When and where should sensitive data be encrypted? The revealing answers might surprise you!
After running WinMagic, whose main focus is data encryption, for more than 20 years, I asked our team last week, for the first time, a very basic question: When – and where – should sensitive data be encrypted?
The answers are eye-opening for me.
Ideally, sensitive data should always be encrypted except when it is being processed*, e.g. used by an application that requires plaintext data.
With our expertise in disk encryption, we determined that data should only be decrypted in RAM, for the CPU to work on; our disk encryption encrypts the data before it is written to disk. But with advances in memory encryption, RAM itself can now be encrypted all the time, with data decrypted only inside the CPU. That’s perfect! Well, almost.
The answer to “WHERE should sensitive data be in plaintext?” is: within the (secure) CPU. With advanced technology like AMD’s Secure Encrypted Virtualization (SEV), the CPU no longer has the memory encryption key for the Virtual Machine’s (VM’s) RAM as soon as it exits the VM. So the answer to “WHEN” is: only during the short periods when the CPU is actually processing the workload; otherwise sensitive data should always be encrypted.
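As an added illustration of the rule above (encrypt before the data reaches disk, open it only for the moment of processing, then wipe it), the Go functions below keep a record AES-GCM sealed at rest and expose plaintext only inside processSealed. This is example code written for this post, not WinMagic’s product code; the key, the nonce-prefixed blob layout and the function names are my own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAtRest is the "always encrypted" form written to disk: nonce || ciphertext || tag.
func sealAtRest(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// processSealed is the only place plaintext exists: open the blob, hand the
// bytes to work, wipe them, and return the result re-sealed; tampered input is rejected first.
func processSealed(key, sealed []byte, work func([]byte) []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed blob too short")
	}
	plain, err := gcm.Open(nil, sealed[:ns], sealed[ns:], nil)
	if err != nil {
		return nil, err // authentication failed: never process the bytes
	}
	out := work(plain)
	for i := range plain {
		plain[i] = 0 // close the plaintext window as soon as work returns
	}
	return sealAtRest(key, out)
}
```

The plaintext window is the body of processSealed and nothing else; the at-rest blob never contains the record, and a blob that fails authentication is refused before the work function ever sees a byte.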