How To, When You Have To Encrypt Absolutely Everything?
Dark Neuron writes "My institution has thousands of computers, and is looking at starting an IT policy to encrypt everything, all hard drives, including desktops, laptops, external hard drives, USB flash drives, etc. I am looking at an open source product for Windows, Mac, UNIX, as well as portable hard drives, but I am concerned about overhead and speed penalties. Does anyone have experience and/or advice with encrypting every single device in a similar situation?"
Don't do it.
A subtle balance between encrypting most essentials and leaving non-essentials unencrypted. For example, you may want to only encrypt parts of your hard disk as encrypting the whole disk will impact performance.
Also, watch how external USB keys are encrypted. If you deal with clients and offer loaner machines, their USB drives could become encrypted and useless when they return to their own office.
I'm all for encrypting, however hopefully the higher ups also consider the potential performance hits and liability issues.
"Security" that gets in people's way is a security threat, because people will find a way to work around it, and be worse off because of it. Never try to lock down everything, or you'll have no control over what is compromised. Figure out what you really need to secure, and lock that down. Really. Trying to secure everything is a sure sign that someone lacks the knowledge to make security decisions.
Encryption is easy. Password distribution and protection is hard.
Have you worked out a complete plan for key management for all these encrypted devices?
What's your key management strategy?
You want TrueCrypt.
It's probably better than a hardware solution. They keep screwing up and snake-oiling the hardware ones, but you can audit TrueCrypt (and people have), and pre-boot authenticated system drive encryption is pretty much what you want.
As for speed... I don't know what you're worried about. AES-256-XTS (best-in-breed, the new standard, which TrueCrypt pioneered and uses) runs at over 150MB/sec in benchmark, and that's on one core. Your hard disk very probably doesn't run that fast.
All our machines are encrypted using similar means, and we've never experienced any problems with performance.
PGP's Whole Disk Encryption isn't as good - that kept stalling in kernel mode under XP, causing hiccups on lots of disk accesses; and eventually the driver bluescreened on every boot and there was absolutely no way we could get it back, which lost us terabytes of data... but TrueCrypt has caused us no such problems, and costs nothing. (If it worked with the leftover eTokens from our earlier PGP deployment, it'd be perfect.)
I see this all the time and it always makes me cringe.
If you treat all data the same, it is impossible to convince users to treat any data differently from any other, and they will all default to "Sloppy", and you won't care because you'll be certain that the encryption is going to save your ass.
It is a much much better idea to have a very distinct line between secure and insecure, so that people have that distinction hammered into their heads every time they touch secure data. Otherwise, someone is going to get sloppy with their private key, and you're going to get exploited and never see it coming.
That comic has been making the rounds. It's cute, but not applicable.
If the submitter is in an organization with thousands of machines, the notion that any user will be required to keep their password confidential in the face of torture is laughable. That's for specially trained operatives, soldiers, and other assorted heroes. Those of us in the normal world will probably adopt a more rational perspective. If someone were crazy enough to steal one of our laptops, simultaneously snatch the user, and threaten them with torture, our folks know to give up all passwords, immediately. We're only required to keep data confidential where it is reasonable to do so. When floods sweep away your car, wave goodbye to your laptop in the trunk. When someone threatens you physically, tell 'em what they want to hear.
Our people are more important than our data. Our people are more important than the public's data. If we lose a chunk of data, we have ways to reconstruct what was lost and mitigate damage. If we lose an employee, there is no way to achieve a good outcome.
Reasonable?
OK, delay and stall as much as possible while you get your resume shopped around and get a new job lined up.
Then quit.
This kind of silliness is (a) stupid, (b) pointless, and (c) doomed. Anyone who claims otherwise is wrong. (And no, I'm not opinionated at all! :-)
Fundamentally, this will fail because it's a blanket policy on dissimilar environments: All hardware is not equal, and all software is not equal. Portable gear should NOT be treated the same as fixed equipment. Sensitive customer data should NOT be treated the same as OS files. Throwing everything together under one usage policy comes from not understanding ANY of computers, data, or security.
Get out. Run while you can!
Then you might as well just have used a password in the first place instead of encryption.
You, sir, are a fucking moron. Please stop posting and do some research before spouting off nonsense.
Oh. Well THAT sounds like a plus.
No. Let me explain to you how this works, with a story link.
Companies are storing more, and more, and more, and more, and more information. About their customers, about their suppliers, about themselves, about employees, about employees' friends, about customers' friends, about customers' employees, etc., etc., etc. It's like a Panopticon Party, and everyone with a datacentre is invited. With hard disc space costs plummeting, processor power rising, and networked recorders becoming ubiquitous, companies and managers everywhere have succumbed to the data deluge, and have meticulously stored and categorized every last bit they can lay their hands on. (For what purpose is a question for another day.)
The result: exabytes of data sitting idle on servers, unencrypted, waiting to be stolen. Predictably it is, usually with nothing more than a USB key, or USB hard disc. The people who pay for such illicit data presumably want it all for something. If the data was even encrypted in the most basic fashion, most of the constant data breaches we hear about would never have occurred.
Companies have two options. First, stop gathering and storing this data. That will never happen. Most companies are data junkies by this point. Secondly: Encrypt. Everything. Everything. Any unencrypted portion of your network is a data breach waiting to happen. Even the slightest crack is a PR disaster waiting to happen. I don't care if it's a telnet client on a headless offline BSD system, sitting in a securely locked room in the basement. Someone WILL find a way to lose data using it.
I applaud the submitter's goal. It is a worthy one, and is likely the only real thing standing between your credit card number and a fraudster's eBay login page. More power to them.
I see this directive a lot. It boils down to "We don't know where our sensitive data is, or don't trust our employees to keep it where it should be, so we're encrypting everything!".
Most of the time when I see this, it's because the person making the directive is responsible for security in some manner but has no experience with risk management and mitigation, so they go for the "all out, definitely safe!" shotgun solution. The problem is there's no such thing!
What risks are you actually attempting to mitigate through encrypting everything, and are you aware of the risks you are creating? These are questions the person who made the directive should be able to answer! For instance, if you are trying to mitigate the "PII/Lost Laptop" risk, why not implement drive encryption on laptops only, and buy USB sticks (such as Ironkey) which guarantee the encryption? If you're trying to stop a malicious insider, no amount of encryption will save you if they've been given the key.
Finally, as others suggested, what's your key management and password management strategy? I -love- TrueCrypt, but I wouldn't suggest it for a whole enterprise without being able to answer the question "How do I recover the key to this workstation when the employee dies unexpectedly of a heart attack?".
Best of luck in your endeavor but remember this rule: When it comes to implementing security, NEVER BE AFRAID TO ASK MORE QUESTIONS - especially about requirements.
When people check data out, though, it has to get stored somewhere. That somewhere might be a local disk, or a USB stick, etc. So those places need to be encrypted if you want to protect against loss/theft.
Your server can be sufficiently protected (physically and virtually) that it does not need the drives encrypted - encryption does not protect against over-the-wire attacks anyways. While it is probably unreasonable to protect EVERY PC from being stolen, it is not unreasonable to protect servers from being stolen - e.g., an alarm that goes off way before anyone gets near the server room. 24/7 guards, if you can afford it, etc.
I've used these products for a long time. (There are others; look around.) I suggest you phase 'em in over the next three years, by which time you'll have replaced everything. After all, you already have a budget for replacing all hardware over the next few years, right? Beyond that, remote, enterprise-quality tools for managing this hardware can be *very* pricey add-ons, but if you build your work processes right, there may be little or no need for them.
That just leaves writing to CDs/DVDs. There are open-source packages such as TrueCrypt. If you're already running WinZip, it'll do the same for removable media, allowing your users to set a specific password for that write then sneakernet the disk wherever it needs to go. If you want to force all writes to optical media to be encrypted, you'll need to look at something like GuardianEdge Removable for a commercial app or something inventive if you must go open-source.
One last thought: If your data is so important, so valuable, or so legally regulated that you must encrypt *everything*, then you have the money to go open-source, commercial, or whatever works. I see no justification in the submitted question for limiting the choice to open-source software. If you *have* to do this, you *have* to do it right, no matter the cost. If your big guys say they can't afford the cost, then they don't *have* to do it.
6.1a won't even install on my Inspiron 9400, giving me a "memory parity error" on the initial reboot test for full drive encryption.
Have you run memtest86+ and let it go for at least two full tests? Could be one of your sticks is bad.
I second the opinion of the first poster who recommended you wait, for several reasons.
First, most methods of encryption are a pain in the butt. If you want to encrypt only some data, then yes, I would say TrueCrypt. But then it has to be manually un-encrypted before use.
If you want to encrypt whole drives, your network, everything, and have it work transparently, you are in for a headache combined with a nightmare. Headache because getting it set up and working is a major project fraught with problems. Nightmare because you will lose whole drives worth of data when something goes wrong, unless you have a very serious, robust, and reliable backup scheme that you use often.
However, drive manufacturers will be coming out soon with new drives that incorporate DES encryption via hardware. This eliminates the delays and problems with software encryption, and will go a very long way toward making whole-network encryption a lot more practical.
Try keeping a believable pulse, complete with oxygenated blood, going in a removed eyeball.
Try replacing your eyeball, once I've made a functional duplicate, and published the design online.
TrueCrypt in an enterprise? Hahaha!
What happens when somebody loses their password or keyfile? Or you get a subpoena for a laptop or USB key's content?
There are these things you may have heard of, once or twice, but probably don't use based on your comment.
They're called 'backups'. You know, the things you use if somebody drops the laptop while the disk is in use and the heads remove the surface of the platters, or the drive decides it just doesn't want to spin up anymore, or any number of situations.
Start with the laptops, those are your biggest risk area, with the most probability for loss.
Once you have gained experience there, then roll out a major desktop solution.
Finally, do something on your servers; those are the ones with the best physical security already. Usually behind a locked door and bolted down to racks.
In the meantime, if you really care about security, hire someone that can lock down all your infrastructure from intrusion via the network. Empower them to fix your network.
Most of these data breaches come from insiders downloading data to their computers, followed by someone getting access through the boss's computer and leveraging that to get at all the data files.
My company has been running all the machines that aren't at our data center encrypted, starting around August of 2007. On my laptop I honestly just have not noticed the overhead of encryption more than once or twice in that time. When I started it was on a 1.8GHz Pentium M box, so it's even less of a concern with my 2.5GHz Core 2 Duo.
As I said, it's worked out so well that it's now the standard setup on our laptops. The Eee's my wife and I got last week are running encrypted partitions as well.
Before I started, I was worried about the overhead of the encryption, but I was really worried for no reason. I've almost never noticed it, and none of the other folks in my organization complain about it either.
We are using the Linux encryption stuff running under LVM, so our swap is encrypted as well. Everything but /boot is encrypted. We are using "cryptsetup" (dm_crypt) (built into the Ubuntu Hardy and up "alt" installer and Fedora 10 and up). I'd recommend that for the Linux side.
I've heard good things about TrueCrypt, but haven't used it. We don't use Windows or Mac, so the stuff that's built into Linux is our preference.
The dm_crypt stuff includes "LUKS", which allows you to have multiple keys for accessing the data. So you'd probably want to set up a "user key" and "company key" for each system, and if the user forgets their key someone can check out the company key and set a new user key.
So, in that way you don't need to worry about the user forgetting their password.
Also, you still need to have good backups of the file-systems, so if someone does forget their data you can at worst case recover from the most recent backup.
So the worry of losing keys is a no-op. If you don't have good backups, check out backuppc. I've been very impressed with it.
Finally, as far as the other poster saying that it's a "shotgun" approach for people who are too lazy to identify their important data... Do you also try to back up only your most important data? What if someone adds new important data?
I started with only encrypting a part of the system (because full system encryption was difficult to achieve in older Linux releases). The problem is with leakage. As with backups, it's more provably correct to cover more data rather than less.
This is why for backups I only do exclusions instead of listing the data I want to back up. That way if more data gets added, I have to explicitly exclude it for it not to be backed up.
The same thing applies to crypto. Ok, so you encrypt your sensitive data. Do you have updatedb running? Or beagle? If someone looks at the "locate" database of all the files on your system, will that expose something you didn't want exposed? Like the list of your clients? It would for ours, because our document repository has useful file-names. Similar for the beagle database.
What are you leaking that you didn't intend to be?
Just encrypt the whole damn thing.
Sean
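The two-slot layout Sean describes (a user key plus an escrowed company key) and the recovery step when the user forgets their passphrase, as an added shell example that is not from the thread. It assumes cryptsetup with LUKS2 support and uses a file-backed container, so only LUKS header operations run and no root or device-mapper is needed; every passphrase is a constructed sample.

```shell
#!/bin/sh
# Added example: LUKS key slots as "user key" + "company key", then recovery
# by re-keying the user's slot with the company key. Header-only operations on
# a sparse file; no root, no device-mapper. Assumes cryptsetup (LUKS2).
set -eu

# Cheap PBKDF so the demo finishes in seconds. Never do this on a real volume.
FASTKDF="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"

# Returns 0 when the passphrase in file $2 unlocks container $1 (no activation).
luks_can_open() {
    cryptsetup open --test-passphrase --disable-locks --key-file "$2" "$1" >/dev/null 2>&1
}

# Prints "ok" on success, "skip" if cryptsetup is absent, "fail-*" otherwise.
luks_recovery_demo() {
    if ! command -v cryptsetup >/dev/null 2>&1; then
        echo skip; return 0
    fi
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    img="$work/volume.img"
    truncate -s 64M "$img"          # sparse; LUKS2 reserves 16 MiB for its header

    printf '%s' 'user-passphrase-constructed'  > "$work/user.key"
    printf '%s' 'company-escrow-passphrase'    > "$work/company.key"
    printf '%s' 'new-user-passphrase'          > "$work/user2.key"

    # Slot 0: the user's own passphrase.
    cryptsetup luksFormat -q --type luks2 --disable-locks $FASTKDF \
        --key-file "$work/user.key" "$img"
    # Slot 1: the escrowed company key, authorised by the existing user key.
    cryptsetup luksAddKey -q --disable-locks $FASTKDF \
        --key-file "$work/user.key" "$img" "$work/company.key"

    # The user forgets their passphrase. Helpdesk checks out the company key,
    # retires slot 0 and enrols a fresh user passphrase. Nothing is
    # re-encrypted: every slot wraps the same volume master key.
    cryptsetup luksKillSlot -q --disable-locks --key-file "$work/company.key" "$img" 0
    cryptsetup luksAddKey -q --disable-locks $FASTKDF \
        --key-file "$work/company.key" "$img" "$work/user2.key"

    # Verify: new user key and company key work, the forgotten key does not.
    luks_can_open "$img" "$work/user2.key"   || { echo fail-new; return 1; }
    luks_can_open "$img" "$work/company.key" || { echo fail-company; return 1; }
    if luks_can_open "$img" "$work/user.key"; then echo fail-old; return 1; fi
    echo ok
}
```

The same `luksAddKey`/`luksKillSlot` sequence applies to a real block device; only the PBKDF shortcut and `--disable-locks` are demo-specific.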
memtest86 may be the "hello world" of stress tests, it's true.
I'd like to spew my first slashdot car analogy:
If you run memtest, it might be said that you're doing the equivalent of kicking the tires of your vehicle. However... If the wheels fall off when you kick them, it's a good indication you need new ones. It may not be an "uber stress test" but it is a good way to give it a once-over, doesn't require one to even know what "compile" means, let alone wanting to generate md5 sums to "really thrash your RAM", and can be accomplished in an hour or so, rather than days. Besides, it comes on most LiveCD distros, and is therefore easily accessible to most "normal" people.
In other words, I'm glad you have a good super-duper stress test for your memory, but for those of us who have a life instead of a CS degree, memtest86 is good enough.
TrueCrypt is not the solution you're looking for. For starters, management won't buy into it because TrueCrypt does not have key escrow. Nor does it have any sort of auditing or compliance features, which will be vital in a corporate setting. (For ill or good is a matter of opinion, but the reality is reliable reporting is the key between having a stolen laptop be reported as a property loss, or having to spend thousands on investigating what data was on the laptop, and if there is any chance that PII was on the device, sending out warnings.)
Which means that you'll have to look into other products. Everything is expensive, to varying degrees of expensive. Some solutions are:
Both products work with Seagate's Momentus FDE.3 drives, and will software-encrypt non-FDE drives.
McAfee also offers the ability to lock out USB devices from running on computers (as does a product called Sanctuary, but if you go McAfee, just bite the bullet and use one provider)
As far as speed differences: the Seagate FDE (a SATA drive) on my laptop (a Dell D620, 1.8GHz) is faster, even with the WinMagic management software installed, than the (unencrypted) PATA drive on my Dell GX620 (a 3.0GHz Pentium D). In general you can expect a 10-15% performance decrease with software encryption. How much this affects the user will depend on what they do. The only real way to know is to test.
If you don't ever want to discover that your data is inaccessible, you have to think about whether or not you'll let individual users set any encryption passwords, and how to make sure there's always more than one person who knows any given encryption passwords, and whether or not you'll let all the people who may know a given password get on the same airplane. Because if someone forgets, gets hit by a bus, gets pissed off at the company, etc., you may just find some data just became inaccessible...
Laptops and desktops, sure, but I'd be a bit hesitant about doing this on application servers until I was absolutely sure it wasn't going to cause a nasty performance hit. Furthermore, make sure you've got a very, very good backup strategy first.
I work at a University with a Hospital attached to it:
What are you trying to protect?
Most likely personal identifiable information or personal health information. Could be anything from student records to social security numbers. Protected under state law and HIPAA.
From what? What attacks? What value does it have to the attacker? What value does the secret hold to you? Who are the attackers?
Most likely from loss or theft. The value of that information is 99% zero, but our dear government has requested that all such loss is reported and all those people be informed and given compensation. Mostly it's frothing at the mouth over 'they lost my information, now my identity is stolen', which the media likes to amplify. Usually it's the image of the school/hospital/entity that has to be protected. By encrypting they don't have to disclose or pay anything.
For example if the value of the secret is low to you, then spending money on protecting it is a waste. Encryption costs to buy, costs to run, costs to manage keys, costs in convenience. eg. (Most secrets aren't worth a trip across town because you forgot your keys once)
Yes, implementing a freaking department to handle it and spending $1m on an all-covering solution is very wasteful. But it has to be done, the big wigs think it's absolutely necessary since some vendor or lawyer has told them. It also increases budgets and manpower in IT so they don't complain either.
If the attackers are internal, (they usually are), then encryption buys you nothing.
Yes, because the encryption doesn't work on your home computer (although you have licenses for it, people don't want to install it). So the users copy it on a personal external hard drive or USB stick which is usually lost, and since it wasn't officially purchased and formatted by your IT department they don't know, they don't have to disclose, and if it ever gets high enough up the chain to cause commotion all the end user gets is at most a stern lecture about not doing that again.
If the value of the secret is large and the attackers have physical access, then encryption is the strongest link in a very weak chain.
Not only that, the passwords for the users that actually need encryption (enrollment, HR, doctor offices) are generally very weak, shared or have a post-it to the device so if the attacker really wanted, they could use a day of dictionary-based brute forcing and usually you'll have a result.
If many people have access to the secret, then social engineering will weasel it out no matter what your encryption.
Of course, but that doesn't matter. You have it encrypted so as long as nobody tells or goes public that they have the freaking thing decrypted (which attacker would acknowledge that anyway - PATRIOT act?) no disclosure is necessary.
If the attackers are evil and powerful, then encryption is a red flag to very Bad Bulls. You're better off with more primitive methods that require real humans to eyeball it.
I don't know what you mean exactly.
Are there any theories as to why this is?
I don't understand what the 'Foundation' would stand to gain from this sort of behavior. It is an open source / free app., and they aren't selling anything. Not that that is an excuse.
I knew something was up when the Truecrypt forums were down for weeks, prior to the 6.0 release. No real reason given, but screw anyone who needed info in the mean time.
No, I'm complaining that TrueCrypt doesn't include a scalable mechanism for escrowing private keys in an organization.
I can deploy a FIPS-compliant, secure encryption solution from McAfee, Pointsec, PGP, WinMagic, and others, and still meet my legal and fiduciary responsibilities.
Read the source and compile it for yourself if you don't trust it. Asshole.