Whole Disk Encryption For Vista?
Q7U writes "After reading about several laptop thefts and losses, my boss wants me to set up whole disk encryption for her Vista travel laptop. After doing some research, it seems she has three options: Bitlocker (part of Vista Ultimate), PGP Whole Disk Encryption, and TrueCrypt. My main problem now is choosing one. I can't find any comparative reviews of these products to determine which will be the best choice, so I was hoping the Slashdot crowd could suggest which product they would go with and tell us what they liked about their choice."
You could always, you know, type it into Google.
Which assumes she has access to an adequately fast connection. 14.4k dial-up + multi-meg files = not getting anything done.
upon the advice of my lawyer, i have no sig at this time
I recommend TrueCrypt for the average home user, but Bitlocker's AD integration makes it a no-brainer for a Windows network. If you don't have a TPM laptop, then you can use a thumb drive. The Bitlocker certificate is just a text file on the thumb drive. Just keep the thumb drive and the laptop away from each other when not booting; losing both together doesn't offer any protection.
Many options are available in addition to the 3 you've mentioned. The "best" choice depends on many factors, such as scalability, cost, and risk. TrueCrypt is free, but really isn't ready for enterprise use. As someone mentioned already, hardware-based FDE (like Seagate's Momentus drive) may very well be the most secure, but requires additional hardware acquisition and a time investment. BitLocker is an option, but requires upgrading to Enterprise or Ultimate (which can be done in-place, without a significant time investment, if I'm not mistaken).
Many other software-based products are out there, such as (off the top of my head) PGP WDE, Secude, WinMagic/SecureDoc, etc. The best option for your boss and your organization depends on multiple factors, factors that Slashdot readers are not privy to.
Just truecrypt the saved data.
Because there are too many "gotchas" to not do FDE these days. Did you configure all your applications to only cache/auto-save/etc to the "secure" area of the drive? Did that last update to application Y override those changes? What about hibernation mode? The pagefile?
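The "gotchas" in the post above (pagefile, hibernation file, application caches) can be checked rather than guessed at. The following is an added example, not code from the thread or from any of the products named in it: it reads where Windows keeps the pagefile, the hibernation file and the user's temp directory, then asks BitLocker's own WMI class whether the volumes holding them are protected. It assumes only built-in registry keys and the Win32_EncryptableVolume class (present since Vista) and must be run from an elevated PowerShell prompt on the laptop.

```powershell
# Added example, not code from the thread: find the volumes that hold the
# pagefile, hibernation file and temp directory, then report whether each is
# BitLocker-protected. Uses only built-in registry keys and the
# Win32_EncryptableVolume WMI class. Run elevated on the laptop itself.

# Pagefile paths live in a REG_MULTI_SZ; each entry looks like
# "C:\pagefile.sys 0 0", and "?:\pagefile.sys" means "on the system drive".
$mm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$pagefiles = @($mm.PagingFiles) | Where-Object { $_ } | ForEach-Object {
    $path = ($_ -split ' ')[0]
    if ($path.StartsWith('?:')) { $path = $env:SystemDrive + $path.Substring(2) }
    $path
}

# The hibernation file is always <SystemDrive>\hiberfil.sys when hibernation
# is enabled; it holds a copy of RAM, including whatever documents were open.
$hiberfile = Join-Path $env:SystemDrive 'hiberfil.sys'

# Locations the user never chose, keyed by a label, mapped to a drive letter.
$sensitive = @{}
foreach ($p in $pagefiles) { $sensitive["pagefile  $p"] = $p.Substring(0, 2) }
if (Test-Path $hiberfile)   { $sensitive["hiberfil  $hiberfile"] = $env:SystemDrive }
$sensitive["TEMP      $env:TEMP"] = $env:TEMP.Substring(0, 2)

# ProtectionStatus: 0 = unprotected, 1 = protected, 2 = unknown.
$volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume

foreach ($label in ($sensitive.Keys | Sort-Object)) {
    $drive = $sensitive[$label].ToUpper()
    $vol   = $volumes | Where-Object { $_.DriveLetter -eq $drive }
    $state = if (-not $vol)                       { 'NOT ENCRYPTABLE' }
             elseif ($vol.ProtectionStatus -eq 1) { 'protected' }
             else                                 { 'EXPOSED' }
    '{0,-16} {1}' -f $state, $label
}
```

Any line that reads EXPOSED is data leaving the "secure" area without the user ever saving it there, which is the case the post is making for encrypting the whole disk instead of a container. Browser caches and per-application autosave directories would be added to the $sensitive table the same way.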
When evaluating these products it's very important to remember that while one of your laptops MIGHT get stolen, MANY of your users WILL forget the password for their laptop and WILL get locked out. So key recovery is BY FAR the most important feature of these products. This really can't be stressed enough.
Which is why I'll tentatively recommend Bitlocker, since it's got the best data recovery capabilities (keys are automatically backed up to the AD server, etc.).
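The two points made above, a thumb-drive startup key as the second factor and automatic backup of the recovery key to Active Directory, map onto specific BitLocker protectors. The following is an added example, not code from the thread or from Microsoft: it adds a numerical recovery password, pushes it to the computer object in AD, adds the pre-boot protector that fits the hardware, and then turns encryption on. It uses manage-bde.exe syntax (Windows 7 and later; Vista shipped the same functionality as the script manage-bde.wsf run via cscript, with slightly different options), and assumes the OS volume is C:, the thumb drive is E:, the TPM (if present) is already initialised, and Group Policy already permits storing recovery information in AD DS, plus "Allow BitLocker without a compatible TPM" when -NoTpm is used.

```powershell
# Added example, not from the thread: enable BitLocker on the OS volume with
# (a) a recovery password backed up to AD and (b) a startup key on a thumb
# drive, with or without a TPM. manage-bde.exe syntax (Windows 7+); run
# from an elevated prompt. Assumed drive letters and policy are described
# in the lead-in text.
param(
    [string]$OsVolume = 'C:',   # assumed: the Windows system volume
    [string]$KeyDrive = 'E:',   # assumed: removable drive for the startup key
    [switch]$NoTpm              # laptop has no TPM: startup key only
)

# 1. Recovery password first. This is the protector the helpdesk uses when
#    the user forgets everything else, so it is created before anything can
#    lock the volume.
manage-bde -protectors -add $OsVolume -RecoveryPassword | Out-Null

# 2. Read back the ID of each numerical-password protector and back it up to
#    the computer object in AD before encryption starts. If the GPO that
#    allows AD backup is missing, -adbackup fails here rather than silently
#    leaving the key only on the laptop.
$out = manage-bde -protectors -get $OsVolume -Type RecoveryPassword
$ids = [regex]::Matches(($out -join "`n"), 'ID:\s*(\{[0-9A-Fa-f-]{36}\})') |
       ForEach-Object { $_.Groups[1].Value }
foreach ($id in $ids) {
    manage-bde -protectors -adbackup $OsVolume -id $id
}

# 3. Pre-boot protector. TPM + startup key when a TPM exists; startup key
#    alone when it does not. TPM-only unlock would hand the decrypted disk
#    to whoever powers the machine on, which is why the thumb drive is the
#    second factor and must travel separately from the laptop.
if ($NoTpm) {
    manage-bde -protectors -add $OsVolume -StartupKey "$KeyDrive\"
} else {
    manage-bde -protectors -add $OsVolume -TPMAndStartupKey "$KeyDrive\"
}

# 4. Start encryption and show what protectors and status resulted.
manage-bde -on $OsVolume
manage-bde -protectors -get $OsVolume
manage-bde -status $OsVolume
```

BitLocker runs a hardware test on the next reboot before encrypting, so step 4 ends with a restart with the thumb drive inserted; the 48-digit recovery password printed by step 2 should be confirmed as visible on the computer object in AD (the msFVE-RecoveryInformation child object) before the laptop travels.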
Now if we can just figure out how to prevent them from keeping the password written on a sticky note.
This is exactly why we need two-factor authentication for the encryption to be secure. If the password is too complex/long, it will be written down. If it's too easy/short, the password can be brute forced.
And they WILL write the password down.
Asking people to memorize a random 10 character password is pretty much futile. You make brute force attack harder, sure, but you just made social engineering attacks trivial. What is better, a user whose password is jesussaves1 or the user whose password is Dj7lasJ82k, but has it written on a piece of paper in his desk drawer? One requires a lucky guess or a detectable brute force attack, while the other just requires a janitor to open the desk drawer and copy the password.
People in security get too obsessed over the unlikely attacks (brute forcing or guessing a 6 letters + character and capital password) and utterly ignore it when they make social attacks trivial (minimum wage janitor paid to open the desk drawer and copy the password and name of the person who owns the office).
Ask your users to do something stupid and inconvenient, and they are going to respond by doing something stupid and convenient.
Nope. Whether the solution is software or hardware is absolutely irrelevant to the security of the cryptographic routines. Plus, the fact is that virtually all hardware products are proprietary and lack the peer review that open standards or open source software enjoy. Just ask any decent cryptographer whether she would trust a black box (storage device with built-in encryption, proprietary "secure" protocol, etc.), or peer-reviewed, open, standard solutions (TLS/SSL, IPsec, TrueCrypt, etc.). BTW I look forward to the IEEE P1619 project coming up with a final standard.
Just look up the numerous stories about USB keys with built-in encryption that have been cracked for example.
Wow, it amazes me that people are so quick to be dicks to each other. What the fuck is wrong with the world? Couldn't you have said the same thing but without the venom? Oh yeah, fuck you.