Open Source Removable Media Encryption?
An anonymous reader asks: "I'm trying to find a solution for encrypting removable media connected to my network's computers. Ideally, the solution would: allow Enterprise deployment and configuration in a Windows XP environment; be free and open source; not require administrative privileges to use (encrypt/decrypt files and media); and allow decryption via freely available and platform-independent methods on the destination machine. I've looked at PointSec for Removable Media, but it requires Windows on both ends. I've also looked at TrueCrypt, but it doesn't appear to limit encryption to only removable media (I don't want users encrypting their hard drives). Slashdot, can you help me?"
It shouldn't be that hard to add a check to make sure it only encrypts removable media.
Please, for the good of Humanity, vote Obama.
http://glosoli.blogspot.com/2005/09/encrypted-thumb-drive-and-autoplay.html
Work off that, it's good.
Oh, I don't know. It makes sense. You can now "borrow" data, encrypt it to keep it free from inspection, and then be able to decrypt on your box, so that you can play with things.
I prefer the "u" in honour as it seems to be missing these days.
TrueCrypt can do exactly what you want. From here:
After a system administrator installs TrueCrypt on the system, users without administrator privileges will be able to run TrueCrypt, mount/dismount any TrueCrypt volume, and create file-hosted TrueCrypt volumes on the system. However, users without administrator privileges cannot encrypt/format partitions, cannot create NTFS volumes, cannot install/uninstall TrueCrypt, cannot change passwords/keyfiles for TrueCrypt partitions/devices, cannot backup/restore headers of TrueCrypt partitions/devices, and they cannot run TrueCrypt in 'traveller' mode.
Exactly what you want... when running TrueCrypt in normal user mode, no one will be able to encrypt the hard drive or anything else.
If it doesn't exist, write it yourself! I recommend you get a copy of Applied Cryptography, and implement 3DES using inner-CBC mode. Oh, also be sure to use lots of ASN.1 encoding everywhere.
Signed,
NOT The Government
http://outcampaign.org/
Isn't all media encryption removable these days?
;)
What? Oh, sorry... misparse.
Use hardware encryption on the removable media. You're talking probably USB-sticks anyhow, so use one with fingerprints or (multi-platform) pin codes.
;-)
Or did you mean: Cheap enterprise solution?
Challenger thumbdrive encryption, not checked it out in depth but works for me for those "OMG what if I lost this thumbdrive" moments.
http://www.encryption-software.de/challenger/en/doc_short_manual.html
"Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
This question comes up every few months here, and as far as I can tell TrueCrypt is really the only solution that even approaches what you and almost everyone else here is looking for. First off it's open source (check), it's under active development unlike many other encryption projects (check), it's already partially cross-platform (semi-check) with plans for a Mac OS X version, and it's the only free, open source encryption software to have a decent GUI, as far as I can tell.
If you have the backing of a real enterprise organization what you need to do is donate some time and/or money to the TrueCrypt project so that you can get the features you want. At this point there is really only one thing holding TrueCrypt back from becoming as ubiquitous as Firefox, which is that it hasn't yet been ported to Mac OS X and its GUI hasn't been ported to Linux yet. Feature-wise it will do just about exactly what you want, but the project needs resources and programmers to help make it totally cross-platform.
The day that there is a stable GUI version that runs on OS X, Windows and Linux is the day that you and the rest of us will FINALLY have a solution to cross-platform encryption needs. It will also be the ONLY cross-platform solution available, if current trends continue. Believe me, I have LOOKED, and looked hard, and there is NOTHING on the market that isn't either Windows-dependent on both ends (as you've seen) or some half-assed clunky little command-line program only suitable for statically encrypting and decrypting files (google bcrypt and ccrypt, cross-platform but useless except to a few geeks). TrueCrypt mounts the encrypted file or drive as a drive letter and lets you transparently work with the files without ever writing them to disk in an unencrypted format. Regular users aren't going to accept anything less than TrueCrypt's already proven ease of use.
Seriously, I can't emphasize this enough. TrueCrypt is your (our) only hope. They are Obi-Wan Kenobi. It's so close to what we all want, and nothing else even compares. Go ahead, keep looking. You won't find anything. If you have some resources behind you, as in money or programmers, aim them square at the TrueCrypt project and get things moving to get it completely cross-platform. The world will thank you and your enterprise needs will be met by free, open source software that will never die or cost you $100 per seat per year. Isn't that worth a little initial investment?
The problem with encrypting removable media is a little bit shaky. I'm assuming you want them to encrypt it so they can bring the information home with them. If they aren't bringing it home, you're probably better leaving the data on the computer/network to keep it more secure. However, once they bring it home, and type in the decryption key, any spyware on their home computer is free to read the data just as the user would be free to read the data. Smart spyware would probably actively look for encrypted partitions (although I don't know of any that does), because it's more likely that there is confidential and important information there. Encrypting the media will give you lots of protection if the data happens to go lost, but won't protect you once the user plugs it into a foreign computer and types the password. You also need the software on every computer, so if you're bringing a presentation on an encrypted drive to a client's office, they need to have the software to read it. Also, remnants of the files can be left on the computer in the swap partition, which can be read later if the swap partition isn't encrypted, which is the case with most Windows, as well as Linux setups (although it's quite easy to encrypt your Linux swap partition).
On a side note, I don't think you have to worry too much about the users encrypting their hard drive if you use TrueCrypt, because as far as I'm aware, you have to unmount and format the volume in order to encrypt it. I don't think that regular users have that privilege, and I'm not even sure if it's possible with admin privileges, if they only have 1 partition. You can't unmount C: when you only have C:. Same reason why Format C: will not work at the command prompt.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Users will -always- be able to create file-based encrypted partitions (loopback filesystems) using 3rd party software, no matter what -you- use. The way to go is to use TrueCrypt, then deal with these through company policy and control; you can't prohibit it technically, you must prohibit it legally. Control, deal with violators through disciplinary means.
Anagram("United States of America") == "Dine out, taste a Mac, fries"
This constraint is a real bitch, just because it's so arbitrary. If you're really insistent on this, you're probably going to need something specifically customized for you.
It's sort of like, "I need a great spreadsheet program, but I don't want it to be possible for the users to enter the number 4 into odd-numbered columns."
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Our VP has a thumbdrive with all this built in. It includes XP partitioning software on a separate, non-removable partition that handles all the encryption, decryption, access rights, formatting and partitioning. It requires no drivers other than those for USB mass storage, and even somehow manages to automatically prompt you if you haven't already set up security on the device (you can have a secure partition and a "public" partition, or just one of either). No extra software needed, and you can do this without admin rights.
However, it is not OSS and it is Windows only, so YMMV. Unfortunately, I don't have the name of the product, but you can probably find it on Amazon.
CastrTroy raises some very good points: my first thought when I read this thread was "key logger".
Which raises the issue of key management: if you haven't already done so, check out the standard methods of key management. (Easy mechanism - hire an ex-spook or ex-comsec person for "advice"). Wikipedia has some links - see http://en.wikipedia.org/wiki/Key_management
If you really want to help, dial in additional factors (RSA's little dongle is an example.)
You really want to do this in the context of risk management: how much you want to spend depends on the probability and cost of any loss.
-- Butlerian Jihad NOW!