
Here is a plan I am thinking about. I haven't seen this proposed, so I thought I would ask about it.

Threat we are guarding against:
A lost or stolen laptop leading to exposure of sensitive information.

Project Description:

Developing a desktop client app to allow traveling users to collect data when not connected to a network. It is sensitive data and needs to be encrypted at rest. Obviously, the key to the encryption cannot be stored in the client anywhere, so I will use password-based key generation to encrypt the data. The password hash is stored in the client. This is on laptops that we do not control, so we can't enforce whole-disk encryption.

This is fine until the user forgets their password, another user takes over the job, or the user changes their password. The administrator needs a way to rescue encrypted data. So, the proposal is to save a copy of the data encrypted using a public key generated by the administrator, who holds the associated private key. This copy is saved either per transaction or when the user ends the session.

Questions:

  1. Is there a flaw in this approach?
  2. Has this been solved another way?

Similar to: Encrypting user data using password and forgot my password

Except that that is about a web application and a public-private key pair is not suggested.

Update: This is a Java client (using Java Web Start) on Windows.

mcgyver5

2 Answers

2

I think you don't need to keep an entire second copy of the data. That seems difficult. Also, you want to try to avoid bulk public-key encryption. It's slow. Instead of keeping a second copy of the data, you can keep a second copy of the key.

Create a random symmetric key F that you use to encrypt the files. Encrypt this key with a key derived from the user's password and store the encrypted F on the disk. Store a copy of F in a secure store somewhere that admins can access. You should encrypt F using some admin-specific key to keep F secure while in transit and at rest.

Neil Smithline
-1

You say "This is on laptops that we do not control, so we can't enforce whole-disk encryption." Then your problem of keeping the data you want encrypted will be more difficult. You'll essentially have to create an encrypted container and regulate access to it rather than being able to just encrypt everything stored on disk.

Can you prevent users from moving files from the container to the normal unencrypted drive, or removable storage? Can a user open a file from the encrypted container and save it elsewhere? Can a user copy text, or save a screenshot, from a file on the encrypted container to a new file on the unencrypted partition?

You'll have all these opportunities for the data you want protected to leak out if the user decides they'd rather not deal with the hassle of encryption. Depending on what type of data you want to protect, this may not be the right approach. If you can mitigate these chances of data leaking then this might be acceptable.

You also mention using passwords as encryption keys. What you probably should do instead is use a password (or password derived key) to unlock the actual container encryption key. That way a password change only requires the old password and new password to re-encrypt the key rather than all the encrypted data.

This also allows you to more easily support key escrow, where a copy of this container encryption key is decryptable with the admin's private key or password. Try to avoid creating multiple copies of encrypted data, which can be slow and take up more space, and save multiple copies of the key instead.

Finally, I hope this is more of an academic discussion and not something you plan to develop from scratch. Implementing effective encryption is not something that can usually be done successfully as a beginner.

PwdRsch