Slashdot Mirror
Whole Disk Encryption For Vista?
Q7U writes "After reading about several laptop thefts and losses, my boss wants me to set up whole disk encryption for her Vista travel laptop. After doing some research, it seems she has three options: Bitlocker (part of Vista Ultimate), PGP Whole Disk Encryption, and TrueCrypt. My main problem now is choosing one. I can't find any comparitive reviews of these products to determine which will be the best choice, so I was hoping the Slashdot crowd could suggest which product they would go with and tell us what they liked about their choice."
You could always, you know, type it into Google.
There's a fourth option: SafeBoot. I recently got the basic Administrator training for the product, and it is very nice. Integrates well with enterprise directory services like AD and LDAP, for central deployment of configs, uses decent well-documented standard crypto algorithms and key exchange protocols, and is very transparent in use. All that you see of the encryption is a password entry on boot, everything else is completely transparent.
Mart
"I know I will be modded down for this": where's the option '-1, Asking for it'?
Hardware based encryption - have IT put in an FDE Drive. While software based encryption options are good, and most certainly better than nothing, the only really secure way to go is Hardware based.
Prediction: The real iPhone killer is going to be sex robots from Japan. Think about it.
Didn't you hear? They found the laptop in the same locked room where they thought it was missing from. So there's really nothing to worry about.
then Bitlocker will work fine. Otherwise you won't have it.
In fact, on a active directory, you can configure bitlocker for your entire network to automatically encrypt volumes and backup the TPM recovery information to the Active Directory if you so desire - http://technet.microsoft.com/en-us/library/cc766015.aspx
Other than that, TrueCrypt works just as well for standalone machines.
throw new NoSignatureException();
Hibernation would leave stuff that is in memory open to inspection.
They offer total 256bit AES disk encryption with DriveCrypt Plus Pack. It requires pre-boot authetication before you can do anything. It also comes with stronger container encryption, like 1344bit triple blowfish.
... do nothing and wait till your boss forgets about it or decides it doesn't need doing.
I've been happy with Truecrypt. It is easy to use and the performance impact seems to be not that bad. I just make sure to never use sleep mode or anything like that. Just power off and on anytime I use it. I also setup my windows login to automatically log me in. I got tired of typing in one password and waiting for the next password. I figure if someone is good enough to break my truecrypt password then my windows password wouldn't stand a chance, especially if they had decrypted the data.
:wq
Which assumes she has access to an adequately fast connection. 14.4k dial up + multi-meg files = not getting anything done.
upon the advice of my lawyer, i have no sig at this time
If the Laptop has a TPM chip (many Lenovo Systems do and some Dell's I beleive) Go with something that takes advantage of that hardware. Bitlocker and PGP support it. I'm not too sure about Truecrypt.
Also, if the Hard drive and laptop supports setting a password (Almost all modern drives do. Most laptops do as well) Set a password. Especially if the Drive itself supports native encryption. This adds an extra layer of protection over software Data encryption. Also keep in mind that Native Hard drive encryption is OS agnostic and is usually faster and better overall than many software encryption packages.
Although keep in mind that every protection layer adds more complexity and reduces speed. This is especially true when it comes to data recovery. Make sure your boss understands that if something happens to the laptop, especially Hard Drive damage, The Data on the drive should be considered unsalvagable. Keeping a backup in a secure location (Say a Safe in the Main office also encrypted) is a very good idea.
In Soviet Russia, Trojan exploits YOU!
Many options are available in addition to the 3 you've mentioned. The "best" choice depends on many factors, such as scalability, cost, and risk. TrueCrypt is free, but really isn't ready for enterprise use. As someone mentioned already, hardware-based FDE (like Seagate's Momentus drive) may very well be the most secure, but requires additional hardware acquisition and a time investment. BitLocker is an option, but requires upgrading to Enterprise or Ultimate (which can be done in-place, without a significant time investment, if I'm not mistaken).
Many other software-based products are out there, such as (off the top of my head) PGP WDE, Secude, WinMagic/SecureDoc, etc. The best option for your boss and your organization depends on multiple factors, factors that Slashdot readers are not privy to.
In the last decade? Try in the last week. I regularly deal with people with that kind of connection (often CDPD with a high-gain antenna). Far north conservation officers, for example.
upon the advice of my lawyer, i have no sig at this time
Does she even fly at all?
Customs, at least, has been known to demand the keys to a laptop, and having it obviously encrypted could delay travel significantly.
Also, there are significant problems with at least some FDE products, currently -- the "cold boot" cracks, in particular. Does she shut her laptop down every time, or only leave it on standby? Does the software actually purge the key from RAM on shutdown?
Other than that, well, do your own damned homework.
I'd suggest BitLocker, mostly because it's built-in -- kind of like, "What would you suggest for unzipping files in Windows XP?" Well, probably the "Compressed Folder" feature, right?
Under other circumstances, I'd recommend Truecrypt or dm_crypt, because you really should be using open source software for anything sensitive -- but you specifically asked for Vista, so that's fairly moot.
But I haven't done my homework.
Don't thank God, thank a doctor!
I use all three, PGP Whole Disk Encryption on one machine, TrueCrypt on another, and one server has a TPM, so it, and its RAID arrays are BitLocker protected.
Each addresses slightly different security concerns. If you want to encrypt your disk with a password, and that's all you need, any of these will do the trick. If you want a hardware cryptographic token, so a thief can't obtain your encryption key by brute force, go with PGP Whole Disk Encryption, or BitLocker that supports a TPM with PIN functionality.
BitLocker is probably the easiest to implement, as you just install it, run software to check and partition the root disk. Then, save the recovery key on a USB flash drive (well away from the laptop). You can also save the recovery key on a TrueCrypt volume too. Once Bitlocker is enabled, the security of the machine will be the user passwords (especially any user with Administrator rights.) Make sure you have a decently long (16 characters, preferably more than 20) password to log on with. If you use BitLocker with a PIN and the TPM, you can get away with shorter user passwords if you hibernate or shut down.
Disadvantage of BitLocker -- Requires a TPM for decently secure functionality. TPM enabled laptops are rare, and desktops are rarer still, unless you explicitly buy a motherboard with one, or a "corporate" desktop.
TrueCrypt is a very good solution. It is licensed at no charge (donations are recommended), and is very secure. However, its intended for a single user machine. Using multiple passwords with it is kludgy at best. However for a single user, its very secure once enabled, and you burn a TC recovery CD.
PGP Whole Disk Encryption is the most versatile. It can use a TPM, USB flash drive, smart card, eToken, or none of the above, and use multiple ones in a list to authenticate for a hard disk to work. For example, my laptop has an eToken for hardware security, but as an emergency, I have a very long recovery passphrase if the eToken gets lost or someone locks it by too many guesses. Another example is a friend of mine who has a TPM on his laptop, but if that fails for some reason, he has two eToken keys as backup. PGP Whole Disk has a very good reputation, and is by far best solution for a business IT environment.
You can't go wrong with any of the three listed.
Just truecrypt the saved data.
Because there are too many "gotchas" to not do FDE these days. Did you configure all your applications to only cache/auto-save/etc to the "secure" area of the drive? Did that last update to application Y override those changes? What about hibernation mode? The pagefile?
I have useful experience with three products.
SecureDoc from WinMagic is the software solution we use at my big TLA. As administration headaches go, this one isn't so bad. The recovery processes are workable but not (that I can see) hackable by any thief. The way we have it set up, users get 15 shots at screwing up their machine before IT has to get involved, thus allowing most bozos to eventually get it right while not giving infinite opportunites to thieves. It's administrable over the network (in some ways) and, thus, suitable for big organizations.
At home, I still have one Windows machine and it's secured with PGP. I've never used it in a big networked environment so I can't comment on how easy it is to administer. It has one feature that I think is neat, though. You can hit TAB before typing in your passphrase and it will be displayed in clear text. (Normally your pass isn't echoed on screen.) Scoff if you will but on those bad days when I've had little sleep and am, perhaps, a bit hung over, my 59-character passphrase can sometimes be just one hurdle too far. Seeing the text on-screen can be a big help for those times when my head just isn't in the game.
Finally, hardware encryption is better. When my Windows machine was my primary (I now am almost entirely migrated to an Ubuntu installation that I installed from the alternate CD, enabling full disk encryption from the beginning) computer, I relied happily on Flagstone drives. I still have one of their USB Freedom drives for backups. The login schtick is more severe; you get few chances and your data goes bye-bye if you screw up. However, I like the fact that they are a real product, not vaporware like some of the encrypted drives from major manufacturers. You can call them up, give them a credit card number, and actually get the hardware. If you talk to the home office in England, you'll converse with smart, helpful, courteous people. All in all, they're a joy to deal with. Downsides? Prices are high and capacities low, but that's part of the deal when it comes to certified hardware such as they sell. Truly irritating downsides? The documentation, unless they've revised it recently, is not all that it should be. Still, I don't hesitate to recommend them.
Riiiiiiiiight. Because your solution works really well on airplanes, client-sites w/o internet access, or anywhere else where network access may not be available.
Good job on coming up with novel solutions to difficult problems. Are you in middle-management by chance?
At least WinVista and WinXP users have several full disk encryption options, including the opensource TrueCrypt.
But Mac users are out of luck, since no opensource full disk encryption exists for the MacOSX. Neither TrueCrypt or Apple's FileVault support full disk encryption on MacOSX. The only option is the closed source Check Point Full Disk Encryption product.
But if it is not opensource, then I personally would not trust it not to have back doors, especially since multinational corporations left-right-and-center have been falling all over themselves to help the US and other governments spy on the general population.
When evaluating these products it's very important to remember that while one of your laptops MIGHT get stolen, MANY of your users WILL forget the password for their laptop and WILL get locked out. So key recovery is BY FAR the most important feature of these products. This really can't be stressed enough.
Which is why I'll tentatively recommend Bitlocker, since it's got the best data recovery capabilities (keys are automatically backed up to the AD server, etc.).
Now if we can just figure out how to prevent them from keeping the password written on a sticky note.
This is exactly why we need two-factor authentication for the encryption to be secure. If the password is too complex/long, it will be written down. If it's too easy/short, the password can be brute forced.
And they WILL write the password down.
http://it.slashdot.org/article.pl?sid=08/07/30/204241&from=rss Just reading that would make me gravitate towards PGP or TrueCrypt.
Fear the penguin.
Asking people to memorize a random 10 character password is pretty much futile. You make brute force attack harder, sure, but you just made social engineering attacks trivial. What is better, a user whose password is jesussaves1 or the user whose password is Dj7lasJ82k, but has it written on a piece of paper in his desk drawer? One requires a lucky guess or a detectable brute force attack, while the other just requires a janitor to open the desk drawer and copy the password.
People in security get to obsessed over the unlikely attacks (brute forcing or guessing a 6 letters + character and capital password) and utterly ignore it when they make social attacks trivial (minimum wage janitor paid to open the desk drawer and copy the password and name of the person who owns the office).
Ask your users to do something stupid and inconvenient, and they are going to respond by doing something stupid and convenient.
Potassium Hydroxide?! The goal is to encrypt the disk, not destroy it!
...the future crusty old bastards are already drinking the Kool-Aid.
Actually the password generator I wrote makes 'speakable' password. These tend to be much easier to remember. so instead of 7yg$rt0 you get something like qB3r7! (ie qbert! short for the sake of the conversation).
We do allow them to set their own password if the really throw a fit, but it has to conform to our password policy (min 8 characters mixed). We figure that is enough security for us.
We did a testing rollout with our IT department first and then picked our worst users for a second test. Once we were sure they had no issues, we rolled out to everyone. If truecrypt supported usb key + password authentication for full disk encryption we would probably implement that on our 'high risk' systems.
Most of our systems are not high risk, they contain no 'dangerous' information such as student information. We decided to encrypt everything simply to get all of our users used to the idea of full disk and usb stick (all usb sticks are also to use truecrypt) encryption. We want to engrain this into the culture so that when someone does have a job where sensitive data might be transported on a notebook (say our CFO) they are already used to the idea.
I had the opportunity to deploy Pointsec on the site I was managing. It went really good, with only minor issues with 2 laptops (out of 20+ computers). They were resolved quite easily and without any loss of data. And BTW I never had any issues with their VPN client either :-) .
Wow, it amazes me that people are so quick to be dicks to each other. What the fuck is wrong with the world? Couldn't you have said the same thing but without the venom? Oh yeah, fuck you.
There really are folks stuck on connections that slow or even slower.
Conventional GSM dialup for example is only 9.6kbps. Sure there is HSCSD and GRPS but I don't think they are universally supported.
and I don't think I've ever seen a 56K dialup connection. In my experiance called 56K modems connect at fourty something at best and on crappy lines much much slower.
And of course there are people stuck with no connection (or no affordable connection) at all.
note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
Vista Bitlocker is good, but has some issues, as it uses Windows authentication, and not pre-boot. Its two-factor system is kinda weak. If you're a small business worried primarily about casual theft, it's a good solution.
TrueCrypt has pre-boot authentication, which is much more secure. But its encryption implementation is not necessarily FIPS certified, and to my knowledge the system doesn't have common criteria certification. For a business user, the ability to recover a key/password is minimal... so use with caution.
PGP/SafeBoot/Pointsec/WinMagic are all commercial FDE applications that work well, but have specific features that matter moer to some people. PGP is nice because its universal server can provide other services like email encryption as well. SafeBoot has robust management, particularly if you are a McAffee AV customer. Pointsec was the only solution that allowed you to force pre-boot authentication after hibernating the PC. They also have a (very expensive) small business option that doesn't require a server. WinMagic has excellent smart-card integration, and integrates well with PKI solutions.
Conformity is the jailer of freedom and enemy of growth. -JFK
The problem is that many programs store temporary working copies on the local disk no matter where you store the main file (Microsoft Office, I'm looking at you...).
If you have data worth stealing, full disk + swapfile encryption is the only way to go.
Blessed are the pessimists, for they have made backups.
Thats very depressing my friend, very depressing. How could it possibly make more sense to work around the limitations of 14.4k than to use a sat link?
Satellite doesn't work too well when you're got a hill or a forest blocking the view.
upon the advice of my lawyer, i have no sig at this time
There are small towns all over the US for which there is nothing but dialup available, sir. Hell, there are small towns where cable TV isn't even available. I realize this may be news to you, but not everybody lives in urban or suburban areas.
My uncle is director of Public Health for a county in Illinois. The *only reason* which the BFE Small Town near where he lives has even partial DSL access is that his status as a Homeland Security First-Responder was enough to get Verizon off its ass and build a LEC just for him (he is legally required to have "fast" internet service at his home, and telcos are obliged to provide it, apparently).
The hilarious outcome of this is that there is a tiny (outhouse-size) brick building with a Verizon sign right off the edge of his property, surrounded on all sides by a corn field. My uncle has 3Mbit DSL service and the folks who live just on the edge of the closest town (population 1200) can get 384k or whatever it is. Everyone else there is screwed.
-- I wanna decide who lives and who dies - Crow T. Robot, MST3K
Thanks for the info. I'm more than old enough, but I was primarily a Mac user at the time when that virus came out, it turns out. Interestingly, the link you gave describes it as KOH, not KoH, and even calls it "the potassium hydroxide program"!
...the future crusty old bastards are already drinking the Kool-Aid.