Cleantech Market Intelligence
PGP, Companies’ Security Foundation, Compromised
At the end of December, Elcomsoft reported that it had developed a forensic tool that can decrypt disk drives encrypted with Symantec’s PGP, Microsoft’s BitLocker, and the open-source TrueCrypt. This tool could change how corporations protect their data and – perhaps more important to those corporations – it could again expose them to fines when laptops are lost or stolen. To be precise, no one has broken the encryption algorithms themselves. Rather, Elcomsoft has found a hole in their implementation.
Elcomsoft Forensic Disk Decryptor has many legitimate uses: law enforcement agencies may be stymied by their inability to access data on an encrypted drive; corporations may have trouble accessing terminated employees’ hard drives; and there are outlier cases, such as the archivist who followed good security practice but unfortunately died without having written down or told anyone his password. The product clearly can be used for good. And the price is right: $299 per copy.
But the probability that it will be used only for forensic purposes is negligible. PGP is the bedrock of corporate data security programs, including those of many utilities. Data thieves in possession of the software may be able to bypass that corporate protection. Has that encryption now become irrelevant?
Corporations often require that laptops have encrypted hard drives. This is to avoid the severe penalties for compromising personal data – penalties that apply even when the compromise is due to a criminal act such as the theft of a laptop. Many jurisdictions require the company to pay for restitution and protection of those who are affected. This could include a year’s worth of credit monitoring for each person, or stiff fines if medical data is compromised. Some laws prescribe prison for executives of the company that loses the data. In the worst case, laptops with sensitive data from defense agencies have been stolen, with national security implications.
Some of these thefts appear to have been targeted. Stealing a laptop from a rental car may be much easier than breaking into an enterprise IT system. Full disk encryption is the first line of defense against such threats, because laws often waive corrective action and fines if the hard drive is fully encrypted. Unfortunately, encryption may be the only line of defense at some organizations.
Elcomsoft’s product may undermine that defense, rendering ineffective some expensive encryption deployments. Rolling out full-disk encryption to a large organization is an incredibly complex and time-consuming process. Not only the technology but also the change management is challenging. If the encryption is now shown to be ineffective, then the penalties for data compromise may return – even for fully encrypted laptops. With or without the menace of fines, the threat to data confidentiality and integrity increases as well.
Effective security practices could have reduced this scenario from potential disaster to annoyance. A defense-in-depth approach would supplement full-disk encryption with other measures such as digital rights management, which can protect data even after it has been stolen and exported. However, after an expensive and complicated rollout of full-disk encryption, few companies have an appetite for the next step.
But now they may.