Slashdot Mirror


How To, When You Have To Encrypt Absolutely Everything?

Dark Neuron writes "My institution has thousands of computers, and is looking at starting an IT policy to encrypt everything, all hard drives, including desktops, laptops, external hard drives, USB flash drives, etc. I am looking at an open source product for Windows, Mac, UNIX, as well as portable hard drives, but I am concerned about overhead and speed penalties. Does anyone have experience and/or advice with encrypting every single device in a similar situation?"


  1. TrueCrypt or Wait for On Drive Upgrades by eldavojohn · · Score: 5, Informative

    I am looking at an open source product for Windows, Mac, UNIX, as well as portable hard drives ...

    I think you're going to find most people advising you to choose TrueCrypt which boasts:

    I think they're on version 6.1a and I have been impressed with them. You may want to try benchmarking the various encryption algorithms it offers.

    ... but I am concerned about overhead and speed penalties.

    Aren't we all. I mean, no one wants an Office Space like scenario where every day before you leave you have to wait for the damn little bar to cross the screen to save your progress for the day. You have another option which is to wait until the drive manufacturers build all that into the hardware's firmware so that it is as fast as they can make it.

    I wouldn't recommend waiting that long, however.

    Here's my formal suggestion: do a small test on a few users or even a few devices no one depends on, some USB drives, etc. Use them yourself and see what kind of overhead (for both user and device) we're talking about here. Then weigh that with how much comfort you get with universally encrypting everything. If A is greater than B (with a sinister sounding name like 'Dark Neuron' who knows?), draft up a plan. Otherwise, just wait until you have the funds to upgrade the hard drives to those with the built in encryption.

    I do not know for certain but I do not believe there is a painless push-across-the-network way to do this ... I also would feel very uneasy if someone assured me they had a method to do that. Drive encryption is one of those seemingly trivial but necessary reasons why companies have many system administrators and not some automagical solution.

    --
    My work here is dung.
    1. Re:TrueCrypt or Wait for On Drive Upgrades by Hal_Porter · · Score: 5, Funny

      Coming from an Org that encrypts everything

      Tom Cruise? Is that you?

      --
      echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
    2. Re:TrueCrypt or Wait for On Drive Upgrades by KookyMan · · Score: 5, Interesting

      In addition, the TrueCrypt user community lately is getting the shaft from the "TrueCrypt Foundation".

      Case in point, if you visit their forums, starting about 6 months ago, around the time of release of v6, the forum administrators now delete anything "critical" of TrueCrypt. Basically, you're only allowed to discuss the positives of the software, or problems with the intended operation of it. Any "bugs" or "weaknesses" mentioned result in having the thread either locked, more than likely deleted, and if you push an issue, open a second thread on a 'deleted thread' you're likely to have your account locked.

      5.1a was the last version released before this new policy of "only positives". Not to mention that the forums are already so heavily locked down (No public email addresses to register accounts, no private messages on the board, no threads that are not 'on topic'). Some of us tried (semi-successfully) to have frequent contributors meet over on Wilder's Security forums. (http://www.wilderssecurity.com/) Difficult though since they started deleting our postings since they weren't on topic, and private messages are impossible.

      Sadly, as a result of this, I used to heavily endorse TrueCrypt, but I can no longer stand behind them until they let the community get re-involved, for the good and the bad.

    3. Re:TrueCrypt or Wait for On Drive Upgrades by TheCabal · · Score: 5, Informative

      A simple perusal of their website reveals:

      Q: We use TrueCrypt in a corporate/enterprise environment. Is there a way for an administrator to reset a volume password or pre-boot authentication password when a user forgets it (or loses a keyfile)?

      A: Yes. Note that there is no "back door" implemented in TrueCrypt. However, there is a way to "reset" volume passwords/keyfiles and pre-boot authentication passwords. After you create a volume, back up its header to a file (select Tools -> Backup Volume Header) before you allow a non-admin user to use the volume. Note that the volume header (which is encrypted with a header key derived from a password/keyfile) contains the master key with which the volume is encrypted. Then ask the user to choose a password, and set it for him/her (Volumes -> Change Volume Password); or generate a user keyfile for him/her. Then you can allow the user to use the volume and to change the password/keyfiles without your assistance/permission. In case he/she forgets his/her password or loses his/her keyfile, you can "reset" the volume password/keyfiles to your original admin password/keyfiles by restoring the volume header from the backup file (Tools -> Restore Volume Header).

      Similarly, you can reset a pre-boot authentication password. To create a backup of the master key data (that will be stored on a TrueCrypt Rescue Disk and encrypted with your administrator password), select 'System' > 'Create Rescue Disk'. To set a user pre-boot authentication password, select 'System' > 'Change Password'. To restore your administrator password, boot the TrueCrypt Rescue Disk, select 'Repair Options' > 'Restore key data' and enter your administrator password.
      Note: It is not required to burn each TrueCrypt Rescue Disk ISO image to a CD/DVD. You can maintain a central repository of ISO images for all workstations (rather than a repository of CDs/DVDs). For more information see the section Command Line Usage (option /noisocheck).

      Seriously, a little research isn't hard.
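The header-backup reset quoted in the FAQ above works because the password only protects the header, and the header holds the master key. The following is an added example, not part of the original comment and not TrueCrypt's code or on-disk format: the XOR wrap, header layout, PBKDF2 parameters, function names and passwords are all simplified, constructed stand-ins.

```python
import hashlib, hmac, secrets

def _keys(password: str, salt: bytes):
    # Header key derived from the password (iteration count is illustrative).
    k = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 50_000, dklen=64)
    return k[:32], k[32:]          # (wrapping key, integrity key)

def make_header(password: str, master_key: bytes) -> bytes:
    """Wrap the 32-byte master key under a password; returns salt|wrapped|tag."""
    salt = secrets.token_bytes(16)
    wrap_key, mac_key = _keys(password, salt)
    # Toy wrap: XOR with a one-time derived key (fresh salt per header).
    wrapped = bytes(a ^ b for a, b in zip(master_key, wrap_key))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return salt + wrapped + tag

def open_header(password: str, header: bytes):
    """Return the master key, or None if the password does not fit this header."""
    salt, wrapped, tag = header[:16], header[16:48], header[48:]
    wrap_key, mac_key = _keys(password, salt)
    expect = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, wrap_key))

def demo() -> dict:
    master_key = secrets.token_bytes(32)       # encrypts the data; never changes
    header = make_header("admin-pass", master_key)   # constructed passwords
    backup = header                            # "Backup Volume Header"
    # User changes the password: same master key, re-wrapped under the new one.
    header = make_header("user-pass", open_header("admin-pass", header))
    admin_locked_out = open_header("admin-pass", header) is None
    # User forgets the password: admin restores the saved header.
    header = backup                            # "Restore Volume Header"
    return {
        "admin_locked_out_after_change": admin_locked_out,
        "admin_works_after_restore": open_header("admin-pass", header) == master_key,
        "user_password_dead_after_restore": open_header("user-pass", header) is None,
        "backup_still_opens_master_key": open_header("admin-pass", backup) == master_key,
    }

if __name__ == "__main__":
    print(demo())
```

Because the master key never changes, a saved header plus the admin password opens the volume no matter how often the user changes their own password, so header backups and Rescue Disk images need the same protection as the keys themselves.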

  2. Don't. by spikenerd · · Score: 5, Insightful

    "Security" that gets in people's way is a security threat, because people will find a way to work around it, and be worse off because of it. Never try to lock down everything, or you'll have no control over what is compromised. Figure out what you really need to secure, and lock that down. Really. Trying to secure everything is a sure sign that someone lacks the knowledge to make security decisions.

  3. TrueCrypt by Anonymous Coward · · Score: 5, Insightful

    You want TrueCrypt.

    It's probably better than a hardware solution. They keep screwing up and snake-oiling the hardware ones, but you can audit TrueCrypt (and people have), and pre-boot authenticated system drive encryption is pretty much what you want.

    As for speed... I don't know what you're worried about. AES-256-XTS (best-in-breed, the new standard, which TrueCrypt pioneered and uses) runs at over 150MB/sec in benchmark, and that's on one core. Your hard disk very probably doesn't run that fast.

    All our machines are encrypted using similar means, and we've never experienced any problems with performance.

    PGP's Whole Disk Encryption isn't as good - that kept stalling in kernel mode under XP, causing hiccups on lots of disk accesses; and eventually the driver bluescreened on every boot and there was absolutely no way we could get it back, which lost us terabytes of data... but TrueCrypt has caused us no such problems, and costs nothing. (If it worked with the leftover eTokens from our earlier PGP deployment, it'd be perfect.)

    1. Re:TrueCrypt by timeOday · · Score: 5, Interesting

      My problem with TrueCrypt - and all software solutions - is how do they handle suspending a laptop to RAM? Apparently the keys are not overwritten in RAM until you unmount the partition, which means closing down all applications that access the sensitive data. I couldn't live with that. Instead the apps should be suspended, the encryption keys overwritten, and the apps not resumed until after the user inputs the password upon resume.

  4. Re:Hard Drive Encryption - Theory vs. Reality by Sancho · · Score: 5, Funny

    Of course, if you're using Truecrypt, they won't know when to stop hitting you.

  5. Re:Yeah... by quickOnTheUptake · · Score: 5, Informative

    I've heard that full fs encryption on higher end computers has a negligible performance impact (cpu can generally keep up with the hdd) but on lower end machines esp. netbooks, the performance impact can be appreciable. Here is an article with benchmarks

    --
    Mod points: Guaranteed to remove your sense of humor.
    Side effects may include gullibility and temporary retardation
  6. Re:Yeah... by Lumpy · · Score: 5, Interesting

    How about the following...

    "My presentation is on this drive and I forgot the password, get my files for me!"

    Users don't like it when you say, "Sorry, but unless you remember your password all your files on that drive are gone forever."

    That stopped it at my last IT gig, I mentioned that response to the CTO and he said...

    "Oooh, did not think of that. Let's skip encryption."

    --
    Do not look at laser with remaining good eye.
  7. Theory vs. Reality - Seriously by BenEnglishAtHome · · Score: 5, Insightful

    That comic has been making the rounds. It's cute, but not applicable.

    If the submitter is in an organization with thousands of machines, the notion that any user will be required to keep their password confidential in the face of torture is laughable. That's for specially trained operatives, soldiers, and other assorted heroes. Those of us in the normal world will probably adopt a more rational perspective. If someone were crazy enough to steal one of our laptops, simultaneously snatch the user, and threaten them with torture, our folks know to give up all passwords, immediately. We're only required to keep data confidential where it is reasonable to do so. When floods sweep away your car, wave goodbye to your laptop in the trunk. When someone threatens you physically, tell 'em what they want to hear.

    Our people are more important than our data. Our people are more important than the public's data. If we lose a chunk of data, we have ways to reconstruct what was lost and mitigate damage. If we lose an employee, there is no way to achieve a good outcome.

    Reasonable?

    1. Re:Theory vs. Reality - Seriously by SpottedKuh · · Score: 5, Informative

      The point of the comic is that there's no *practical* difference between, say, 128-bit encryption and 4096-bit encryption [...]

      There's a huge difference. When you see numbers like "128-bit," you're dealing with a symmetric encryption algorithm (e.g., AES). When you see numbers like "4096-bit," you're dealing with an asymmetric algorithm (e.g., RSA).

      See the NIST Recommendation for Key Management (PDF), page 63. For example, to get RSA that is "equivalently" secure (for some predicted meaning of equivalent) to AES-128, you need a 3072-bit key. The table is explained on page 62.

      As an aside, the comparably small key sizes that asymmetric elliptic curve cryptography (ECC) can use, illustrated on page 63, are one of the reasons that ECC is so valuable.

  8. ROT 26 by spike2131 · · Score: 5, Funny

    Tell the suits you are implementing state-of-the art ROT-26 encryption on everything. Take a month off. Come back, pronounce it complete, and ask for a raise.

    --
    SpyDock: Scientific Python in a Docker container
  9. Re:Have fun with management by cs02rm0 · · Score: 5, Funny

    Maybe it's just the corporate environment that I'm in and please I would love to be wrong. But from what I can tell a good number of open sourced products just don't scale up to the enterprise level.

    There aren't any tools that manage them centrally and allow for compliance and auditing.


    Crap. Has anyone told Google yet? Best get them to switch to Windows quickly!

  10. Re:Key Management? by MobyDisk · · Score: 5, Funny

    To empower individuals to utilize synergistic approaches to achieve goals and exceed expectations. :)

  11. PLAESE BACK UP FRIST!!! by linhares · · Score: 5, Funny

    Plase back everything up frist! Send it to us at editor@wikileaks.org and we'll store that data for you for free. We have mirror sites to protect the data; just send it before encrypting it.

  12. You're still missing the point. by Estanislao Martínez · · Score: 5, Informative

    Hard drive encryption isn't meant to protect against social engineering attacks. It's meant to protect against attacks that don't require social engineering, like stealing or cloning a database server's drives for the information. More than anything, it's meant to provide reasonable assurance that if one of your employees' computers gets stolen by a common thief who just wants to sell it for the cash value, somebody else down the line won't be able to read the data in the drive and take advantage of it.