Slashdot Mirror

← Back to Stories (view on slashdot.org)

Whole Disk Encryption For Vista?

Posted by timothy on from the just-wait-for-it dept.

Q7U writes "After reading about several laptop thefts and losses, my boss wants me to set up whole disk encryption for her Vista travel laptop. After doing some research, it seems she has three options: Bitlocker (part of Vista Ultimate), PGP Whole Disk Encryption, and TrueCrypt. My main problem now is choosing one. I can't find any comparitive reviews of these products to determine which will be the best choice, so I was hoping the Slashdot crowd could suggest which product they would go with and tell us what they liked about their choice."

14 of 125 comments (clear)

  1. No Comparisons? by toleraen · · Score: 5, Insightful

    You could always, you know, type it into Google.

    1. Re:No Comparisons? by aztektum · · Score: 5, Funny

      The first hit from your link is this /. story, upon which the first comment is yours. I just spent the last hour going in circles!

      --
      :: aztek ::
      No sig for you!!
  2. Fourth option by mvdwege · · Score: 4, Informative

    There's a fourth option: SafeBoot. I recently got the basic Administrator training for the product, and it is very nice. Integrates well with enterprise directory services like AD and LDAP, for central deployment of configs, uses decent well-documented standard crypto algorithms and key exchange protocols, and is very transparent in use. All that you see of the encryption is a password entry on boot, everything else is completely transparent.

    Mart

    --
    "I know I will be modded down for this": where's the option '-1, Asking for it'?
    1. Re:Fourth option by Nos. · · Score: 5, Informative

      We went with Safeboot also, but given the submitter's description, I wouldn't recommend it. Safeboot is nice for an enterprise type rollout, not for one laptop. You really don't want to support the backend infrastructure for one machine.

      Go with TrueCrypt or BitLocker for a one-off.

  3. Only one really secure option by Gat0r30y · · Score: 4, Interesting

    Hardware based encryption - have IT put in an FDE Drive. While software based encryption options are good, and most certainly better than nothing, the only really secure way to go is Hardware based.

    --
    Prediction: The real iPhone killer is going to be sex robots from Japan. Think about it.
    1. Re:Only one really secure option by croddy · · Score: 4, Informative

      Except sometimes, the box says AES and instead you get XOR. I'll take LUKS and dm-crypt over that any day of the week.

  4. didn't you hear? by Anonymous Coward · · Score: 5, Funny

    Didn't you hear? They found the laptop in the same locked room where they thought it was missing from. So there's really nothing to worry about.

  5. If it's business, enterprise or ultimate by Toreo+asesino · · Score: 4, Informative

    then Bitlocker will work fine. Otherwise you won't have it.

    In fact, on a active directory, you can configure bitlocker for your entire network to automatically encrypt volumes and backup the TPM recovery information to the Active Directory if you so desire - http://technet.microsoft.com/en-us/library/cc766015.aspx

    Other than that, TrueCrypt works just as well for standalone machines.

    --
    throw new NoSignatureException();
  6. Re:Why whole disk? by dlcarrol · · Score: 4, Informative

    Hibernation would leave stuff that is in memory open to inspection.

  7. Option Four... the Dilbert option.. by Channard · · Score: 4, Funny

    ... do nothing and wait till your boss forgets about it or decides it doesn't need doing.

  8. I use all three -- choose on security needs by mlts · · Score: 4, Informative

    I use all three, PGP Whole Disk Encryption on one machine, TrueCrypt on another, and one server has a TPM, so it, and its RAID arrays are BitLocker protected.

    Each addresses slightly different security concerns. If you want to encrypt your disk with a password, and that's all you need, any of these will do the trick. If you want a hardware cryptographic token, so a thief can't obtain your encryption key by brute force, go with PGP Whole Disk Encryption, or BitLocker that supports a TPM with PIN functionality.

    BitLocker is probably the easiest to implement, as you just install it, run software to check and partition the root disk. Then, save the recovery key on a USB flash drive (well away from the laptop). You can also save the recovery key on a TrueCrypt volume too. Once Bitlocker is enabled, the security of the machine will be the user passwords (especially any user with Administrator rights.) Make sure you have a decently long (16 characters, preferably more than 20) password to log on with. If you use BitLocker with a PIN and the TPM, you can get away with shorter user passwords if you hibernate or shut down.

    Disadvantage of BitLocker -- Requires a TPM for decently secure functionality. TPM enabled laptops are rare, and desktops are rarer still, unless you explicitly buy a motherboard with one, or a "corporate" desktop.

    TrueCrypt is a very good solution. It is licensed at no charge (donations are recommended), and is very secure. However, its intended for a single user machine. Using multiple passwords with it is kludgy at best. However for a single user, its very secure once enabled, and you burn a TC recovery CD.

    PGP Whole Disk Encryption is the most versatile. It can use a TPM, USB flash drive, smart card, eToken, or none of the above, and use multiple ones in a list to authenticate for a hard disk to work. For example, my laptop has an eToken for hardware security, but as an emergency, I have a very long recovery passphrase if the eToken gets lost or someone locks it by too many guesses. Another example is a friend of mine who has a TPM on his laptop, but if that fails for some reason, he has two eToken keys as backup. PGP Whole Disk has a very good reputation, and is by far best solution for a business IT environment.

    You can't go wrong with any of the three listed.

  9. Re:Why whole disk? by Nos. · · Score: 5, Insightful

    Just truecrypt the saved data.

    Because there are too many "gotchas" to not do FDE these days. Did you configure all your applications to only cache/auto-save/etc to the "secure" area of the drive? Did that last update to application Y override those changes? What about hibernation mode? The pagefile?

  10. Re:Why whole disk? by apparently · · Score: 4, Informative
    Or, you know tell her that she should not be storing ANY data on her computer. ALL data is to be saved to the network shares for backup control and security. If she needs to access something on the road, use VPN.

    Riiiiiiiiight. Because your solution works really well on airplanes, client-sites w/o internet access, or anywhere else where network access may not be available.

    Good job on coming up with novel solutions to difficult problems. Are you in middle-management by chance?

  11. Data Recovery is most important!!! by rtechie · · Score: 4, Insightful

    When evaluating these products it's very important to remember that while one of your laptops MIGHT get stolen, MANY of your users WILL forget the password for their laptop and WILL get locked out. So key recovery is BY FAR the most important feature of these products. This really can't be stressed enough.

    Which is why I'll tentatively recommend Bitlocker, since it's got the best data recovery capabilities (keys are automatically backed up to the AD server, etc.).