Slashdot Mirror


How To, When You Have To Encrypt Absolutely Everything?

Dark Neuron writes "My institution has thousands of computers, and is looking at starting an IT policy to encrypt everything, all hard drives, including desktops, laptops, external hard drives, USB flash drives, etc. I am looking at an open source product for Windows, Mac, UNIX, as well as portable hard drives, but I am concerned about overhead and speed penalties. Does anyone have experience and/or advice with encrypting every single device in a similar situation?"

4 of 468 comments

  1. Re:Yeah... by number11 · · Score: 4, Interesting

    you may want to only encrypt parts of your hard disk as encrypting the whole disk will impact performance.

    Yeah, but if you're running Windows, be sure to get the swap file (depending on security concerns, maybe having Win zero the swap file at shutdown might be enough) and all that crap in Documents and Settings. If concerns run to file/folder names, don't forget the MRU lists. I do have a Truecrypt partition, but regularly find bits and pieces of stuff scattered here and there on C: unencrypted.

    Win does not segregate data in a helpful fashion. If my security concerns were serious, I wouldn't dare anything less than whole disk encryption. Actually, I'd probably stop using Windows.

  2. Re:Yeah... by Lumpy · · Score: 5, Interesting

    How about the following...

    "My presentation is on this drive and I forgot the password, get my files for me!"

    Users don't like it when you say, "Sorry, but unless you remember your password all your files on that drive are gone forever."

    That stopped it at my last IT gig, I mentioned that response to the CTO and he said...

    "Oooh, did not think of that. Let's skip encryption."

    --
    Do not look at laser with remaining good eye.

  3. Re:TrueCrypt or Wait for On Drive Upgrades by KookyMan · · Score: 5, Interesting

    In addition, the TrueCrypt user community lately is getting the shaft from the "TrueCrypt Foundation".

    Case in point, if you visit their forums, starting about 6 months ago, around the time of release of v6, the forum administrators now delete anything "critical" of TrueCrypt. Basically, you're only allowed to discuss the positives of the software, or problems with the intended operation of it. Any "bugs" or "weaknesses" mentioned result in having the thread either locked, more than likely deleted, and if you push an issue, open a second thread on a 'deleted thread' you're likely to have your account locked.

    5.1a was the last version released before this new policy of "only positives". Not to mention that the forums are already so heavily locked down (No public email addresses to register accounts, no private messages on the board, no threads that are not 'on topic'). Some of us tried (semi-successfully) to have frequent contributors meet over on Wilder's Security forums. (http://www.wilderssecurity.com/) Difficult though since they started deleting our postings since they weren't on topic, and private messages are impossible.

    Sadly, as a result of this, I used to heavily endorse TrueCrypt, but I can no longer stand behind them until they let the community get re-involved, for the good and the bad.

  4. Re:TrueCrypt by timeOday · · Score: 5, Interesting

    My problem with TrueCrypt - and all software solutions - is how do they handle suspending a laptop to RAM? Apparently the keys are not overwritten in RAM until you unmount the partition, which means closing down all applications that access the sensitive data. I couldn't live with that. Instead the apps should be suspended, the encryption keys overwritten, and the apps not resumed until after the user inputs the password upon resume.
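
The suspend handling asked for in the last comment above, sketched as an added example (not TrueCrypt's code and not part of the thread): the key is overwritten on suspend and I/O stays blocked until the password is entered again on resume. The struct, the function names, the FNV-based `toy_kdf` and the XOR cipher are hypothetical stand-ins for a real KDF, header check and cipher.

```c
#include <stdint.h>
#include <string.h>
#define KEY_LEN 32
struct volume {              /* hypothetical: key is in RAM only while unlocked */
    uint8_t key[KEY_LEN];
    uint32_t check;          /* toy check value recorded at first mount */
    int unlocked;            /* 1 = key present, I/O allowed */
};
/* Wipe through a volatile pointer so the stores cannot be optimized away. */
static void secure_wipe(void *p, size_t n) {
    for (volatile uint8_t *v = p; n--; ) *v++ = 0;
}

/* TOY derivation (FNV-1a rounds), standing in for a real password KDF. */
static uint32_t toy_kdf(const char *pw, uint8_t out[KEY_LEN]) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < KEY_LEN; i++) {
        for (const char *c = pw; *c; c++) { h ^= (uint8_t)*c; h *= 16777619u; }
        out[i] = (uint8_t)(h >> 24);
    }
    return h * 16777619u;    /* toy check value to reject a wrong password */
}

/* First mount: derive the key and remember the check value. */
void volume_setup(struct volume *v, const char *pw) {
    v->check = toy_kdf(pw, v->key);
    v->unlocked = 1;
}
/* Suspend hook: block I/O, then destroy the key while RAM stays powered. */
void volume_suspend(struct volume *v) {
    v->unlocked = 0;
    secure_wipe(v->key, KEY_LEN);
}

/* Resume hook: I/O stays blocked until the password re-derives the key. */
int volume_resume(struct volume *v, const char *pw) {
    uint8_t tmp[KEY_LEN];
    int ok = (toy_kdf(pw, tmp) == v->check);
    if (ok) { memcpy(v->key, tmp, KEY_LEN); v->unlocked = 1; }
    secure_wipe(tmp, sizeof tmp);
    return ok ? 0 : -1;
}

/* Toy XOR "cipher" for sector I/O; refuses to run while the key is wiped. */
int volume_io(const struct volume *v, uint8_t *buf, size_t n) {
    if (!v->unlocked) return -1;
    for (size_t i = 0; i < n; i++) buf[i] ^= v->key[i % KEY_LEN];
    return 0;
}
```

Between `volume_suspend` and a successful `volume_resume`, a copy of RAM contains no key bytes, and applications that touch the volume get an error instead of data.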