Enterprise Encryption for Linux: Improve Manageability & Compliance

In today's remote and hybrid work environment, characterized by cloud computing and mobility, encryption for Linux endpoints such as laptops and mobile devices has never been more important for the enterprise. Although Linux has built-in encryption, enterprises still struggle with encryption on Linux devices because their current solution sets lack management and compliance capabilities. Luckily, enterprise solutions that address these critical Linux endpoint security challenges do exist.
To gain insight into how businesses can fortify a modern Linux infosec architecture with a robust endpoint security strategy, we spoke with industry-leading Linux endpoint encryption provider WinMagic about the challenges of securing today’s Linux endpoints, the importance of centralized management and compliance in enterprise Linux encryption, and how WinMagic SecureDoc for Linux strengthens Linux endpoint security with comprehensive full disk encryption.
Looking for further information on how to manage encrypted Linux devices across the organization? Thought leaders Garry McCracken CISSP, VP of Tech and CISO, WinMagic, and Dave Wreski, Linux Security expert and CEO, Guardian Digital, hosted a webinar on Enterprise Linux Encryption Management where they discussed how organizations can address Linux encryption management challenges, along with compliance and centralized key management issues related to enterprise encryption. Access the full video here.
Linux Endpoint Encryption Is Critically Important for a Robust Cybersecurity Posture in 2022 & Beyond
Cyber risk has never been greater, and it is a reality that organizations can no longer afford to ignore. Malware incidents rose 358% in 2020, and 1 in 5 Americans experienced a ransomware attack that year. Linux endpoints are often seen as more secure than their Windows counterparts, but the belief that Linux is safe from malware and other cyberattacks is a dangerous misconception. While Linux is generally regarded as a highly secure OS, it has become an increasingly popular attack target in recent years due to its growing user base and the high-value systems and devices it powers worldwide. As a result, organizations need to protect Linux endpoints with the same robust security mechanisms they use for other device types. In this modern era of increased mobility and heightened digital risk, organizations must find new ways to protect their systems and their information.
Overview of Disk Encryption Capabilities Built into Linux
Linux has built-in encryption capabilities, yet enterprises still struggle with encryption on Linux endpoints. To understand why this is the case and what can be done to overcome this challenge, let’s first review the disk encryption capabilities that are built into Linux.
dm-crypt
dm-crypt is a transparent disk encryption subsystem within the Linux kernel. It is a block-device-based abstraction that can be stacked on top of other block devices, such as disks, so that every sector written to the mapped device is encrypted before it reaches the underlying disk and decrypted on read. dm-crypt is therefore an ideal technology for FDE (Full Disk Encryption). The actual ciphers are not built into dm-crypt; it uses cryptographic routines (e.g. AES) from the kernel's Crypto API.
LUKS
LUKS (Linux Unified Key Setup) is a disk encryption specification that defines a platform-independent, standard on-disk format for use by various tools (i.e. a standard encryption header), which provides the basis for implementing password management: the header records the cipher and key parameters and holds multiple key slots, each protecting the volume key under a different passphrase. The reference implementation on Linux is cryptsetup, which uses dm-crypt as the disk encryption backend.
What Do Enterprises Need Beyond dm-crypt & LUKS for Data-at-Rest Protection for Linux?
Together, dm-crypt and LUKS form the basis for a simple "standalone" password-authenticated FDE application; this, however, is not an enterprise-grade solution. WinMagic research highlights that enterprises have additional needs for their data-at-rest protection on Linux that are not satisfied by dm-crypt and LUKS alone.
Centralized Management & IT Security Compliance View of Encrypted Devices
Robust encryption is essential to securing sensitive data and ensuring IT security compliance, i.e. the process of monitoring and assessing systems, devices, and networks to ensure they comply with regulatory requirements as well as industry and local cybersecurity standards. For instance, all confidential data might need to be encrypted to protect intellectual property, to help comply with industry regulations like PCI DSS, or simply to avoid having to contact all your customers to tell them that their data has been breached.
California Senate Bill 1386 was one of the first of many U.S. and international security breach notification laws requiring notification when unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The key word here is "unencrypted". If a company can prove the device was encrypted and protected with authentication at the time it was stolen, then no breach notification is required. Since the company no longer has the PC, it needs a key management system that contains proof that the system was encrypted at the time it was stolen and was configured to require authentication. Thus, centralized key management is crucial for ensuring compliance and protecting privacy. It can also be used to create groups within the company that do or do not have access to the data on devices.
Organizations want the ability to go to a console and see whether a given Linux laptop in their organization is encrypted and compliant with their encryption policy. When enterprises implement WinMagic SecureDoc for Linux, each laptop reports its encryption status (for all disks) to the central console at a configured interval. Therefore, if a laptop goes missing, the IT department has proof of its encryption state for the auditors.
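As an added example (not WinMagic's or SecureDoc's code), the following Python parses the LUKS1 on-disk header described in the LUKS section above and turns it into the kind of per-volume encryption-status record a central console would collect, then checks it against a simple policy (LUKS present, at least one enabled key slot, AES-XTS with a 64-byte key, a minimum PBKDF2 cost). The header layout and magic values come from the LUKS1 specification; it does not handle the JSON-based LUKS2 header, and the policy thresholds and the `sample_header` builder are constructed assumptions for offline testing, not data from any real volume.

```python
import struct

# LUKS1 on-disk header: fixed 592-byte phdr, 8 key slots of 48 bytes starting at offset 208.
MAGIC = b"LUKS\xba\xbe"
PHDR_LEN, SLOTS_OFF, SLOT_LEN = 592, 208, 48
SLOT_ENABLED, SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD

def _cstr(raw):
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_luks1_header(hdr):
    """Parse the first 592 bytes of a volume; return None if it is not a LUKS1 header."""
    if len(hdr) < PHDR_LEN or hdr[:6] != MAGIC or struct.unpack(">H", hdr[6:8])[0] != 1:
        return None
    # Each key slot starts with its 'active' marker and PBKDF2 iteration count (big-endian).
    slots = [struct.unpack(">II", hdr[SLOTS_OFF + i * SLOT_LEN:][:8]) for i in range(8)]
    enabled = [(i, iters) for i, (active, iters) in enumerate(slots) if active == SLOT_ENABLED]
    return {"cipher": _cstr(hdr[8:40]), "mode": _cstr(hdr[40:72]), "hash": _cstr(hdr[72:104]),
            "key_bytes": struct.unpack(">I", hdr[108:112])[0], "uuid": _cstr(hdr[168:208]),
            "slots": enabled}

def check_policy(info, min_key_bytes=64, min_iters=100_000):
    """Return policy findings for a parsed header; an empty list means compliant (assumed policy)."""
    if info is None:
        return ["no LUKS1 header found: volume is not LUKS1-encrypted"]
    findings = []
    if not info["slots"]:
        findings.append("no enabled key slot: volume cannot be unlocked")
    if info["cipher"] != "aes" or not info["mode"].startswith("xts-"):
        findings.append(f"cipher {info['cipher']}-{info['mode']} not permitted by policy")
    if info["key_bytes"] < min_key_bytes:  # XTS uses two keys, so 64 bytes means AES-256
        findings.append(f"key size {info['key_bytes']} bytes below {min_key_bytes}")
    findings += [f"slot {i} PBKDF2 iterations {n} below {min_iters}"
                 for i, n in info["slots"] if n < min_iters]
    return findings

def sample_header(cipher=b"aes", mode=b"xts-plain64", key_bytes=64, slot_iters=(250_000,)):
    """Constructed LUKS1 header (no real key material or digest) for offline testing."""
    hdr = bytearray(PHDR_LEN)
    hdr[0:6] = MAGIC
    struct.pack_into(">H", hdr, 6, 1)                       # version 1
    hdr[8:8 + len(cipher)] = cipher
    hdr[40:40 + len(mode)] = mode
    hdr[72:78] = b"sha256"
    struct.pack_into(">II", hdr, 104, 4096, key_bytes)      # payload offset (sectors), key bytes
    hdr[168:204] = b"00000000-0000-4000-8000-000000000000"  # placeholder UUID
    for i in range(8):  # enable the first len(slot_iters) key slots, mark the rest disabled
        active, iters = (SLOT_ENABLED, slot_iters[i]) if i < len(slot_iters) else (SLOT_DISABLED, 0)
        struct.pack_into(">II", hdr, SLOTS_OFF + i * SLOT_LEN, active, iters)
    return bytes(hdr)
```

On a real endpoint the agent would read the header from the block device (e.g. the first 592 bytes of the partition) instead of calling `sample_header`, and ship the dictionary plus findings to the console with a timestamp.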
Enterprises also prioritize centralized management for all OSes from a single console, because they dread deploying a different management solution for each OS type. Overall password recovery, operations and management of the encrypted devices from a central console is also essential. The console should be able to provide central backup of the encryption keys and recovery information.
Support for a Zero Trust Linux Infosec Strategy
Zero Trust, which deems all network traffic as untrusted, is one of the more popular security models organizations adopt to deal with emerging threats, but most enterprises are not implementing it to its fullest extent, resulting in unnecessary information security risk. The U.S. Government recognizes the importance of encryption as part of an effective Zero Trust cybersecurity strategy, and a memorandum directs agencies to use encryption to protect data at rest.
Implementing Zero Trust recommendations can be challenging, and could potentially lead to a decrease in work productivity during encryption and increased costs associated with ongoing administration. Luckily there are comprehensive encryption solutions like SecureDoc for Linux that organizations can implement to easily meet Zero Trust requirements without sacrificing productivity or cost-efficiency.
SecureDoc for Linux tackles the challenges of implementing Zero Trust recommendations head on by allowing initial live conversion of the disk, permitting admins and users to log in and work on the machine while encryption occurs. SecureDoc also reduces IT management costs by enabling pre-boot network-based authentication as an additional security measure, ensuring data on drives is never left unprotected during boot-up. In addition, SecureDoc provides damage control for lost or stolen devices by removing keys, ensuring data cannot be accessed even with the right credentials.
Pre-Boot Authentication with Active Directory (AD) Credentials
Businesses want the ability to use an AD username and password to authenticate at pre-boot. That is, they want an AD server to actually participate in pre-boot authentication by means of pre-boot networking. WinMagic SecureDoc for Linux provides this critical capability, which is a significant improvement over the native Linux implementation, which requires a pre-boot password (and sometimes a different password for each volume on the system) and does not support AD.
Root Volume Encryption, Initial Online Encryption & Crypto-Erasing a Compromised Device
Root volume encryption, data volume encryption and swap partition encryption are all needed by enterprises; however, protecting the root volume with Linux native FDE is generally quite convoluted, which calls for an improved mechanism.
Initial online encryption is also a high priority for organizations. By implementing SecureDoc for Linux, businesses gain the ability to encrypt pre-installed Linux laptops without having to back up the data, wipe the disk and re-install Linux with encryption enabled.
SecureDoc also provides a simple mechanism to cryptographically erase all data when a device is compromised, or is to be repurposed. This operation should also be recorded for compliance reasons.
WinMagic SecureDoc for Linux: Defense-in-Depth Enterprise Encryption for Linux Endpoints
SecureDoc for Linux offers scalable enterprise-class full drive encryption for Linux endpoints. SecureDoc separates the problem into two components: encryption and key management. Because the expertise needed to deliver these two components is different, SecureDoc for Linux works seamlessly with Linux native encryption, layering on top of dm-crypt to better manage and unify encryption efforts across the enterprise and across device platforms. SecureDoc also supports Smart Card based MFA at pre-boot (e.g., PIV cards). For many agency systems, PIV (including Derived PIV) will be the simplest way to support phishing-resistant MFA requirements, and OMB Memorandum M-19-17 requires agencies to use PIV credentials as the "primary" means of authentication to Federal information systems.
Garry McCracken, WinMagic VP of Technology and CISO, elaborates, “Linux has had built-in encryption for endpoints for several years now. Yet, many enterprises struggle with encryption on Linux endpoints such as reinstallation of the operating system before commencing on encryption, and some solutions only providing encryption for Windows devices. Our SecureDoc for Linux solution builds on the capabilities available in Linux (such as dm-crypt), providing an overarching layer of manageability, visibility, and automation that scales at an enterprise level and facilitates compliance.”
Some of the core features of SecureDoc for Linux include:
- Live disk conversion allows admins and users to log in and work on the machine while encryption occurs.
- Removes the need to wipe the disk and reinstall the operating system before commencing encryption.
- Encryption statuses are monitored and available centrally in a single-pane-of-glass admin portal.
- Pre-boot network-based authentication provides an additional security measure to ensure data on drives is never left unprotected during boot-up.
- Supports Smart Card based MFA at pre-boot (e.g., PIV cards).
- Makes it easy for AD and Azure AD users to log in to encrypted devices.
- Users can log in to encrypted devices without having to be pre-provisioned for access on the device.
- SecureDoc Enterprise Server provides simple central management for all OS endpoints, including Linux, Windows, and Mac.
With these key features of WinMagic SecureDoc for Linux, organizations can support an integrated Zero Trust strategy that fortifies their information security architecture for Linux endpoints.
Final Thoughts
In 2022 and moving forward, securing Linux endpoints in an information security architecture has never been more crucial - and more challenging - for the enterprise. Centralized management, IT security compliance, and a Zero Trust strategy are characteristics that organizations should prioritize in an endpoint encryption solution. SecureDoc for Linux is a solution we love for businesses looking to meet Zero Trust requirements and enhance built-in Linux disk encryption capabilities with scalable, multi-layered endpoint encryption.