The encrypted data plugin tech-preview was released at San Francisco Synergy earlier this month. David Wagner recently wrote an introduction; his post focused on the business aspects. The post that follows provides a technology introduction and a high-level view of how things work.
Some description of the early history provides a pretty good introduction to the project. Citrix is a leading proponent of Bring Your Own Computer and while I am not a BYOC participant, my corporate notebook computer is highly tweaked to my personal needs including having the corporate image formatted clean off the machine and … not being on the corporate domain. I used to be on the domain, but I haven’t been for the last couple years.
The official company configuration for notebooks calls for whole-drive encryption of the hard disk using SafeBoot. I’ve never exactly done this though I did use BitLocker for a while on a personal (not-work) computer. It worked fine.
Back to me
For years, I’ve run with a bit of an … adjustment to the whole-disk requirement, using two volumes. The C: volume holds the operating system and installed applications and the D: volume holds “data”. The C: drive is not encrypted and the D: data partition is encrypted. I’ve used a variety of encryption tools for the data partition including PGPDisk, TrueCrypt and DiskCryptor to define the D: drive. The OS volume is never encrypted and the D: volume is mounted as a function of starting up the C: system disk (startup folder).
With this in place, life is simple, pretty secure and it’s easy to recover from device drivers gone wrong on the system disk. With the advent of Windows Vista and Win 7, things got even easier. Using directory to directory reparse points, the “important” C: activity can be redirected from “in the clear” C: drive to the encrypted D: drive without the application requiring reconfiguration. In the below, look at the SYMLINKDs.
The result is that Microsoft Outlook and Onenote can be used without tweaking directory location settings in the application and the applications will access all of the important data from the encrypted space. This is important for me because I reinstall the system and applications a lot and grow quickly tired of changing these settings in the applications every few days.
Operating System on C: and Data encrypted on D:
Is this secure?
A security-focused person will note, and they have officially noted, that my system swapfile is still on drive C: and since drive C: is not encrypted, this provides a place for information to leak into the C: partition. My “My Documents” space is also still on drive C: and this isn’t secured either; if I stored stuff there or anywhere on C:, it also will not be encrypted. You can go down the list for cookies and browser history and a number of other things I store in the clear like batch files and utility programs.
Yes, there is stuff on C: that is in the clear and anyone stealing my notebook can get to it.
All of those C: things are information that … I don’t care about.
The fundamental thing is that the system volume (“C:”) gets formatted and reinstalled all the time. DATA is permanent! By putting all of the data in one place, I have a single thing to back up and with it encrypted, it’s … secured. Security wise, this is not as good as whole drive encryption, but it’s sufficient for my needs.
My adversary, my usual adversary, is not digging through the swapfile to find the stuff that is on my encrypted drive, it just isn’t worth the effort and there is nothing there that important to start with. If my adversary gets more aggressive or if my data gets more magical, whole disk would be appropriate.
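The redirection described above (profile folders on C: replaced by directory symlinks into the encrypted D: volume) and the audit of what still sits in the clear on C: can be scripted. The following is an added example, not code from the plugin or from the author; it assumes D: is already mounted and encrypted, that the three profile folders listed are the ones to redirect (hypothetical choices, adjust to the real layout), and an elevated PowerShell 5.1 or later session, since creating a symbolic link needs that privilege.

```powershell
# Added example: redirect profile folders from the clear-text C: volume onto an
# encrypted D: volume with directory symlinks (the SYMLINKD entries in "dir"),
# then report what still lands on C:. Assumes D:\Data exists and is encrypted.
param(
    [string]$EncryptedRoot = 'D:\Data',
    [string[]]$RedirectedFolders = @(
        "$env:LOCALAPPDATA\Microsoft\Outlook",   # hypothetical: OST/PST cache
        "$env:LOCALAPPDATA\Microsoft\OneNote",   # hypothetical: OneNote cache
        "$env:USERPROFILE\Documents"             # hypothetical: My Documents
    )
)

function Redirect-ToEncrypted {
    param([string]$SourcePath, [string]$EncryptedRoot)

    # Keep the source's relative layout under the encrypted root (assumes "C:\" prefix).
    $relative = $SourcePath.Substring(3)
    $target   = Join-Path $EncryptedRoot $relative
    if (-not (Test-Path -LiteralPath $target)) {
        New-Item -ItemType Directory -Path $target -Force | Out-Null
    }

    $item = Get-Item -LiteralPath $SourcePath -Force -ErrorAction SilentlyContinue
    if ($item -and $item.LinkType) {
        Write-Host "already a $($item.LinkType): $SourcePath -> $($item.Target)"
        return
    }
    if ($item) {
        # Move existing clear-text contents onto the encrypted volume first, then
        # remove the now-empty directory so the link can take its place.
        Get-ChildItem -LiteralPath $SourcePath -Force | Move-Item -Destination $target -Force
        Remove-Item -LiteralPath $SourcePath -Force
    }
    # Equivalent of "mklink /D <source> <target>".
    New-Item -ItemType SymbolicLink -Path $SourcePath -Target $target | Out-Null
    Write-Host "redirected: $SourcePath -> $target"
}

function Test-OnEncryptedVolume {
    param([string]$Path, [string]$EncryptedRoot)
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return $false }
    # Follow the link if there is one, then compare against the encrypted root.
    $resolved = if ($item.LinkType) { $item.Target | Select-Object -First 1 } else { $item.FullName }
    return $resolved.StartsWith($EncryptedRoot, [System.StringComparison]::OrdinalIgnoreCase)
}

foreach ($folder in $RedirectedFolders) {
    Redirect-ToEncrypted -SourcePath $folder -EncryptedRoot $EncryptedRoot
}

# Audit: which of the redirected folders actually resolve onto the encrypted volume?
$report = foreach ($folder in $RedirectedFolders) {
    [pscustomobject]@{ Path = $folder; OnEncryptedVolume = (Test-OnEncryptedVolume $folder $EncryptedRoot) }
}
$report | Format-Table -AutoSize

# The swapfile and hibernation file cannot be redirected by a symlink; they stay a
# clear-text leak path on C: unless the OS volume itself is encrypted.
Get-CimInstance Win32_PageFileUsage | Select-Object Name, AllocatedBaseSize
if (Test-Path -LiteralPath 'C:\hiberfil.sys') { Write-Warning 'hiberfil.sys on C: is not encrypted' }
```

The applications never see the redirection: Outlook and OneNote keep opening their usual C: paths, and NTFS follows the link into D:. The final two lines are the caveat from the paragraph above made visible: the pagefile and hiberfil.sys remain on the unencrypted system volume, so anything an application pages out or that sits in RAM at hibernation time can land on C: in the clear.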
The point: This system configuration OFFICIALLY does not meet Citrix company spec and it especially didn’t meet spec before the BYOC program was put in place: All notebooks shall be whole-disk encrypted!
So, I got a call from Mark Templeton. Yes, the CEO. Wow! Violate a few official IT policies and the company chair gets word and calls you to his office! Turns out this wasn’t a call to the carpet thing though technically his office is carpeted; he wanted a show and tell of my normal config. This half corporate, half personal thing is exactly what the Dr. ordered for Bring Your Own Computer.
Employees will buy computers and those computers will have the operating system already installed. It won’t be encrypted and then the user is going to want to bring this not-whole-disk-encrypted system to the office!
Build a means to have the company stuff protected and you’ve got something of high value for BYOC!
I left the room with instructions to go forth and productize. Project “moonlight” was born!
A side thing on the meeting is that while we were talking, Mark was personally installing a half dozen netbooks and installing Citrix Receiver, Dazzle and a bunch of other Citrix software and appeared to be having a good time doing it. Really, we can put him to work in programming and test circles if this CEO thing ever gets tired.
Keeping things separate
When discussing BYOC, there’s a separation of “Corporate Apps” and “Personal Apps”. The company cares about the data for the corporate applications and very officially does not care about the data for the personal applications. Given the user has both, how do you “help them” to make it easy to do the right thing?
How do you KILL the data if the user leaves the machine at the TSA checking line at the airport?
In my pre-moonlight world, it’s simple, the Data (all of it is corporate) goes on drive D:. The Operating System and Applications go on C:. I’m a Citrix Product Architect and am certifiably good at typing “D:” and knowing that this means the space for encrypted corporate data. I’m also good at avoiding storing anything important to C:. We ASSUME that the average BYOC user isn’t all that deliberate about where the data goes and here, they need a bit of assistance to make sure things land in the right place.
I’m also the Architect of Application Streaming at Citrix and with this, I can control how applications work on a computer – well, I can heavily influence what happens to a STREAMED application on a computer even if it is a BYOC computer. On the domain, off the domain, we can absolutely filter everything that a streamed app does and make dag gone sure that it never writes to a space it isn’t permitted. We can get into a long definition of “permitted”, but stick with me as we get it started.
In my talks with Mark and showing off reparse points and similar configuration he asked if it would be possible to restrict access to the encrypted data to ONLY “Corporate Applications”? Absolutely!!!
What’s a “corporate application”?
- Citrix Application Streaming
- Microsoft App-V
- Citrix Client Drive Mapping from hosted sessions
Can we write code so that only corporate applications can see the encrypted space and also write code so that corporate applications for the most part cannot store stuff to the non-encrypted space? Sure! Can you also prevent NON-corporate apps from accessing the encrypted volume? Definitely!
Done right, we don’t even have to modify App-V, App Streaming or the ICA client. File system filter drivers are just what is needed and as convenience would have it, we have a whole bunch of experience writing those.
In a follow up post, I’ll provide a big-picture diagram of the major blocks of the encrypted data plugin. For now, know that it pulls together
- Citrix Receiver and Merchandising Server
- Volume based encryption
- Process identification of “corporate” applications
- Policies of who can write to where enforced with file system filters
- Mission impossible self-destructs when the data gets old.
- Central services to implement kill pills and password recovery
Parts 1-4 are present in the tech preview and some interim code exists heading us toward web accessible “5” and “6”. This is a fun project; getting paid to work on things I’ve hacked on for years.
You can download the encrypted data plugin technical preview from http://mycitrix.com/, downloads, Citrix Receiver.
Product Architect – Application Streaming, Profile Manager and the Encrypted Data Plug-in