1. While PGP was not mentioned in the "Lest We Remember: Cold Boot Attacks on Encryption Keys." paper published February 21st, we have now had a chance to review the paper; though this is primarily a hardware attack, PGP's WDE functionality could be as vulnerable as any other vendor's full disk encryption products.
2. PGP counsels all its customers that security should be assessed at many levels and on a continuum that includes looking at:
- device security - products like PGP Whole Disk Encryption (WDE)
- data security - products like PGP Desktop Email, PGP Virtual Disk, PGP NetShare
- network security - traditional firewalls, VPNs, etc.
- physical security - not leaving machines unattended, accessible to others, etc.
3. Many of our customers use PGP WDE along with other PGP products (PGP Desktop Email, PGP NetShare, etc...). For those customers who are ONLY using PGP WDE it is important to understand that should an attacker gain access to your computer a minute or two after shutdown, they could obtain your keys. It takes one or two minutes for the data in memory to finally fade. Bottom line, if you shut down or hibernate (NOT SUSPEND) your machine, youre fine after a minute or two has passed.
a. steps that customers can take now are:
- Use a vendor's WDE product, and make sure your machine is fully powered down or hibernated when not in use.
- Be sure that you are using the PGP Zip and PGP Virtual Disk functionality which is included in the PGP WDE product today these are two additional layers of security available to PGP WDE users.
- Protect the data. Making certain that information of value is protected is critical, whether that is through email traffic or data in files. Products like PGP Desktop Email and PGP NetShare are ideal companions to PGP WDE.
b. best practices that customers should always be employing:
- As maintenance releases of security products become available, we recommend customers always deploy the latest versions of their security software, whether from PGP or other vendors.
4. We also want our customers to know that we have reached out to the publishers of this report to see how they can help us and how we can further protect against this type of attack in our WDE product.
5. PGP Corporation is willing to work with any hardware manufacturer who makes CPUs, chipsets, or DRAM to construct ways to solve the issue at its root. This is an attack on the hardware itself, and consequently, a complete solution must come from hardware. Software solutions can make the situation better, but cannot completely correct this.