Slashdot Mirror

← Back to Stories (view on slashdot.org)

How To, When You Have To Encrypt Absolutely Everything?

Posted by ScuttleMonkey on from the first-step-is-teaching-people-how-not-to-be-stupid dept.

Dark Neuron writes "My institution has thousands of computers, and is looking at starting an IT policy to encrypt everything, all hard drives, including desktops, laptops, external hard drives, USB flash drives, etc. I am looking at an open source product for Windows, Mac, UNIX, as well as portable hard drives, but I am concerned about overhead and speed penalties. Does anyone have experience and/or advice with encrypting every single device in a similar situation?"

14 of 468 comments (clear)

  1. TrueCrypt or Wait for On Drive Upgrades by eldavojohn · · Score: 5, Informative

    I am looking at an open source product for Windows, Mac, UNIX, as well as portable hard drives ...

    I think you're going to find most people advising you to choose TrueCrypt which boasts:

    I think they're on version 6.1a and I have been impressed with them. You may want to try benchmarking the various encryption algorithms it offers.

    ... but i am concerned about overhead and speed penalties.

    Aren't we all. I mean, no one wants an Office Space like scenario where every day before you leave you have to wait for the damn little bar to cross the screen to save your progress for the day. You have another option which is to wait until the drive manufacturers build all that into the hardware's firmware so that it is as fast as they can make it.

    I wouldn't recommend waiting that long, however.

    Here's my formal suggestion: do a small test on a few users or even a few devices no one depends on, some USB drives, etc. Use them yourself and see what kind of overhead (for both user and device) we're talking about here. Then weigh that with how much comfort you get with universally encrypting everything. If A is greater than B (with a sinister sounding name like 'Dark Neuron' who knows?), draft up a plan. Otherwise, just wait until you have the funds to upgrade the hard drives to those with the built in encryption.

    I do not know for certain but I do not believe there is a painless push-across-the-network way to do this ... I also would feel very uneasy if someone assured me they had a method to do that. Drive encryption is one of those seemingly trivial but necessary reasons why companies have many system administrators and not some automagical solution.

    --
    My work here is dung.
    1. Re:TrueCrypt or Wait for On Drive Upgrades by Shadow-isoHunt · · Score: 4, Informative

      TrueCrypt isn't without it's bugs. Both 5.1a and 6.0a have cost me two windows installs(one Win2k3, one Win XP pro), which couldn't be recovered with the recovery disk. 6.1a won't even install on my Inspiron 9400, giving me a "memory parity error" on the initial reboot test for full drive encryption. If you want something to trust your data to, truecrypt is not that program(yet).

      --
      www.isoHunt.com
    2. Re:TrueCrypt or Wait for On Drive Upgrades by trifish · · Score: 4, Informative

      Yes, and as the OP was asking for "real-life" benchmarks, here they are. Tom's Hardware benchmarked TrueCrypt thoroughly and found practically no overhead.

      http://www.tomshardware.com/reviews/truecrypt-security-hdd,2125.html

    3. Re:TrueCrypt or Wait for On Drive Upgrades by pavon · · Score: 4, Informative

      You can encrypt your key with a password (I'm sure truecrypt supports this) but then you might as well just have used a password in the first place instead of encryption.

      WTF? If someone steals a computer and puts a drive in another computer the windows/BIOS password won't do shit, encryption will.

      What you do is store sensitive material on secure servers and have people check out copies of material that they have access to. I'm sure keeping sensitive data off local hard drives would be easier than actually protecting all those hard drives.

      No it won't. If they need to use the data then it will be cached on their computer whether it is stored centrally or not. And if they weren't using the data then it wouldn't have been on the computer to begin with. Centralization will only help if you move from thick-client to a thin-client-like processing of data. That will limit the amount of distribution of sensitive manner - "checking data out" won't.

    4. Re:TrueCrypt or Wait for On Drive Upgrades by PotatoFarmer · · Score: 4, Informative

      What you do is store sensitive material on secure servers and have people check out copies of material that they have access to. I'm sure keeping sensitive data off local hard drives would be easier than actually protecting all those hard drives.

      I'm not so sure about that. The deal with whole disk encryption is that it's fail-safe; it doesn't matter if something bad happens, the data is stored in a secure state by default. A check-out model doesn't give you that.

      Also, speaking from experience, it's incredibly difficult to get end users to even understand what sensitive data is, much less train them how to work with it in a secure manner. Any security model that relies upon educated (and diligent) users is probably going to fail sooner rather than later.

    5. Re:TrueCrypt or Wait for On Drive Upgrades by Zerth · · Score: 4, Informative

      If the pagefile is located on the encrypted volume, not much harm, might make cryptanalysis easier if someone can get two images of your drive at different times.

      If the pagefile is not on the encrypted volume, then it is leaving chunks of no-longer-secure data for anyone to see.

    6. Re:TrueCrypt or Wait for On Drive Upgrades by TheCabal · · Score: 5, Informative

      A simple perusal of their website reveals:

      Q: We use TrueCrypt in a corporate/enterprise environment. Is there a way for an administrator to reset a volume password or pre-boot authentication password when a user forgets it (or loses a keyfile)?

      A: Yes. Note that there is no "back door" implemented in TrueCrypt. However, there is a way to "reset" volume passwords/keyfiles and pre-boot authentication passwords. After you create a volume, back up its header to a file (select Tools -> Backup Volume Header) before you allow a non-admin user to use the volume. Note that the volume header (which is encrypted with a header key derived from a password/keyfile) contains the master key with which the volume is encrypted. Then ask the user to choose a password, and set it for him/her (Volumes -> Change Volume Password); or generate a user keyfile for him/her. Then you can allow the user to use the volume and to change the password/keyfiles without your assistance/permission. In case he/she forgets his/her password or loses his/her keyfile, you can "reset" the volume password/keyfiles to your original admin password/keyfiles by restoring the volume header from the backup file (Tools -> Restore Volume Header).

      Similarly, you can reset a pre-boot authentication password. To create a backup of the master key data (that will be stored on a TrueCrypt Rescue Disk and encrypted with your administrator password), select 'System' > 'Create Rescue Disk'. To set a user pre-boot authentication password, select 'System' > 'Change Password'. To restore your administrator password, boot the TrueCrypt Rescue Disk, select 'Repair Options' > 'Restore key data' and enter your administrator password.
      Note: It is not required to burn each TrueCrypt Rescue Disk ISO image to a CD/DVD. You can maintain a central repository of ISO images for all workstations (rather than a repository of CDs/DVDs). For more information see the section Command Line Usage (option /noisocheck).

      Seriously, a little research isn't hard.

    7. Re:TrueCrypt or Wait for On Drive Upgrades by Score+Whore · · Score: 4, Informative

      The post you reply to is written by a numbskull. Compiling software doesn't even begin to ensure that all possible memory locations accessed and bit values are written. The vast majority of what is going on during a compile and/or md5 sum is going to happen in the processor's L1 & L2 caches.

      On the other hand memtest86(+) has a methodology that includes disabling cache and ensures that all possible locations are written to and read from. Additionally there is a mixture of patterns used, from random patterns for general testing to specific patterns (both bit value & access ordering) for exercising known failure modes of DRAM.

      Finally the idea that you can "stress" you RAM is nuts. Outside of running the device out of spec (e.g. overclocking), the only "stress" possible is heat and just being on will get it into the normal operating temperatures. Anything else is what it's designed to do, there is no ubermagic access pattern driven by that "well known" gcc that causes DRAM to fall over dead.

  2. Re:Yeah... by quickOnTheUptake · · Score: 5, Informative

    I've heard that full fs encryption on higher end computers has a negligible performance impact (cpu can generally keep up with the hdd) but on lower end machines esp. netbooks, the performance impact can be appreciable. Here is an article with benchmarks

    --
    Mod points: Guaranteed to remove your sense of humor.
    Side effects may include gullibility and temporary retardation
  3. Re:Yeah... by Vancorps · · Score: 4, Informative

    I can't tell, are you joking? With all the sarcasm around Slashdot it's sometimes difficult to tell if someone is being snarky.

    The scenario you mention wouldn't happen unless a half-baked encryption scheme was used. HP, RSA, IBM, and even Truecrypt all have recovery options ranging in levels of difficulty to implement. RSA's key management tools are quite handy but you definitely pay a premium for them. HP's are clunky like all HP software, IBM has been doing it for years but again you pay and arm and a leg.

    With Truecrypt you create two to three thumbdrives when you do the initial encryption, two of them store the master encryption key and the third has whatever key is needed for authentication depending on how you want to deploy it. The only fault I have with Truecrypt is that there are a dozen ways to deploy it so you have to read and plan very carefully before deploying it on any level.

    Once you have your flash disk you copy its contents to an encrypted folder on your SAN somewhere and keep the flash drive in a properly fire-proof safe. One flash drive has the keys for over a hundred machines with room for plenty more, keeping two copies ensures that a flash drive dying won't leave your data inaccessible during transport to the server and should the SAN experience some sort of data loss you can go back to the flash drive to recover keys.

    Encryption is pretty scary as your keys are extremely important as you mention, once the key is lost then so is the data. So you take a few precautions ahead of time and then you don't need to worry.

  4. You're still missing the point. by Estanislao+Mart�nez · · Score: 5, Informative

    Hard drive encryption isn't meant to protect against social engineering attacks. It's meant to protect against attacks that don't require social engineering, like stealing or cloning a database server's drives for the information. More than anything, it's meant to provide reasonable assurance that if one of your employees' computers gets stolen by a common thief who just wants to sell it for the cash value, somebody else down the line won't be able to read the data in the drive and take advantage of it.

    --

    Are you adequate?

  5. Re:Theory vs. Reality - Seriously by SpottedKuh · · Score: 5, Informative

    The point of the comic is that there's no *practical* difference between, say, 128-bit encryption and 4096-bit encryption [...]

    There's a huge difference. When you see numbers like "128-bit," you're dealing with a symmetric encryption algorithm (e.g., AES). When you see numbers like "4096-bit," you're dealing with an asymmetric algorithm (e.g., RSA).

    See the NIST Recommendation for Key Management (PDF), page 63. For example, to get RSA that is "equivalently" secure (for some predicted meaning of equivalent) to AES-128, you need a 3072-bit key. The table is explained on page 62.

    As an aside, the comparably small key sizes that asymmetric elliptic curve cryptograph (ECC) can use, illustrated on page 63, are one of the reasons that ECC is so valuable.

  6. Re:TrueCrypt by Panaflex · · Score: 4, Informative

    Nobody deals with that, for the moment. I don't think the hardware solutions deal with that for every case, either.

    I've heard of some possible solutions being thrown out there - including a CPU "disabled cache"-type software solutions - but there's nothing being sold yet.

    --
    I said no... but I missed and it came out yes.
  7. Re:TrueCrypt by rduke15 · · Score: 4, Informative

    TrueCrypt has several options. The way I have it configured, the TC volume is automatically unmounted when I suspend, and I need to re-mount it when the notebook wakes back.

    I understand the password is not in RAM anymore after a suspend. These are the options I use:

    "SaveVolumeHistory" = 0
    "CachePasswords" = 0
    "WipePasswordCacheOnExit" = 1
    "WipeCacheOnAutoDismount" = 1
    "StartOnLogon" = 0
    "MountDevicesOnLogon" = 0
    "MountFavoritesOnLogon" = 0
    "DismountOnLogOff" = 1
    "DismountOnPowerSaving" = 1
    "DismountOnScreenSaver" = 0
    "ForceAutoDismount" = 1