How To, When You Have To Encrypt Absolutely Everything?
Dark Neuron writes "My institution has thousands of computers, and is looking at starting an IT policy to encrypt everything, all hard drives, including desktops, laptops, external hard drives, USB flash drives, etc. I am looking at an open source product for Windows, Mac, UNIX, as well as portable hard drives, but I am concerned about overhead and speed penalties. Does anyone have experience and/or advice with encrypting every single device in a similar situation?"
I am looking at an open source product for Windows, Mac, UNIX, as well as portable hard drives ...
I think you're going to find most people advising you to choose TrueCrypt which boasts:
I think they're on version 6.1a and I have been impressed with them. You may want to try benchmarking the various encryption algorithms it offers.
... but i am concerned about overhead and speed penalties.
Aren't we all. I mean, no one wants an Office Space like scenario where every day before you leave you have to wait for the damn little bar to cross the screen to save your progress for the day. You have another option which is to wait until the drive manufacturers build all that into the hardware's firmware so that it is as fast as they can make it.
... I also would feel very uneasy if someone assured me they had a method to do that. Drive encryption is one of those seemingly trivial but necessary reasons why companies have many system administrators and not some automagical solution.
I wouldn't recommend waiting that long, however.
Here's my formal suggestion: do a small test on a few users or even a few devices no one depends on, some USB drives, etc. Use them yourself and see what kind of overhead (for both user and device) we're talking about here. Then weigh that with how much comfort you get with universally encrypting everything. If A is greater than B (with a sinister sounding name like 'Dark Neuron' who knows?), draft up a plan. Otherwise, just wait until you have the funds to upgrade the hard drives to those with the built in encryption.
I do not know for certain, but I do not believe there is a painless push-across-the-network way to do this.
TrueCrypt seems to be the best option.
Let me explain to you how this works. In pictures:
http://xkcd.com/538/
SAIC used encryption on all of their Windows laptops. There was a huge speed penalty in startup time and starting applications.
MUST... HIDE... PORN...
Don't do it.
A subtle balance between encrypting most essentials and leaving non-essentials unencrypted. For example, you may want to only encrypt parts of your hard disk as encrypting the whole disk will impact performance.
Also, watch how external USB keys are encrypted. If you deal with clients and offer loaner machines, their USB drives could become encrypted and useless when they return to their own office.
I'm all for encrypting, however hopefully the higher ups also consider the potential performance hits and liability issues.
Maybe it's just the corporate environment that I'm in, and please, I would love to be wrong. But from what I can tell, a good number of open source products just don't scale up to the enterprise level.
There aren't any tools that manage them centrally and allow for compliance and auditing.
"Security" that gets in people's way is a security threat, because people will find a way to work around it, and be worse off because of it. Never try to lock down everything, or you'll have no control over what is compromised. Figure out what you really need to secure, and lock that down. Really. Trying to secure everything is a sure sign that someone lacks the knowledge to make security decisions.
Encryption is easy. Password distribution and protection is hard.
Have you worked out a complete plan for key management for all these encrypted devices?
Open source? Nope. But Pointsec is an impressive product. I've been using it for years and have noticed zero performance impact.
It's cross-platform. But it does not support whole disk encryption for Linux or Mac.
unless of course your requirements call for it. But your systems will run very slowly if every time they boot they have to go through the decrypt process. You should only need to encrypt your users' data. Hopefully, system data and user data are, at least, in different folders of the filesystem.
At least the decryptor could not be encrypted.
What's your key management strategy?
You want TrueCrypt.
It's probably better than a hardware solution. They keep screwing up and snake-oiling the hardware ones, but you can audit TrueCrypt (and people have), and pre-boot authenticated system drive encryption is pretty much what you want.
As for speed... I don't know what you're worried about. AES-256-XTS (best-in-breed, the new standard, which TrueCrypt pioneered and uses) runs at over 150MB/sec in benchmark, and that's on one core. Your hard disk very probably doesn't run that fast.
All our machines are encrypted using similar means, and we've never experienced any problems with performance.
PGP's Whole Disk Encryption isn't as good - that kept stalling in kernel mode under XP, causing hiccups on lots of disk accesses; and eventually the driver bluescreened on every boot and there was absolutely no way we could get it back, which lost us terabytes of data... but TrueCrypt has caused us no such problems, and costs nothing. (If it worked with the leftover eTokens from our earlier PGP deployment, it'd be perfect.)
TrueCrypt does not support Pre-boot full disk encryption on the Mac. Only product I know of that does that right now is PGP Whole disk (latest version).
I see a lot of comments here suggesting that this is a bad idea, and to a certain extent it is, but chances are the institution has no say in this. After the wave of laptop thefts from government institutions, the office of inspector general requires all laptops (and portable media) be encrypted. A lot of agencies have stalled on this one. I've been involved in supporting laptops that are encrypted and go out to remote field cables (as remote as it gets). It's a pain, but if you have to do it, TrueCrypt is not the way to go. You need something that ties into AD and something that can manage thousands of users. PGP Desktop.
I see this all the time and it always makes me cringe.
If you treat all data the same, it is impossible to convince users to treat any data differently from any other, and they will all default to "Sloppy", and you won't care because you'll be certain that the encryption is going to save your ass.
It is a much much better idea to have a very distinct line between secure and insecure, so that people have that distinction hammered into their heads every time they touch secure data. Otherwise, someone is going to get sloppy with their private key, and you're going to get exploited and never see it coming.
I was screaming PGP until I got to the open source part. Removing funding from the equation, TrueCrypt is the only thing that will really do what you're asking for. It's not bad and I like it, but it's not PGP. And if you have been using something since the BBS days, you're really not likely to change now, so I am biased towards it. But from my limited (3 month) run with TrueCrypt I had no problems and it was very stable, and little to no real performance difference from PGP's.
Full Disk Encryption and of course encrypting our USB keys, backup DVDs, etc. Central key management, recovery, pretty well thought out.
I dunno if the 'free' version does all this. It's not as clever as TrueCrypt, but it works.
That comic has been making the rounds. It's cute, but not applicable.
If the submitter is in an organization with thousands of machines, the notion that any user will be required to keep their password confidential in the face of torture is laughable. That's for specially trained operatives, soldiers, and other assorted heroes. Those of us in the normal world will probably adopt a more rational perspective. If someone were crazy enough to steal one of our laptops, simultaneously snatch the user, and threaten them with torture, our folks know to give up all passwords, immediately. We're only required to keep data confidential where it is reasonable to do so. When floods sweep away your car, wave goodbye to your laptop in the trunk. When someone threatens you physically, tell 'em what they want to hear.
Our people are more important than our data. Our people are more important than the public's data. If we lose a chunk of data, we have ways to reconstruct what was lost and mitigate damage. If we lose an employee, there is no way to achieve a good outcome.
Reasonable?
Tell the suits you are implementing state-of-the-art ROT-26 encryption on everything. Take a month off. Come back, pronounce it complete, and ask for a raise.
With it you can encrypt what you need.
OK, delay and stall as much as possible while you get your resume shopped around and get a new job lined up.
Then quit.
This kind of silliness is (a)stupid, (b)pointless, and (c)doomed. Anyone who claims otherwise is wrong. (And no, I'm not opinionated at all! :-)
Fundamentally, this will fail because it's a blanket policy on dissimilar environments: All hardware is not equal, and all software is not equal. Portable gear should NOT be treated the same as fixed equipment. Sensitive customer data should NOT be treated the same as OS files. Throwing everything together under one usage policy comes from not understanding ANY of computers, data, or security.
Get out. Run while you can!
I would strongly suggest you don't encrypt everything. Users forget passwords all the time; right now, if they forget their workstation password, you can reset it. What if they forget the password for their work-related data? It's gone forever. If you do decide to go ahead with it, be VERY overt that people may lose their work/jobs if a password is forgotten.
I have a friend who works for a company that has an "encrypt everything" policy. He has a company laptop which is equipped with such encryption software. His wife has an identical laptop. Mr. X's laptop is a dog. Mrs. X's laptop is zippy.
Overhead and speed are the cost of the kind of encryption you're talking about. That's the price you're going to pay for doing what you're talking about. If you really want the encryption, learn to live with it. If you can't live with it, ditch the encrypt-everything policy and find a way to only encrypt what you have to.
But I encrypted it and lost the keys.
It was a perfect design and I am sad to have lost it.
Plase back everything up frist! Send it to us at editor@wikileaks.org and we'll store that data for you for free. We have mirror sites to protect the data; just send it before encrypting it.
See if you can find a new job before they start...
I see this directive a lot. It boils down to "We don't know where our sensitive data is, or don't trust our employees to keep it where it should be, so we're encrypting everything!".
Most of the time when I see this, it's because the person making the directive is responsible for security in some manner but has no experience with risk management and mitigation, so they go for the "all out, definitely safe!" shotgun solution. The problem is there's no such thing!
What risks are you actually attempting to mitigate through encrypting everything, and are you aware of the risks you are creating? These are questions the person who made the directive should be able to answer! For instance, if you are trying to mitigate the "PII/Lost Laptop" risk, why not implement drive encryption on laptops only, and buy USB sticks (such as Ironkey) which guarantee the encryption? If you're trying to stop a malicious insider, no amount of encryption will save you if they've been given the key.
Finally as others suggested, what's your key management and password management strategy? I -love- truecrypt but I wouldn't suggest it for a whole enterprise without being able to answer the question "How do I recover the key to this workstation when the employee dies unexpectedly of a heart attack?".
Best of luck in your endeavor but remember this rule: When it comes to implementing security, NEVER BE AFRAID TO ASK MORE QUESTIONS - especially about requirements.
Not so hard-pressed.
I've used these products for a long time. (There are others; look around.) I suggest you phase 'em in over the next three years, by which time you'll have replaced everything. After all, you already have a budget for replacing all hardware over the next few years, right? Beyond that, remote, enterprise-quality tools for managing this hardware can be *very* pricey add-ons, but if you build your work processes right, there may be little or no need for them.
That just leaves writing to CDs/DVDs. There are open-source packages such as TrueCrypt. If you're already running WinZip, it'll do the same for removable media, allowing your users to set a specific password for that write then sneakernet the disk wherever it needs to go. If you want to force all writes to optical media to be encrypted, you'll need to look at something like GuardianEdge Removable for a commercial app or something inventive if you must go open-source.
One last thought: If your data is so important, so valuable, or so legally regulated that you must encrypt *everything*, then you have the money to go open-source, commercial, or whatever works. I see no justification in the submitted question for limiting the choice to open-source software. If you *have* to do this, you *have* to do it right, no matter the cost. If your big guys say they can't afford the cost, then they don't *have* to do it.
I've been using Fedora since v8. Fedora 9 introduced the ability to encrypt the entire hard drive. I have at least three servers (Apache, Tomcat, and MySQL) running on my encrypted hard drive and the speed is incredible. Absolutely no issues with speed or problems with start-up or shut-down. Setup is as easy as checking a check box during the install. And logging in just requires a password during the Grub boot cycle to unlock the encrypted hard drive.
Description from Fedora: "Support the use of encrypted filesystems for anything other than /boot using cryptsetup and LUKS. This includes install time creation/configuration, as well as integrated support in mkinitrd and initscripts (others?). Currently we are only pursuing support for encrypted devices using cryptsetup/LUKS."
Further Reading:
http://magazine.redhat.com/2007/01/18/disk-encryption-in-fedora-past-present-and-future/
http://fedoraproject.org/wiki/Releases/FeatureEncryptedFilesystems
"My institution has thousands of computers, and is looking at starting an IT policy to encrypt everything, all hard drives, including desktops, laptops, external hard drives, USB flash drives, etc"
It may be too late for this, but... why? What problems is the policy intended to solve? Is there a less-intrusive way to accomplish the same goals? (For instance, centralizing data stores onto servers and making computing devices effectively thin clients.) Do the key-[loss|management|distribution|revocation] issues result in a better security model than you currently have? Is the threat of technical failure leading to denial of service a problem?
(For your org, these issues have presumably already been addressed. But others here considering something similar should be sure to ask those questions.)
I second the opinion of the first poster who recommended you wait, for several reasons.
First, most methods of encryption are a pain in the butt. If you want to encrypt only some data, then yes I would say Truecrypt. But then it has to be manually un-encrypted before use.
If you want to encrypt whole drives, your network, everything, and have it work transparently, you are in for a headache combined with a nightmare. Headache because getting it set up and working is a major project fraught with problems. Nightmare because you will lose whole drives worth of data when something goes wrong, unless you have a very serious, robust, and reliable backup scheme that you use often.
However, drive manufacturers will be coming out soon with new drives that incorporate DES encryption via hardware. This eliminates the delays and problems with software encryption, and will go a very long way toward making whole-network encryption a lot more practical.
...because everyone's going to end up writing their passwords on them and sticking them on the relevant hardware.
Step 2: Submit this to Scott Adams--he'll probably have fun with it.
Step 3: Investigate performance of various solutions. I hear good things about this ROT13...
The best encryption/security is most easily foiled by humans:
1. I've seen many username/passwords posted with sticky notes on folks' monitors. Admins are partially to blame by imposing well-intentioned but impractical password rules, resulting in the necessity of users to write that crap down or end up perpetually calling the already overextended IT help desk and being shut down for hours at a shot to figure out passwords.
2. I've seen combos to classified safes written in pencil behind the "Locked"/"Open" magnetic sticker (well, the digits were swapped, but c'mon!).
3. I've had numerous combos given to me for vaults and safes containing secret level materials that ALL followed a retardly simple pattern, making an 8 digit combo lock (4 two digit numbers) effectively a 2 digit one (XY-YX-XY-00). While convenient, it is stupid, and possibly illegal (not sure how the DOD feels about security folks intentionally dumbing down the security they mandate?).
4. I've had to have our uncleared maintenance dude break into the vault when our crap lock broke AGAIN. Acoustic ceiling tiles really should not be the last line of defense for secret files... We regularly had problems with the combo lock on that door as well, a modest shove would open it, on those occasions it actually latched.
5. I've had the security chick for a vault blow me off after I carefully explained how the combo lock on the vault was busted. It took two more attempts, and several days to get someone else to demand it get fixed (she and I had a mutual dislike, I wonder why...). If someone just entered the vault you could turn the knob and get in without the combo, the lock was not properly resetting.
6. I've seen vaults left with only the cheesy punch code combo lock securing things (nobody in the vault) for hours at a shot on weekends, while the dude responsible was off at an extended lunch. This was SOP. Prior jobs demanded vaults always either have a cleared and authorized individual for that vault inside, or that the real locks be spun. Even for bathroom breaks.
Good looking security with lax culture is worse than weak security with a vigilant user base.
TrueCrypt is fast. I have it on all my computers and backup devices that handle sensitive information, and there is zero slowdown visible to the user, even for IO-intensive operations. Steve Gibson from the "Security Now" podcast did his own benchmark where he created a drive image and timed how long it took to defrag the drive, then restored the bits from the image, encrypted with TC, then timed the defrag again. He then repeated the process three times because he didn't believe the results -- the encrypted filesystem ran FASTER. Take the anecdote for what it is, but the principle seems to hold true in my experience too. TrueCrypt is damn fast. It chews a few % of your CPU time when in use, but it doesn't slow things down.
OS X has built-in support for user home folder encryption. It doesn't support applications and other places outside the home folder automatically though. But unlike windows, 99.9% of user data is in their home folder.
The entire home folder is a giant sparse disk image and grows as needed. There is a performance hit but it's not a big one. The only complaint we see is sometimes when you logout it will say "your home folder is using more space than needed, do you want to compress now?" That process can take anywhere from a few minutes to an hour depending on how much you deleted that session. Most users can ignore that unless space on the hard drive is running low because they'll just reuse that space during the next session.
Performance is better than whole-disk encryption because the apps and OS are not encrypted.
For mobile drives (like my flash drive) I have an encrypted disk image on there for sensitive information. When plugged into my computer, the password is in my keychain and it unlocks automatically. When in another machine I have to supply the password. This is secure in case my drive is lost or stolen, but isn't too inconvenient and requires no special software or anything to install on any machine I plug it into. OS X has built-in support for creation and use of encrypted disk images.
The system also has you create a master password when making the first encrypted account, and that password can be used to change the user's password if they forget it, which should help your IT department. Normal accounts can be easily converted to encrypted (or back again) with a few button clicks so transition is painless.
You do realize that encrypting the OS files that came with the computer really doesn't buy you much, don't you? I would think you would want separate data and executable partitions, and only encrypt the data. (Of course, you could put proprietary executables in the data partition.)
Seagate sells drives that do that today. If you are concerned about theft, and your motherboard supports it, that would absolutely be my first recommendation.
If you are also concerned about back doors, or just don't trust that the drive manufacturers implemented their encryption correctly, then TrueCrypt is the best cross-platform software encryption method available. I wouldn't recommend using it for whole disk encryption though - it's just too slow. Use hardware for your first line of defense, and then use a TrueCrypt partition to store all the known sensitive files.
IronKey has good hardware encryption for USB flash drives. There are others that do as well, but be careful because there are a lot of crappy flash drives whose encryption is a complete joke. TrueCrypt is also a good choice for flash drives.
I haven't found an ideal solution for large external hard drives. AFAIK, sticking one of those hardware-encrypted drives into a USB caddy doesn't work because there is no mechanism for providing the password to the drive. eSATA might work if your computer supports it. Otherwise you are stuck with software encryption.
I work in an organization with 10,000+ field offices in the USA. Every office has an encrypted server and POS machine. Then, there are several hundred more encrypted laptops used by the various levels of management from district all the way to division. Also, several (over a hundred) laptops at our headquarters are also encrypted.
The problem is that every one of these must be managed. Each password must be logged and then stored. Each one must be changed every year (right after the annual reviews - hire and fire). Everyone who may reboot the computer must know the password (although you can interact with some programs and pass the password to it before a reboot so the user does not need to know). You cannot install it and think you're done. You have just created another point of failure that will generate calls to the helpdesk and add to your total IT overhead via management.
Also, we have had some problems with certain machines not reporting 100% encryption even after weeks of waiting. A full reimage was needed to correct the issue. Just one more piece to watch for - you will have to closely manage the encryption process.
I know people are concerned about speed penalties, but isn't that the whole reason for using modern hardware in the first place? You didn't mention what the use case was for these machines, so maybe you do need every last megahertz. But for most business users, the machine is mostly idle as it is, and no amount of megahertz is going to let you type your documents any faster. So why not put it to use, like for encryption?
First, what problem are they trying to solve with this encryption? Some problems encryption won't solve, and it can create worse ones.
Is the encryption even going to work? Where I work we found out that the whole-disk encryption works fine when people shut their computers off and then boot them back up. But when you just suspend/hibernate a laptop it resumes exactly where it was, with the encryption software decrypting the disk exactly as normal, without prompting for any passphrase. And 99% of our users used suspend/hibernate rather than powering off, since battery life was the same and it was a lot slower to go through the full boot process. So the encryption wasn't protecting anything, anyone who stole the laptop would have complete access to the data without needing any passphrase.
We also found that the encryption made disk recovery impossible. One of our developers had his laptop fail. Motherboard problem, the disk was completely fine but the laptop itself had to be replaced. We didn't have any of that model of laptop (not made anymore), we couldn't use that drive as the boot disk for the new laptop and it wasn't possible to enter the boot-time password for it using an external USB disk adapter. So, complete loss of all data on the disk, even though the disk was completely intact and functional, because there wasn't any way for the authorized user to decrypt it to get the data back off.
And many of the problems can be avoided completely. For instance, I use RDP to get into my office desktop from home or a laptop using a VPN and an RDP client (built into Windows XP, or rdesktop on Linux). I don't have to worry about the laptop, since there's never any sensitive data on it. Anything sensitive stays tucked away on the office desktop, safely behind the corporate firewall. I use similar remote access to my main home desktop for my own data, e-mail and such. This won't work for everyone, since it requires the laptop be in addition to a secure desktop or server, but when it works it makes encryption on the laptop completely unnecessary.
To expand a little on most of the modded up posts, have one network drive with tight access control and encryption, and encrypt each user's home directory. OS X and Linux both have methods to do this while also giving you a method to recover lost keys.
I've used both truecrypt and compusec, and for a corporate environment only compusec is acceptable. Truecrypt does not provide a master password you can use to quickly reset a password when the user forgets. Compusec is not perfect, but this single feature makes it "enterprise" ready.
It would be quicker, easier, and cheaper to junk every desktop and go for thin clients hooked into the datacenter where desktops and servers run as virtual machines with encrypted filestores. Seriously, it's easier to take the storage away from endpoints than it is to try and protect it.
Then issue people who need to move data around with hardware encrypting USB drives, serial numbered and controlled centrally from something like Securewave.
Hard drive encryption isn't meant to protect against social engineering attacks. It's meant to protect against attacks that don't require social engineering, like stealing or cloning a database server's drives for the information. More than anything, it's meant to provide reasonable assurance that if one of your employees' computers gets stolen by a common thief who just wants to sell it for the cash value, somebody else down the line won't be able to read the data in the drive and take advantage of it.
Standard disclaimer should apply: Talk to your corporate legal counsel first.
What are you going to do when a user goes on vacation for 1-2 weeks and can no longer remember their password to boot up the system? What are you going to do in a similar situation if the person is a "road warrior"?
How are you going to ensure access to the data during a legal compliance exercise (order of preservation or a subpoena for specific records)? If each user selects their own password/phrase to secure the drive, now what?
How will you handle shared workstations? Share passwords? How will you "revoke" access or force a rekeying when someone leaves the organization?
I know I'd be particularly cautious about using an open source product for this. I'm not going to make that decision for the company, my boss or CIO or whoever, but that is "above my pay grade", so to speak. I certainly don't want to have to explain that we went with an open source solution to save a few bucks when the software has inexplicably bugged out and left everything encrypted and inaccessible, necessitating a reload of all machines and restores from the most recent tapes. An outage like that could bankrupt a company. Hell, in that scenario, I could see a manager try to paint you the scapegoat for the action, possibly even trying to have charges brought, criminal/civil negligence or something. People are trying to stretch the meaning of laws all the time to places they were not originally designed. If they want an open source solution ok, but I want a paper trail as to who made the decision to go with the particular product & what other options were considered.
Open source is a great solution sometimes, I use it myself, but one thing a closed source, properly licensed product gives you is a place to point the finger, because it's going to be pointed somewhere. Even if the license indicates that they're not responsible for any data loss because of the use of their product. If there is data loss, the company will look to the software vendor to figure out what went wrong, not to you and your, apparently, poor judgment. If you go with an industry leading provider and their award winning solution, it's much harder for people to look at you as the problem and not the vendor.
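Several posts above ask the same key-management questions: how a forgotten passphrase is recovered (the compusec "master password"), how access is revoked or rekeyed when someone leaves, and how IT gets at the data during a legal hold. The standard answer is multi-slot key management: the disk is encrypted under one random master key, and that master key is wrapped separately under each passphrase, so a user slot and an IT recovery slot open the same volume. The following is an added example modelling that scheme; it is not code from any product named in the thread. Simplifying assumption: the wrap is the master key XORed with a PBKDF2-derived key (a one-time pad, since every slot has its own salt) plus an HMAC tag, where real tools use an AES-based wrap with the same slot structure; the iteration count and all passphrases are constructed for the demo.

```python
"""Multi-slot key escrow model for an encrypted volume (added example).

One random master key (what the disk cipher would use) is wrapped once per
passphrase.  A user slot and an IT recovery slot both yield the master key,
so a forgotten user passphrase is recoverable, and a slot can be revoked or
reset without touching the encrypted data.
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32
KDF_ITERATIONS = 100_000  # assumption for the demo; production tools use more


def _slot_keys(passphrase, salt):
    """Derive a (wrapping key, tag key) pair for one slot from its passphrase."""
    dk = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                             KDF_ITERATIONS, dklen=2 * KEY_LEN)
    return dk[:KEY_LEN], dk[KEY_LEN:]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def create_volume():
    """Return (header, master_key).

    The header is what would live on disk; the master key exists only in
    memory while the volume is unlocked and is never stored in the clear."""
    return {"slots": {}}, secrets.token_bytes(KEY_LEN)


def add_slot(header, name, passphrase, master_key):
    """Wrap the master key under a new passphrase in slot `name`."""
    salt = secrets.token_bytes(16)
    wrap_key, tag_key = _slot_keys(passphrase, salt)
    wrapped = _xor(master_key, wrap_key)
    # The tag lets unlock() tell a wrong passphrase from a correct one.
    tag = hmac.new(tag_key, salt + wrapped, "sha256").digest()
    header["slots"][name] = {"salt": salt, "wrapped": wrapped, "tag": tag}


def unlock(header, passphrase):
    """Try every slot with the passphrase; return the master key or None."""
    for slot in header["slots"].values():
        wrap_key, tag_key = _slot_keys(passphrase, slot["salt"])
        expected = hmac.new(tag_key, slot["salt"] + slot["wrapped"], "sha256").digest()
        if hmac.compare_digest(expected, slot["tag"]):
            return _xor(slot["wrapped"], wrap_key)
    return None


def revoke_slot(header, name):
    """Remove a slot (e.g. a departing user); the data is untouched."""
    del header["slots"][name]


def reset_slot(header, name, authorizing_passphrase, new_passphrase):
    """Give slot `name` a new passphrase.

    Any passphrase that opens the volume authorizes the reset, which is how
    an IT recovery passphrase resets a user's forgotten one."""
    master_key = unlock(header, authorizing_passphrase)
    if master_key is None:
        raise PermissionError("authorizing passphrase opens no slot")
    header["slots"].pop(name, None)
    add_slot(header, name, new_passphrase, master_key)


if __name__ == "__main__":
    hdr, mk = create_volume()
    add_slot(hdr, "user", "correct horse", mk)        # constructed passphrases
    add_slot(hdr, "it-recovery", "escrow-phrase", mk)
    print("user unlocks:", unlock(hdr, "correct horse") == mk)
    reset_slot(hdr, "user", "escrow-phrase", "new phrase")   # helpdesk reset
    print("old user passphrase now fails:", unlock(hdr, "correct horse") is None)
```

The recovery slot's passphrase is the thing the thread says is hard: it has to be generated, escrowed and access-controlled centrally, because whoever holds it can open every volume it was enrolled on.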
We have been instructed to encrypt all laptops and portable media devices. Some of our machines are slow as it is, the encryption software only increased the number of issues we have had to deal with.
Our biggest issue is that the encryption software is set up with a single sign-on, so if a user hasn't used their laptop in a few months and has updated their password, they won't be able to log in to their encrypted laptop because it doesn't recognize the new password. This means one of us admins will need to figure out which admin password is current on the machine and waste time going in and changing the user's login credentials to match their current set.
We're getting ready to install portable media encryption software that will encrypt all data moved from the computer to a USB device. I can only imagine the wailing and gnashing of teeth that will occur when the first iPod is bricked. Of course I won't feel too bad because they aren't supposed to be used on our network anyway.
I entirely agree with every caution to wait, ask more questions, and limit encryption to areas where there is a real risk to be mitigated.
Don't bother to look at the "performance hit" relative to different ciphers: You would be hard pressed to measure the time it takes for any properly implemented block cipher to process data coming and going to a hard drive or etc.
But your performance hit when those drives start to fail is massive: lose the header area where the key hash is stored, and you just lost the whole container. Want to run diagnostics against an encrypted drive that won't mount? So sorry. Want to compress encrypted data for storage? The seemingly "random bits" cannot be compressed.
Your backup strategy will need to include end to end encryption between your clients and server if "encrypt everything" is going to mean anything, and you can only do this when the drives in question are mounted and "live" - not after your users have logged off and gone home or to lunch. Off the shelf tools can do this, but encrypting all the drives adds constraints on when and how backups are made.
No single objection raised in this thread is a show stopper, but add them together and, unless your organization is (for instance) a crime syndicate, there is no possible business case for the costs and risks of "encrypting everything".
Encryption and a whole host of other requirements are now the law in California for any non-profit, local government or other agency that uses state funds and has any personal data anywhere on its systems. This could be something as innocent as the address block in a letter you typed to one person; it does not have to mean the "database."
http://www.documents.dgs.ca.gov/osp/sam/mmemos/MM08_11.pdf
To encrypt everything just bitwise AND with a string of all 1's. Then "Ask slashdot" when you need to decrypt everything.
The procedure for handling keys and data at rest is important. If you are worried about users forgetting their passwords, then use key tokens (USB memory sticks). This will work if the machine and the stick are not kept in the same bag. In other words, have the users clip the sticks to their key chains.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
I think you're missing the point here. Hardware encryption!!!!
Given how glacially slow IT moves in a university -- and how much buy-in the prima donnas demand for even the slightest decisions -- I'm sure the password topic is still brought up at the weekly meeting.
Security only works if the convenience/security ratio is balanced properly for the environment at hand. At a public university which is used to openness, the "encrypt everything" just wouldn't fly (because that one tenured prof who likes to share and then remote mount his entire C: drive between his office and home over an unencrypted network connection would pitch a fit and kill that plan by fiat). If you work at a security company or bank or the NSA, then I'd suspect you'd have an easier time of it.
-B
Ash and Hickory, straight-grained and true, make excellent bludgeons, dandy for the cudgeling of vegetarians.
We have been doing quite a bit of testing with many platforms (TrueCrypt, LoopAES, etc.) and we have seen huge performance drop-offs when it came to RAID performance. With an unencrypted 5-disk RAID0 we were able to get writes of 235 MB/s and reads of 370 MB/s. Whenever we try anything encrypted (TrueCrypt 6.1a), the best we get is ~100MB/s. Where do those superior benchmarking numbers that everyone talks about come from? Both OpenSSL & TrueCrypt claim around 400MB/s; has anyone else been able to do this quickly?
I work at a company with many programmers. We found there was a decrease in speed, quite a large one.
Seagate (and others) make hardware encryption hard drives and there are USB hardware encryption memory sticks too.
Don't go the software encryption route, it's a painful experience.
This is a perfect example of an IT directive to solve a problem that does not exist. Encrypting at the drive level can be useful if your key management is good, but it is not meant to be a catch-all for security. Your best bet is to only encrypt the data that absolutely needs to be. As someone mentioned above, use a thin-client model to keep the complexity low. Use an e-mail client that supports encryption if you must, though e-mail is generally not a safe place for anything secure anyway. Make sure your intranet keeps the browser from caching secure data, and train your staff to store top-secret information on an encrypted document server.
I understand that there is sometimes a need to be paranoid about a stolen laptop, but the XKCD strip linked above is dead on when it comes to what this sort of "security" actually provides. At best it is obscurity. At worst, it slows everyone's life down, bogs down IT support and operations, and chews up funds that would be better used for something like salaries.
Personally, I think we should move away from the dedicated machine model for all employees. It's much less expensive to secure your intranet servers and expose them through secure tunnels through the internet. Now, all your employees need is an abacus with a good battery.
This is really a great question. We are going through the same trials here at our institution. When dealing with thousands of users, you really need a supported, centrally-managed solution. Some IT realities must be addressed: 1) users forget their passwords, 2) administrators and/or people who have access to data change over time.
So we need a system which will let administrators unencrypt *every* hard drive, and reset the users encryption password. Also platform independent. Safeboot is a great centrally managed enterprise system. However, it's Windows-only, although MAC OSX may be just along the pipes. Checkpoint FDE (formerly PointSec) might provide an answer for some. They don't support Debian/Ubuntu however at least when I looked a few months ago.
The native builtin encryption methods for Linux (like cryptfs), seem to require reformatting the disk if you want to do a simple operation like changing the encryption password. Honestly, I don't think there are a lot of great solutions out there yet. More work needs to be done in this area! We need better solutions!
"My institution has thousands of computers, and is looking at starting an IT policy to encrypt everything"
You're looking at a world of potential support pain. Lost passwords, lost unrecoverable files...
For those advocating Truecrypt, my understanding is that it lacks the enterprise deployment and management tools of something like PGP.
You're talking about a fundamental change in your IT landscape, with significant implications for implementation & support cost. Get help.
Start with the laptops, those are your biggest risk area, with the most probability for loss.
Once you have gained experience there, then roll out a major desktop solution.
Finally do something on your servers, those are the ones with the best physical security already. Usually behind a locked door and bolted down to racks.
In the meantime, if you really care about security, hire someone that can lock down all your infrastructure from intrusion via the network. Empower them to fix your network.
Most of these data breaches come from insiders downloading data to their computers, followed by someone getting access through the boss's computer and leveraging that to get at all the data files.
Have everyone turn on FileVault.
My company has been running all the machines that aren't at our data center encrypted, starting around August of 2007. On my laptop I honestly just have not noticed the overhead of encryption more than once or twice in that time. When I started it was on a 1.8GHz Pentium M box, so it's even less of a concern with my 2.5GHz Core 2 Duo.
As I said, it's worked out so well that it's now the standard setup on our laptops. The Eee's my wife and I got last week are running encrypted partitions as well.
Before I started, I was worried about the overhead of the encryption, but I was really worried for no reason. I've almost never noticed it, and none of the other folks in my organization complain about it either.
We are using the Linux encryption stuff running under LVM, so our swap is encrypted as well. Everything but /boot is encrypted. We are using "cryptsetup" (dm_crypt) (built into the Ubuntu Hardy and up "alt" installer and Fedora 10 and up). I'd recommend that for the Linux side.
I've heard good things about TrueCrypt, but haven't used it. We don't use Windows or Mac, so the stuff that's built into Linux is our preference.
The dm_crypt stuff includes "LUKS", which allows you to have multiple keys for accessing the data. So you'd probably want to set up a "user key" and "company key" for each system, and if the user forgets their key someone can check out the company key and set a new user key.
So, in that way you don't need to worry about the user forgetting their password.
Also, you still need to have good backups of the file-systems, so if someone does forget their data you can at worst case recover from the most recent backup.
So the worry of losing keys is a no-op. If you don't have good backups, check out backuppc. I've been very impressed with it.
Finally, as far as the other poster saying that it's a "shotgun" approach for people who are too lazy to identify their important data... Do you also try to back up only your most important data? What if someone adds new important data?
I started with only encrypting a part of the system (because full system encryption was difficult to achieve in older Linux releases). The problem is with leakage. As with backups, it's more provably correct to cover more data rather than less.
This is why for backups I only do exclusions instead of listing the data I want to back up. That way if more data gets added, I have to explicitly exclude it for it not to be backed up.
The same thing applies to crypto. Ok, so you encrypt your sensitive data. Do you have updatedb running? Or beagle? If someone looks at the "locate" database of all the files on your system, will that expose something you didn't want exposed? Like the list of your clients? It would for ours, because our document repository has useful file-names. Similar for the beagle database.
What are you leaking that you didn't intend to be?
Just encrypt the whole damn thing.
Sean
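The "user key" plus "company key" LUKS layout suggested in the post above, together with the header-loss caveat raised earlier in the thread (lose the header area and the whole container is gone), as an added example that is not from any poster here. It assumes cryptsetup 2.x with LUKS2 support and root privileges; the 32 MiB image file standing in for a disk and the random key files are constructed by the script itself.

```shell
#!/bin/sh
# Added example (not from any poster in this thread): two-key LUKS2 layout
# exercised on a regular file so no block device or dm-crypt mapping is needed.
# Assumed, all constructed here:
#   disk.img     32 MiB sparse file standing in for the drive
#   company.key  recovery key held by IT (key slot 0)
#   user.key     the user's own key (key slot 1)
set -eu

CS="cryptsetup --disable-locks -q"
# Deliberately weak PBKDF settings so the demo runs in seconds; a real
# deployment keeps cryptsetup's defaults (argon2id).
PBKDF="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"

# Format a LUKS2 container with the company key in slot 0 and the user's key in slot 1.
luks_setup_two_keys() {
    dev=$1 company=$2 user=$3
    $CS luksFormat --type luks2 $PBKDF --key-file "$company" "$dev"
    $CS luksAddKey $PBKDF --key-file "$company" --key-slot 1 "$dev" "$user"
}

# Return 0 if $key unlocks $dev, non-zero otherwise. --test-passphrase only
# checks the key against the header and never activates a device mapping.
luks_key_works() {
    dev=$1 key=$2
    $CS open --test-passphrase --key-file "$key" "$dev" >/dev/null 2>&1
}

# Helpdesk flow for a forgotten user key: IT checks out the company key, wipes
# slot 1 and installs a fresh user key there. Slot 0 is never touched, so the
# company key keeps working and the data key itself is unchanged.
luks_reset_user_key() {
    dev=$1 company=$2 newuser=$3
    $CS luksKillSlot --key-file "$company" "$dev" 1
    $CS luksAddKey $PBKDF --key-file "$company" --key-slot 1 "$dev" "$newuser"
}

# Detached header backup: without the header the container is unreadable, so
# keep this copy (it contains the wrapped key slots) with the company key.
luks_backup_header() {
    dev=$1 out=$2
    rm -f "$out"
    $CS luksHeaderBackup "$dev" --header-backup-file "$out"
    $CS isLuks "$out"
}

# Number of populated key slots according to luksDump (LUKS2 prints "  N: luks2").
luks_active_slots() {
    $CS luksDump "$1" | grep -cE '^  [0-9]+: luks2'
}

# End-to-end walk-through; prints the scratch directory it used.
demo() {
    work=$(mktemp -d)
    dev=$work/disk.img
    truncate -s 32M "$dev"
    head -c 32 /dev/urandom > "$work/company.key"
    head -c 32 /dev/urandom > "$work/user.key"
    head -c 32 /dev/urandom > "$work/user2.key"

    luks_setup_two_keys "$dev" "$work/company.key" "$work/user.key"
    luks_backup_header "$dev" "$work/header.bak"
    luks_reset_user_key "$dev" "$work/company.key" "$work/user2.key"

    luks_key_works "$dev" "$work/company.key"   # company key still valid after reset
    luks_key_works "$dev" "$work/user2.key"     # new user key unlocks the container
    ! luks_key_works "$dev" "$work/user.key"    # the forgotten key is gone for good
    echo "slots: $(luks_active_slots "$dev") (expect 2), scratch dir: $work"
}

# Run as: sh this_script.sh demo   (needs root and cryptsetup installed)
if [ "${1:-}" = "demo" ]; then demo; fi
```

Good backups remain mandatory: the header backup protects against losing the key slots, not against a failed drive.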
Many more years ago than I'd care to discuss, I used to pull graveyards at the local 7-11. Corporate and Franchise policy back then was, that if you were robbed, you gave up the entire store, on the theory that you were more valuable than the cash or store contents.
Years ago I worked at 7-11 too. One day we were all called into the district office for a meeting. In the meeting we were told somebody was buying the chain but not to worry, none of us were going to lose our jobs. Less than a week later I did. Three people worked at that store, the manager, an assistant manager and me. The assistant manager and I were fired, and the manager was moved to another store and demoted to assistant manager.
They, 7-11, didn't care whatsoever about employees.
Falcon
Should there be a Law?
Compusec
http://www.ce-infosys.com/english/downloads/free_compusec/
Fast and good enough to keep out the average bad guy, or local LE.
I killed da wabbit -Elmer Fudd
If it's good enough for the NSA, it should be good enough for you. Red Hat is really putting an effort in making encryption available for the average user.
If you have the chance to choose the operating system.
We paused a pointsec rollout because it blue-screens maybe 5% of the PCs, and once it does that you will never recover one bit of data on the drive. Lost countless hours of work, plus all of the time troubleshooting we did with the vendor and MS. It is a dirty word here now. We managed to get an update which did not have this problem, and it involved updating NTFS drivers along with Pointsec. I got the impression that it was similar to the delayed-write failures that XP suffered early on, with MS blaming drive manufacturers and drive mfrs pointing at earlier XP patches which did not have the problem.
I have noticed considerable slow-downs, probably because on large files it has to decrypt the whole thing from the beginning instead of being able to seek. Kinda like extracting the last file out of BZIP - they are TARred before compressing and that gives you better performance, but you can't re-create state until you start from the beginning. Of course, anti-virus has the same problem and compounds it with on-access scans.
Lesson: roll this out to some grunts first, for a month or two at least. If you have to do anything beyond reimaging the drive to get them working, they are not the right people to test it on. Stress test it by turning off the PC when it's in the middle of doing something - you can't control when you lose power or a battery dies, so make sure it's robust enough to deal with simple failures. I'm not saying to skip Pointsec, I'm saying there are probably subtle bugs in every product which may show up with your particular configuration. Our higher level executives found the bugs here and it was not pretty.
dl;kjf9s00, so*9fosdikjk oi*5 soej1j2+~. 7dtTk34l ";Leu3*7&.
#@$tjke,
s-=3k,3j
As much as I like TrueCrypt, it is not what you want to be using when you have thousands of computers.
TrueCrypt has no way to remotely install or manage itself. It means taking a trip to each and every computer you own and installing it by hand.
Sadly one of the commercial solutions in this case will save many a headache.
Something like Checkpoint's Pointsec (or whatever they are calling it this month) or PGP WDE for your computers, and give everyone IronKeys, which can be centrally managed (Pointsec will also encrypt USB keys as well as allow you to control what USB devices are plugged in).
And no I'm not a Checkpoint shill...
What are you trying to protect?
From what? What attacks? What value does it have to the attacker? What value does the secret hold to you? Who are the attackers?
For example, if the value of the secret is low to you, then spending money on protecting it is a waste. Encryption costs to buy, costs to run, costs to manage keys, costs in convenience. (Most secrets aren't worth a trip across town because you forgot your keys once.)
If the attackers are internal, (they usually are), then encryption buys you nothing.
If the value of the secret is large and the attackers have physical access, then encryption is the strongest link in a very weak chain.
If many people have access to the secret, then social engineering will weasel it out no matter what your encryption.
If the attackers are evil and powerful, then encryption is a red flag to very Bad Bulls. You're better off with more primitive methods that require real humans to eyeball it.
Get these questions lined up and answered before you start.
Personally, I would recommend going with a full disk encryption methodology utilizing something similar to Utimaco. This provides a challenge/response feature that will enable you (the IT support staff) to decrypt the drive in a situation that would require you to do so (e.g. an employee departs the company, file system corruption, etc).
As for the external drives, my personal stance on this is that you establish a policy surrounding such devices that would not allow them to store any sensitive data on them. If necessary, you can of course create encrypted volumes with TrueCrypt, Utimaco or something similar; but doing so (as has been stated) is risky if they forget the password to it.
What else is there to even choose from? TrueCrypt is great, but I also suspect it's not just the best, it's the only player in the market?
Encrypted LVM's.... mmmmmmmm
eyeballs and fingers aren't that hard to remove
Fingerprints are even easier:
- Get a print on something.
- "Develop" it to get a computer image of the print.
- Fabricate a fake finger from the image any of several ways.
One example:
- Etch it into a printed circuit board (using a printer and a Radio Shack grade PC board etching kit.)
- Cast a fake fingertip on the printed circuit. (Gelatin works for a few-shot prosthetic fingerprint. I think silicone caulk works too if you first lightly oil the PC board to keep it from sticking. Etc.)
Should be similarly easy to make a fake for a retinal scanner from a retinal scan, which is strictly an optic device. (I'd start with a disposable camera for the holder.) Ditto iris scan.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
If you don't ever want to discover that your data is inaccessible, you have to think about whether or not you'll let individual users set any encryption passwords, and how to make sure there's always more than one person who knows any given encryption passwords, and whether or not you'll let all the people who may know a given password get on the same airplane. Because if someone forgets, gets hit by a bus, gets pissed off at the company, etc., you may just find some data just became inaccessible...
This is the encryption system we settled on for our corporation. It has a network deployment, network configuration, it also encrypts the disk while the user is using it, so it takes a day or two as it encrypts in the background and the user can shut off their computer and then it will pick up where they left off.
Looked at TrueCrypt, yeah, but like several others have mentioned, really we find a lot of the open source stuff not very well supported. And what I mean by that is that if you've got a system down, you can either go to a forum or send an email and someone may get back to you, then again they may not. Safeguard Easy has a fully staffed help desk and support center. All of our installations except one went smoothly, and that one just wouldn't run the encryption utility from the network. Instead it had to be started manually. I would suspect some user interference with that, like blocking ports or something.
Now I will say we used this for all laptops and desktops and removable drives but not servers. No real need when servers are in a data center; if someone were to steal the hard drives from there we've got bigger issues. Be forewarned though: doing this on a removable drive like a USB drive, for example, basically renders that drive useless for any computer but the one it was encrypted on and others on your network. You can't, for example, take it home, plug it into your home computer and expect it to work. And why? Because when you manage encryption centrally you typically have a central key for your corporation, so you do not want to give that key out to everyone so they can take it home.
Also there is no noticeable performance decrease, even from me as a developer running 2 virtual machines off my hard drive at the same time. I use a standard laptop we give to everyone else which is a Dell Latitude with 2 gigs ram and intel core 2 duo, running XP though not Vista.
There was slight performance decrease when the drive was encrypting because it was going like mad however that was only for a day, would have been 2 but I took my laptop home turned it on and let it just churn overnight.
Anyway my 2 cents
Ok, so I guess it's pointless to argue the point of "Why encrypt 'everything'?" There are options out there, but I think you're going to be creating an incredible hit on productivity in the institution and a massive support nightmare depending on the size of your site. Also, keep in mind that you will need to establish a tiered encryption system and master keys that will open everything in every department and agency at the highest administrative level of the organization. There will also have to be new physical security practices to make sure the keys don't get into the wild, as well as a rotating scheme for replacing all the keys on a regular basis and updating all masters.
Look, I have been on both sides of this argument and know that there are things that you haven't even thought about from the business practices and risk management angles that will have a tremendous set of REAL costs that are beyond the performance overhead on the computing side of things. This is a horribly bad idea! The Pentagon, CIA and DHS don't encrypt everything for a good reason!
Yes, we encrypt every device (with the exception of PC's). We have not implemented the insert=forced encrypt yet because there are certain software products that use USB dongles that would be encrypted by that policy, and they have not worked that out yet. Cameras are a pain and our work requires we use them; they are the few times we get viruses, although that is not an encryption issue.
/a devices /q /e /rm
/.'rs I can see why you might want to encrypt everything, if your building security is not super tight or just not possible. You have to weigh the possibility of theft of equipment against how sensitive your data is.
We don't use an open source product except TrueCrypt on some of my own portable HDD's. I am pushing that more so we don't have to buy licenses for every piece of hardware. Automation (see below) is a step in that direction. My experiences may still help.
First, where I do use TrueCrypt I set up a batch file that opens a simple prompt so the user just enters a password and the drive becomes accessible. The batch file and the TrueCrypt executable both reside on a small unencrypted partition on the drive in question with an autorun.inf file pointing to the batch file. To automatically mount any encrypted volume it sees on the disk you just inserted, it goes something like this:
TrueCrypt\TrueCrypt
Second, we use Encryption Plus Hard Disk for our laptops. PC's are not encrypted; we invested in a controlled access security system instead of purchasing licenses for all PC's, although unlike other
Like TrueCrypt our software loads a driver that encrypts and decrypts everything written to the HDD. As you probably know computers aren't always writing to the HDD. So the idea that you'll take a huge performance hit is kind of a misnomer. We have laptops that range from Pentium III's to the latest cpu's. If the laptop is excruciatingly slow to begin with then encrypting the HDD will only make it slightly more excruciating. If the cpu is more current then the user will not notice the difference.
Yes, people lose passwords and forget the challenge questions. Unfortunately here we don't have a good procedure in place to reset them remotely. We have them bring them in and we enter the admin password. Even if the HDD crashes we can pop in the decryption CD and get their data about 50% of the time, which is not all that far off from the recovery achieved from our unencrypted PC's after HDD crashes.
In conclusion, having imaged and encrypted hundreds of PC's, I would say unless you choose the wrong algorithm don't worry too much about performance issues. The most basic algorithms will stop 99% of common thieves from getting at your data. Of course, if you're worried about the uncommon ones you may have to weigh protection versus performance.
"The stupid neither forgive nor forget; the naive forgive and forget; the wise forgive but do not forget." -Thomas Szasz
Except that devices that are designed for actual security also measure biological signatures, such as a realistic rate pulse and blood oxygen levels. The gummy bear trick or a photograph isn't going to cut it.
My company has been encrypting everything for some time. We have used TrueCrypt with no issues for around 1.5 years, I believe. Our Linux machines are all encrypted. It's easy to implement with Fedora 9+ and the Ubuntu 8.10 alternate installer as Anaconda handles it for you. I also have several encrypted RAID arrays. If you want, pm me for a write up on it. I don't want my site getting slashdotted ;) . I'll be happy to give you my how-tos.
Just remember, nothing is 100% secure. Document everything.
As far as performance is concerned, we have noticed no significant impact from disk encryption. Let all the naysayers whine and say I'm full of it. top reports that our encryption from cryptsetup consumes about 5% of our procs on our older IBM Celerons at 2GHz, and that's while writing to an array. The array (mdadm) consumes about another 5%. It consumes around the same on a single core of our new machines. On our new machines, i.e. Core2Duo 2.2's, Xeon Quads 2.13's and an AMD dual core 2.2, you don't even notice it.
Frankly it's so easy to encrypt a system drive these days I am of the mind you are foolish not to do so.
The only downside I have come across with system encryption is that I can't do remote reboots. There is a way around it I've read but it's not really an issue for us. Message me if you want, or can. I never have pm'd anyone here before.
We have many of the same problems where I work in government. I am not sure how the poster's work is organized, but I know at least mine seems ass backwards at times. It's a problem of control and responsibility.
I assume at the corporate level they manage our servers and centralized data holdings in a secure fashion with encryption. This also includes some items like individual email stored centrally.
However where I work, everything on your personal computer, which everyone has, is the responsibility of your program, and ultimately the individual to back up.
So in this lunacy you have in some cases triple protected, rotating passwords on systems, yet next to the box is a USB drive that is unsecured, that contains all the data on said system. In a word, stupid.
Part of the problem is the rotating passwords. If you do backup you have to do it manually as when your password changes it will break Microsoft's "Scheduled Tasks" (which requires a password, and it is hardcoded). Centrally they really don't seem to care, as it "is not their problem", that is the users responsibility.
So people being people, and busy at that, most do not back up regularly, and none I know encrypt. Though part of the problem is also that no policy exists that I know of about encryption: which to use, what is acceptable, etc... Frankly I don't see IT wanting to create devices they themselves cannot crack as well, which means some kind of backdoor.
Anyway, any advice as to product (I hear TrueCrypt mentioned a lot), or a solution to the automation process that doesn't involve A) super user privs, or B) not having password changes, as I don't think IT would ever go for either of those? I have looked around online but I have yet to find anything that easily solves this problem. Also, changing to Linux is not an option.. :) I have to work with what I have!
laptops and desktops, sure, but I'd be a bit hesitant about doing this on application servers until I was absolutely sure it wasn't going to cause a nasty performance hit. Furthermore, make sure you've got a very, very good backup strategy first.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
It seems to me that the main problem with recent stupid leaks of large amounts of information from stolen laptops was not so much that the laptop was unsecured, but that the data had no place being on the laptop anyway.
Especially now that you can reach a good network from almost anywhere in the USA, even while traveling along the road. Being able to work on real data from a social security database while flying on an airplane is simply not a reasonable thing to ask.
Can you not start with a core to your network that includes all the encryption you want and then push outwards as you need to?
Maybe set up a central server or two that users can VPN into using a thin client. Prohibit wholesale copying of data (sure, they can take a screenshot and paste it into PowerPoint, or write some information down off of the screen, but forbid file downloads).
Then, for some of your employees, give them a locked-down environment on their PC that has greater access permissions.
The point being, for many users a thin client may suffice and it's much easier to protect. And for those for whom it just won't do, you can spend some more time and education on getting them a solution they can work with and make them aware that by and large sensitive data does not belong on a mobile device.
It's not as if you are going to really encrypt everything anyway - you want people to be able to read printouts !
I imagine that you just want to secure data at rest on your central servers and data on the move between the servers and the clients, except in a very few specific cases.
Nullius in verba
Translation:
Unplug all computers and use mental telepathy.
It works
Trust me
---
Translation courtesy of your friends at the NSA
What about your network? If you leave the network unencrypted, you may as well not bother encrypting any of the machines.
You have more success if you set up an isolated/sterile region like North Korea.
Does it go on forever?
You want to encrypt everything across the boards, regardless of level of classification or how many people need to access it.
In essence, that is going to create an environment where everything is as secure as they are on a password protected environment with much more computational overhead.
The reason for this is that there is no classification between what should be encrypted and what shouldn't be encrypted. Those that need uniform access to unspecified, disparate data across the network (i.e. system administrators) are going to need some easy-to-use convention to get access to debug issues.
Either there needs to be some sort of root/administrator access or you are going to destroy the supportability of your systems. Maybe the user just gives his encryption key to the IT help desk on a regular basis... that couldn't be broken through simple social engineering.
Maybe that isn't necessary... maybe there is a feature that allows unauthenticated access to the encrypted data that only your teckies know.
Basically, too much security equals too little usability. Thus, too much of the wrong security backfires and becomes bypassed because of the need for maintaining usability.
Except that devices that are designed for actual security also measure biological signatures, such as a realistic rate pulse and blood oxygen levels.
Does that include the inexpensive fingerprint scanners on laptops?
Given that retinal scanners are optical I bet one could come up with a hack to fool 'em even if they're doing such a lifesign scan.
Or CLAIMING to do it. In my last few decades I've seen a LOT of "security" stuff that doesn't do anything near what it is hyped to do. (My awakening came when the US government decided to counterfeit its own silver coins with the clad-copper "peanut-butter sandwich" models. Coin accept mechanisms for vending machines were claimed to have an alloy-conductivity test - rolling the coin past a magnet - that you'd have to be more conductive than copper to pass. But they swallowed them just fine with no tuning. Apparently the magnet was really just to catch steel disks and fool the customers.)
When you're talking deployment to all computer-contacting employees of a large company that is not doing highly-classified research for the government you're talking a budget that doesn't cover putting the truly fancy and high-tech devices everywhere.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
It sounds like this is a knee-jerk reaction to all those "data-loss" stories. Encrypting *everything* is probably the wrong answer. Start by deciding what the goals are. Then look for the answers that meet those goals in the most cost-effective manner. Security is not a product, it's an emergent property of the entire system, including the people who use it. If you don't tackle it in a system-wide manner then you haven't a hope.
* Goals: what are you trying to protect? (Confidential data, presumably).
* How might it leak out? (Lost mobile devices, trashed hard drives, posted CDs, angry/corrupt/public-spirited employees all spring to mind).
* Who does the data have to be shared with? Do they have similar policies? Are they enforced?
* How can you prevent leaks? Depends on the problem. Declaring an "everything encrypted" policy probably won't help much, because you can't stop someone bringing their own unencrypted thumb drive in and stuffing data on to it. Also it's not cost-effective to encrypt ordinary applications. It's user data you need to encrypt.
So you have to start with an education job. Get the senior management to see that this policy is not going to fix their problem, then show them something more intelligent.
Windows is probably not capable of supporting a complex security policy. But SE Linux might. If you declared that all mobile devices (laptops, thumb drives, PDAs, mobile phones) must not have sensitive data unencrypted, then put a SE-Linux policy in that divides directories into "sensitive" and "unrestricted", and won't let data move from sensitive to unrestricted without passing through an approved encryption process. That will help stop dumb accidents, but it won't stop deliberate leaks, and it won't stop someone writing the key on a post-it note on the CD.
I don't know how to set up something like this in SE-Linux: you are likely to need a guru for that.
You are lost in a twisty maze of little standards, all different.
As partially stated above - biometrics should be the last item implemented in a multi-factor security solution. Most security deployments would do fine with 2-factor security - something you have and something you know. The third, something you are, should never be done cheaply. It should also never be done in a situation where revocation is a problem. Cheap computer laptop fingerprint scanners are not secure, and people relying on them to be are misinformed or stupid.
So far, the arguments I've seen against biometrics are arguments against bad implementations and inappropriate usage, not biometrics themselves.
There's not much more you have to do. Your solution should be seamless and it doesn't get more seamless than not changing anything (after the requisite kickbacks from some "software company".) Don't forget to mention that the whole thing is behind schedule. They will smell a rat if it rolls out on time.
When you've got the Emperor's New Encryption up and running, let them know they can test it.
That is not true. See http://en.wikipedia.org/wiki/Disk_encryption_theory#CBC-based_approaches
While partial encryption strategies for sensitive data may be a good idea, whole-disk-encryption is largely a bad idea. Most users don't really need to encrypt stuff like temporary files, os files, program files etc. It's just the sensitive user-created stuff that may need protection.
Especially, some researchers have found that whole-disk-encryption is fairly easily broken (pure software solution) for any machine that has had its keys in RAM (not wiped) up to the last 5 minutes or so. (I.e. in ACPI Standby).
http://news.cnet.com/8301-13578_3-9876060-38.html
http://www.itpro.co.uk/170304/disk-encryption-easily-defeated-research-shows
I go with a similar suggestion as some others here mentioned, focus security on home directories, possibly removable media (although be careful about user education, ALL removable media should of course not be encrypted). Above all, focus on a strong practice and security around putting stuff in networked storage. That can also help keep backups, versioning and have other positive side-effects.
Or is there another use for encryption ?
You can use drugs and a wrench on a few people. You can't do it to a couple hundred million people. When someone drugs you and hits you with a wrench, you know it happened. Try it on a massive scale and the public will find out and grab wrenches of their own.
That is why hard-to-crack encryption is still incredibly useful. It allows you to deny the enemy the option of attacking undetected.
And that just happens to be a very credible threat. Massive passive surveillance used to be a paranoid imagination by crypto-nerds, but now it's something we've been hearing about in the mainstream news over the last 3 years.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
My daughter came home from school with an assignment in her computer class. They were going to be learning Powerpoint; she needed to bring in some pictures that she could use in her presentation.
We pulled up the PC, grabbed a stack of photos off the media server, plopped in a blank cd, and--
"No!" my daughter blurts. "I can't do that. We aren't allowed to do that."
Turns out the school has a policy that no foreign media can be loaded into a school PC. Blink. Blink. I guess that is some crazy attempt to keep all the Windows PCs in the lab from getting infected (more than they already do).
"So how are you supposed to load these pictures into your presentation?" I ask.
"Teacher said to email them to her."
"How will they get into your presentation?"
"Teacher's computer is on the school network, so she can copy them from her email into our folders."
====
My point: teacher's hard drive is encrypted, but teacher's email isn't. Nor is teacher's USB slot, DVD drive, internet connection. Your definition of "total encryption" is inadequate. You are spending a lot of time, money, and effort on a fallacy. Copying an encrypted drive is very, very easy.
In an effort to encrypt several thousand PCs and other devices, the master keys will leak like crazy. They will probably be written on the same piece of tape with the password that is attached to the bottom of the laptop.
Thieves will probably require more time deciphering the user's abysmal filesystem organization than they will to decrypt the hard drive.
And as for the db server... If someone managed to steal it without the encryption key, they probably weren't smart enough to decipher the schema anyway.
I understand your point, but you're making it against the wrong thing. Whole-disk encryption done correctly does not get in anyone's way, and does not require working around. Losing a notebook on a trip, or having it stolen from your car while shopping is very easy to do. If someone steals my notebook, they can't get any company data out of it - best they can do is reformat it and have a free notebook.
I don't have to remember to encrypt something, or erase something - it's all done for me, with no interaction. This *is* what you need to secure. Anyone who makes the security decision not to safeguard something that can be carried by one person, using transparent encryption, should reconsider their career.
Sure someone who wants the information can hold me at gunpoint and get the password, but how often does that happen vs. a random burglary or lost item? Are these PCs that don't get taken on a trip? Think you don't need encryption because they won't leave the building? You'd be surprised where your missing inventory winds up. I know we were.
Be sure to encrypt all output to the monitor, most people forget about this hole. Otherwise you are just leaving your data wide open for anybody to see.
The bald guy with the coffee cup is named "Wally" -- don't expect him to get any work done. Don't piss off the lady named Alice -- she turns violent at times. Dilbert would be a nice guy for your sister to marry, but it's not going to happen. Steer clear of HR entirely. And, oh yes, it's not polite to mention your boss's pointy hair to him.
This has "IT Strategy by Partly Comprehended Magazine Article" written all over it.
Whole disk encryption buys you security from people who steal your computer hardware. It does NOT buy you security from malware, since the disk is encrypted transparently, any process running as the user can read and write the data. You need to look at the whole picture here. Do you need to encrypt the whole drive, or do you need to encrypt the sensitive data and modify the programs that read and write that data to use encryption. If the user is running windows, and running as an admin (as most people do), any worm or trojan could read and stream the data from this computer to a server offsite. If encryption is built into your software, then they can only get at the data via the software.
We produce encryption software that does this very thing for some banks. The data is encrypted on disk, and our software can decrypt it, but the disk is not whole disk encrypted for the reasons listed above.
Whole Disk Encryption seems like the answer to your prayers, but it can be one part security theatre if the primary threat comes from within the computer rather than from the theft of that computer.
To my knowledge, there is no FIPS-certified fingerprint device on the market. They offer no substantive value to a security solution.
If someone is pitching fingerprint readers, run away.
Conformity is the jailer of freedom and enemy of growth. -JFK
Is there anyway to keep things safe while on screen (e.g. from key loggers, etc)?
Many corporate execs seem to think that whole-disk encryption alone will save their butts in case their laptop ever gets stolen. They use it as a kind of insurance against carelessness. Not quite.
It's worth noting that encryption by itself does not stop a data breach from happening. It only mitigates the short-term consequences. To truly protect your company, you still need a full-service security deployment, and all the inconveniences that come with it.
Once the data has left your hands, encrypted or not, the damage has been done and there's nothing you can do to stop it. A bad guy could copy it, keep it on the shelf, and wait 15 years until we have quantum computers that can break RSA. Then he knows all your old secrets which could still be very damaging 15 years later.
A few months ago, someone stole a local hospital's backup tapes from a courier van. Although the tapes were properly encrypted, the hospital still freaked out about it, with good reason. They even paid for credit monitoring for everyone on the tapes. Once the cops recovered the stolen tapes, they sent them to the FBI to assess whether the tapes had been accessed by the thief.
Whatever you do, prior to the moment you encrypt the first partition, have in place a policy for cryptographic rotation and key retention. The last thing you need is to have one of your key persons leave for greener pastures leaving behind all their data and none of their keys.
In order to be effective the policy for key storage must be one that there is no exception to, period, nada. Changes yes. Exception no. Then figure out a secure way to retain the keys that prohibits rogue usage.
Finally figure out how you will go about a full key change. What happens if Joe leaves in a less than polite manner (he got his butt canned for cause) and this individual may have copies of the keys. How do you rotate, what gets rotated first etc. Cover your butt when it comes to data destruction as well. The more effort you put into planning, the more likely you are to keep all of your data usable.
I'm sorry, I'm too tired to be witty at the moment so this message will have to do.
If you're already using UNIX file servers then I wouldn't force clients to encrypt. I would simply enforce the use of VPNs and file servers for sensitive information and sharing, while using GEOM ELI to have transparent disk encryption on the UNIX file servers.
http://diskcryptor.net/index.php/Downloads Proper GPL license, not that strange truecrypt one.
Read the source and compile it for yourself if you don't trust it. Asshole.
.sig: No such file or directory
After receiving such a reply I would make sure to remind the CTO (or the Queen of Sheba, I don't care how important somebody is if what I am trying to do is the right thing to do) that he may be legally obliged to keep the information safe.
That brings back the money to implement the necessary security upgrades.
Make it personal, it never fails.
IANAL but write like a drunk one.
If an employee dies of a heart attack all your sensitive information is stored centrally.
Laptops should not be more than thin clients nowadays, whose only purpose is to access data over an encrypted link to your corporate servers.
Any information stored in a laptop should not be vital or even important to the running of any firm.
They are delivered by electronic tokens or even by SMS to your mobile.
Parent called twitter an asshole. Should be insightful, not troll.
If you are at an institution, you need ass covering in your decision. Especially if you use a Windows desktop. We use Safeboot. I'm at a Fed Bureau that is famous. Safeboot even allows admins to recover the password if the user forgets it. They will forget it by the way. Many users are as dumb as a box of rocks. Sometimes I think even dumber.
Go with FOSS if you dare, my advice is to get a company behind it. That way when it is compromised, they can't criticize your decision. In some cases you may be obligated by law. Check with your legal department. It is also a good idea to consult with a security professional. If something hits the fan, you don't want to seem like an idiot.
You're right of course.
All joking aside, the underlying point is how easy it is to "extract" a password from a person or organization, by means both violent and non-. In the average company, they're written down all over the place. Especially if "password strength" or "freshness" rules have been enabled and thus have made passwords more difficult to remember.
I believe this is why, given the complexity, risks, and performance penalties involved in full-disk encryption, most companies opt for hardware-level locks instead.
For instance, in any Thinkpad from the last decade, one sets the hard disk password. No actual encryption is performed on the platter, but the hard drive firmware will simply refuse to initialize without the password. Simply removing the various batteries will not work. It's beyond the means of all but a very few to read data off of a platter without the assistance of the drive electronics. So in practice this security measure is enough to stymie almost anyone but an organized, well-funded, and technically skilled attacker. Beating the lock involves destruction of the drive, so he/she will be interested in data, rather than a quick sale on the black market. The same type who would find it relatively easy to find an encryption key, by any number of means (usually not needing to resort to wrenches :).
At the same time, this method is available off the shelf, has no performance penalties, no additional risks to data loss, etc.
Google reveals brisk forum traffic by frustrated laptop thieves who would like to unbrick quantities of certain unfortunately locked hard drives. I would even speculate the prevalence of HD locks has deterred laptop theft overall (at least, of certain brands where the lock is commonly used, i.e. Thinkpads vs. Macbooks).
Believe it or not, I'm not really advocating taking fewer security measures. In fact, I hope ultimately we do make strong encryption commonplace. Ideally the drive manufacturers will support it with dedicated hardware as a value add. I suspect the primary reason this hasn't been done already is politics. I'm only saying that, sadly, it provides a great false sense of security. Without being accompanied by elaborate and harrowing human practices today practiced only by organized crime and certain branches of the government, full drive encryption does relatively little more for your data security than simply enabling the HD lock in your BIOS.
Tired of Political Trolls? Opt Out!
Only free software should be trusted.
Truecrypt is free-as-in-beer. Ok, so it may not be free-as-in-speech. So what? I just want to use it, why should I care? As long as it's open source, I can take the time and read the source and make sure it really does what it says and does it well.
oh, btw, hello twitter.
so as to scare off users!
Are you writing a competing application of your own?
I think the policy should be re-evaluated and analyzed instead of trying to encrypt everything. Maybe doors' security, a sound message when someone left a USB connected, a policy for what kind of information should be encrypted, log access to the information... But if the cost/benefit of encrypting the whole house is worth it, do it.
Seems to be the way Micro$oft encrypts things.
Or use Greek like SCO.
perhaps even informative?
I'm not a crypt nerd, but what reading I've done suggests that having the same plaintext encrypted with two different keys out of the same system can give you a lot of information about both keys. And that if you KNOW the plaintext, then you have even more information about the keys.
If you encrypt the entire disk, do you also automatically move, shuffle, and frag the OS files? That should be good for a 20% slowdown.
Roll out 1000 laptops. You use some form of imaging tool to do this. foo.dll starts at the same location on each disk.
Steal two laptops, now I have foo.dll encrypted with two keys from the same system. And I now have the plaintext and encrypted version of some text. Further, I can get copies of the (several) forms of foo.dll from MicroSloth.
And if they do move the files around a bit, starting off with a million starting locations (assuming cluster boundaries) is a much smaller start set than brute force, yes? (Does truecrypt and its ilk pad the front of a file with random cruft to discourage this form of attack?)
And aren't the first few sectors of a disk in a pretty rigid format?
It seems to me that to develop a secure system you want to minimize having known standard files encrypted multiple times with the same system.
Which in turn means if you are working with winsnooze, you have to keep it from scrawling your data all over C:\.
I can see two ways to accomplish this with current technology. Doubtless there are more using techniques I'm not aware of.
1. Have an OS and a Data partition. Only the data partition is encrypted. Beat on the OS so that it uses the data partition for temp files, for the user's registry hive.
2. Run the secure environment in something like VirtualBox. The OS is booted from an immutable disk. Changes don't survive a reboot of the VM. Add a file shredder function to the host system to remove the temporary files. The data disk is also a virtual disk, that is encrypted by the guest operating system.
The existence of the temporary files while the VM is running is still a hazard, but not as great as the temp files and swap files in windows. With a unix host file recovery is somewhat iffier to start with. But since VB is semi-open source adding a feature to generate a random key and encrypt the temporary file should be fairly easy. This key does not have to be known to the user: It changes with every boot of the virtual machine. Now if you can write a windows program that automatically logs the user out when the laptop is closed, or the face disappears from in front of the camera...
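The "same foo.dll at the same offset on a thousand imaged laptops" worry above, and the CBC-mode discussion linked earlier in the thread, are what sector-tweaked disk-encryption modes exist to address. The block below is an added example, not code from the thread or from TrueCrypt, using AES-XTS (the mode TrueCrypt 6.x and LUKS default to) from the third-party `cryptography` package. It encrypts the same constructed 512-byte "known file" sector on two simulated laptops and shows which ciphertexts coincide: with independent per-disk keys nothing matches, the same plaintext one sector later does not match even under one key (the sector number is the tweak, so no random padding is needed), and the only case that does match across disks is two machines sharing a key, which is the real imaging mistake an auditor should check for. Sector numbers, key sizes and the sample sector contents are assumptions of the example.

```python
# Added example, not from the thread: AES-XTS behaviour on imaged disks.
# Requires the third-party "cryptography" package (pip install cryptography).
import os

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR_SIZE = 512


def _tweak(sector_no: int) -> bytes:
    # XTS takes a 16-byte tweak; disk encryptors use the little-endian sector index.
    return sector_no.to_bytes(16, "little")


def xts_encrypt_sector(key: bytes, sector_no: int, plaintext: bytes) -> bytes:
    """Encrypt one sector with AES-256-XTS (64-byte key = two AES-256 keys)."""
    if len(key) != 64 or len(plaintext) != SECTOR_SIZE:
        raise ValueError("need a 64-byte XTS key and a full 512-byte sector")
    enc = Cipher(algorithms.AES(key), modes.XTS(_tweak(sector_no))).encryptor()
    return enc.update(plaintext) + enc.finalize()


def xts_decrypt_sector(key: bytes, sector_no: int, ciphertext: bytes) -> bytes:
    dec = Cipher(algorithms.AES(key), modes.XTS(_tweak(sector_no))).decryptor()
    return dec.update(ciphertext) + dec.finalize()


def compare_imaged_disks(shared_key: bool) -> dict:
    """Two laptops imaged from one master, so the same file lands on sector 2048
    of both. shared_key=True models the imaging mistake of cloning the volume key
    along with the image; False models a fresh random key per machine."""
    known_sector = b"MZ" + b"\x90" * (SECTOR_SIZE - 2)  # constructed stand-in for a DLL's first sector
    key_a = os.urandom(64)
    key_b = key_a if shared_key else os.urandom(64)

    ct_a = xts_encrypt_sector(key_a, 2048, known_sector)
    ct_b = xts_encrypt_sector(key_b, 2048, known_sector)
    ct_a_next = xts_encrypt_sector(key_a, 2049, known_sector)  # identical bytes, next sector

    return {
        # Known plaintext at the same offset on two disks: only equal if the keys are equal.
        "same_sector_matches_across_disks": ct_a == ct_b,
        # Same bytes one sector later under one key: the tweak makes them differ,
        # which is why no "random cruft" padding is needed to break up repeats.
        "same_plaintext_next_sector_matches": ct_a == ct_a_next,
        "roundtrip_ok": xts_decrypt_sector(key_a, 2048, ct_a) == known_sector,
    }


def audit_for_cloned_keys(disk_images: dict) -> list:
    """Cheap fleet check: identical ciphertext for a sector every image is known to
    share (e.g. the first boot sector) means those machines share a key.
    disk_images maps hostname -> ciphertext of that reference sector."""
    seen = {}
    duplicates = []
    for host, ct in disk_images.items():
        if ct in seen:
            duplicates.append((seen[ct], host))
        seen.setdefault(ct, host)
    return duplicates


if __name__ == "__main__":
    print("independent keys:", compare_imaged_disks(shared_key=False))
    print("cloned key:      ", compare_imaged_disks(shared_key=True))
```

The security-relevant takeaway for a thousand-laptop rollout is procedural rather than cryptographic: image the machines first and let each one generate its own volume key on first boot, then confirm with a check like `audit_for_cloned_keys` that no two images show identical ciphertext for a sector they are known to have in common.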
Third Career: Tree Farmer Second Career: Computer Geek First Career: Teacher, Outdoor Instructor, Photographer.