When and where should sensitive data be encrypted? The revealing answers might surprise you!


After running WinMagic, a company whose main focus has been data encryption, for more than 20 years, last week I asked our team for the first time a very basic question: when, and where, should sensitive data be encrypted?

The answers are eye-opening for me.

Ideally, sensitive data should always be encrypted except while it is being processed*, e.g. used by an application that requires plaintext data.

With our expertise in disk encryption, we had determined that data should be decrypted only in RAM, for the CPU to work on; our disk encryption encrypts the data before it is written to disk. But with advances in memory encryption, the RAM itself can now be always encrypted, with data decrypted only within the CPU. That’s perfect! Well, almost.

The answer to “WHERE should sensitive data be in plaintext?” is: within the (secure) CPU. With advanced technology like AMD’s Secure Encrypted Virtualization (SEV), the CPU no longer has the memory encryption key for the RAM of a Virtual Machine (VM) as soon as it exits that VM. So the answer to “WHEN” is: only during the short periods when the CPU is actually processing the workload; otherwise sensitive data should always be encrypted.
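As an added example, not code from the original post or from WinMagic: a small C program that reads CPUID leaf 0x8000001F, the leaf in which AMD processors report SME/SEV support, so an operator can check whether the memory-encryption hardware the post relies on is actually present. The struct and function names are my own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Hypothetical result struct (an assumption of this example). */
typedef struct {
    int sme, sev, sev_es, sev_snp;   /* feature implemented by the processor */
    unsigned cbit;                   /* page-table bit that marks a page as encrypted */
    unsigned phys_addr_reduction;    /* physical address bits consumed by the C-bit */
    unsigned max_encrypted_guests;   /* encrypted guests supported at the same time */
} sev_caps;

/* Decode CPUID leaf 0x8000001F (AMD memory-encryption features):
 * EAX bit0 SME, bit1 SEV, bit3 SEV-ES, bit4 SEV-SNP;
 * EBX[5:0] C-bit position, EBX[11:6] physical address bit reduction;
 * ECX number of simultaneously encrypted guests supported. */
sev_caps decode_sev_leaf(uint32_t eax, uint32_t ebx, uint32_t ecx) {
    sev_caps c;
    c.sme     = (eax >> 0) & 1;
    c.sev     = (eax >> 1) & 1;
    c.sev_es  = (eax >> 3) & 1;
    c.sev_snp = (eax >> 4) & 1;
    c.cbit    = ebx & 0x3f;
    c.phys_addr_reduction  = (ebx >> 6) & 0x3f;
    c.max_encrypted_guests = ecx;
    return c;
}

/* Query the live CPU. Returns 1 and fills *out if the leaf exists, 0 otherwise
 * (non-x86 builds, or processors that do not implement the leaf). */
int query_sev_caps(sev_caps *out) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (__get_cpuid_max(0x80000000u, NULL) < 0x8000001fu) return 0;
    __cpuid(0x8000001fu, eax, ebx, ecx, edx);
    (void)edx;
    *out = decode_sev_leaf(eax, ebx, ecx);
    return 1;
#else
    (void)out;
    return 0;
#endif
}

int main(void) {
    sev_caps c;
    if (!query_sev_caps(&c)) { puts("CPUID leaf 0x8000001F not available"); return 0; }
    printf("SME=%d SEV=%d SEV-ES=%d SEV-SNP=%d C-bit=%u max guests=%u\n",
           c.sme, c.sev, c.sev_es, c.sev_snp, c.cbit, c.max_encrypted_guests);
    return 0;
}
```

A set bit means the processor implements the feature, not that the VM you are running in is currently encrypted; confirming that the hypervisor actually enabled SEV for a given guest is a separate check.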
