for example, if the SMART (English self monitoring analysis and reporting technology) of the disk contains warnings, the disk may fail during encryption;

- media type: HDD (Eng. hard disk drive), SDD (Eng. solid state drive) or other, for example, the resource of solid-state drives is reduced when using full disk encryption;

- whether the disk is a RAID array;

- the operating system is on one disk;

- no need to restart the computer to install drivers or updates;

- file system of the system partition;

- the presence of errors on the logical drive;

- size of free disk space;

- the presence of shared network folders on the disk;

- write protection of the disk;

- the network segment in which the computer is located;

- computer users;

- computer type: laptop, workstation, server.

The implementation of the invention requires all necessary pre-loading tests to be carried out by means of pre-loading compatibility checks and to ensure that the results of these tests are made available to the analysis tool. It is also necessary to provide the ability to perform both mandatory verification before encryption and forced verification on demand (for example, a network administrator) without encryption.

Since the pre-boot compatibility checker works at the pre-boot stage and may not be compatible with the computer hardware, conditions may arise under which the computer cannot boot. In cases of such incompatibility, an automatic solution is needed to restore the computer to working condition, the ability to automatically return the operating system boot process to its initial state. It is worth noting that support for an external recovery tool is also necessary if the normal boot process of the operating system cannot be automatically restored by the pre-boot compatibility check tool.

In FIG. Figure 3 shows the verification algorithm performed by the pre-boot compatibility checker.

At the initial step 310, the computer with the modified boot process launches the pre-boot compatibility checker 330. Next, it checks whether the test load 340 was performed (it checks to see if the test boot flag is set). If it has not been executed, the test boot flag is set, the successful boot flag is reset (regardless of its current state), 350 compatibility tests are performed. After the tests are completed, the OS 360 tries to boot. If the computer boots successfully, the encryption flag sets the successful boot flag 370. If the test boot performed previously (the test boot flag is set), the pre-boot compatibility checker checks the successful boot flag at step 380. If it is, the pre-boot tool compatibility check in one of the possible implementations, loads the OS 360, in another embodiment, re-runs the tests of step 350. If the download was not successful (the successful boot flag is not set), then it is considered unsuccessful, the OS 385 boot process is restored and the OS is loaded under normal conditions 390. The encryption tool in this case determines in which mode the OS booted up and does not set the successful boot flag 395.

FIG. 4 is an example of a general purpose computer system, a personal computer or server 20 comprising a central processor 21, a system memory 22, and a system bus 23 that contains various system components, including memory associated with the central processor 21. The system bus 23 is implemented as any prior art bus structure comprising, in turn, a bus memory or a bus memory controller, a peripheral bus and a local bus that is capable of interacting with any other bus architecture. The system memory contains read-only memory (ROM) 24, random access memory (RAM) 25. The main input / output system (BIOS) 26 contains the basic procedures that ensure the transfer of information between the elements of the personal computer 20, for example, at the time of loading the operating system using ROM 24.

The personal computer 20 in turn contains a hard disk 27 for reading and writing data, a magnetic disk drive 28 for reading and writing to removable magnetic disks 29, and an optical drive 30 for reading and writing to removable optical disks 31, such as a CD-ROM, DVD -ROM and other optical information carriers. The hard disk 27, the magnetic disk drive 28, the optical drive 30 are connected to the system bus 23 through the interface of the hard disk 32, the interface of the magnetic disks 33 and the interface of the optical drive 34, respectively. Drives and associated computer storage media are non-volatile means of storing computer instructions, data structures, software modules and other data of a personal computer 20.

The present description discloses an implementation of a system that uses a hard disk 27, a removable magnetic disk 29, and a removable optical disk 31, but it should be understood that other types of computer storage media 56 that can store data in a form readable by a computer (solid state drives, flash memory cards, digital disks, random access memory (RAM), etc.) that are connected to the system bus 23 through the controller 55.

Computer 20 has a file system 36 where the recorded operating system 35 is stored, as well as additional software applications 37, other program modules 38, and program data 39. The user is able to enter commands and information into personal computer 20 via input devices (keyboard 40, keypad “ the mouse "42). Other input devices (not displayed) can be used: microphone, joystick, game console, scanner, etc. Such input devices are, as usual, connected to the computer system 20 via a serial port 46, which in turn is connected to the system bus, but can be connected in another way, for example, using a parallel port, a game port, or a universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface such as a video adapter 48. In addition to the monitor 47, the personal computer may be equipped with other peripheral output devices (not displayed), such as speakers, a printer, and the like.

The personal computer 20 is capable of operating in a networked environment, using a network connection with another or more remote computers 49. The remote computer (or computers) 49 are the same personal computers or servers that have most or all of the elements mentioned earlier in the description of the creature the personal computer 20 of FIG. 4. Other devices, such as routers, network stations, peer-to-peer devices, or other network nodes, may also be present on the computer network.

Network connections can form a local area network (LAN) 50 and a wide area network (WAN). Such networks are used in corporate computer networks, internal networks of companies and, as a rule, have access to the Internet. In LAN or WAN networks, the personal computer 20 is connected to the local area network 50 via a network adapter or network interface 51. When using the networks, the personal computer 20 may use a modem 54 or other means of providing communication with a global computer network such as the Internet. The modem 54, which is an internal or external device, is connected to the system bus 23 via the serial port 46. It should be clarified that the network connections are only exemplary and are not required to display the exact network configuration, i.e. in reality, there are other ways to establish a technical connection between one computer and another.

In conclusion, it should be noted that the information provided in the description are examples that do not limit the scope of the present invention defined by the claims. One skilled in the art will recognize that there may be other embodiments of the present invention consistent with the spirit and scope of the present invention.

Claims (12)

1. A full disk encryption system with a boot disk compatibility check with an encryption tool, which contains:
- a means of making changes to the disk, which places the bootstrap tool for checking the compatibility of the disk with the encryption tool on the boot disk, changes the boot process of the computer to ensure that the bootstrap compatibility tool starts;
- a pre-boot compatibility checker that performs boot disk compatibility tests with full-disk encryption;
- An analysis tool that compares test results and encryption policies, decides whether encryption of the boot disk is possible;
- an encryption tool that performs full-disk encryption of the boot disk after the decision by the analysis tool about the possibility of encryption of the boot disk. 2. The system of claim 1, wherein the pre-boot compatibility checker performs tests each time the computer is restarted. 3. The system of claim 1, wherein the pre-boot compatibility checker does not run the tests again if the tests were successful during a previous restart of the computer. 4. The system according to claim 1, in which the pre-boot compatibility checker works at the stage after the initialization of the microcode of the computer and before the launch of the operating system. 5. The system according to claim 1, in which the means of making changes to the disk works at the stage after loading the operating system. 6. The system according to claim 1, in which the analysis tool operates at the stage after the initialization of the microcode of the computer and before the launch of the operating system. 7. The system according to claim 1, in which the analysis tool operates at the stage after loading the operating system. 8. The system of claim 1, wherein the analysis tool runs on a network security management server. 9. The method of full disk encryption with checking the compatibility of the boot disk with an encryption tool, in which:
- change the boot process of the computer using the means of making changes to the disk to ensure the launch tool pre-boot check the compatibility of the boot disk with encryption;
- run the pre-boot compatibility checker and conduct boot disk compatibility tests with the encryption tool;
- after performing the tests using the analysis tool, they compare the test results with the encryption policies, make a decision on the compatibility of the drive with full disk encryption based on the comparison;
- perform full-disk encryption of the boot disk using the encryption tool in the case of deciding on the possibility of encryption. 10. The method according to claim 9, in which the comparison of the test results with encryption policies is performed at the stage after the initialization of the microcode of the computer and before the launch of the operating system. 11. The method according to claim 9, in which the comparison of the test results with encryption policies is performed after loading the operating system. 12. The method according to claim 9, in which a comparison of the test results with encryption policies is performed on the network security management server.

Images