Your laptop encryption of choice?

TechieSooner (Supreme [H]ardness; joined Nov 7, 2007; 7,601 messages)
Just curious what you all use for your laptop encryption.

If it's stolen, I don't want company data in the hands of someone else.

Couldn't care less about the data itself (it's all backed up).

I'm looking for something that's the entire disk and transparent to the user (The most it should do is ask for the encryption password before booting).

Don't want it to integrate into the Windows SAM because that can be cracked so easily...
 
I encrypted my old laptop with TrueCrypt; it was pretty sick for a little while until I got tired of entering the password just to boot it up.
 
http://www.credant.com/

I'm currently deploying this at work for our ~850 laptop users. We're using the CMG Enterprise Edition. Centrally managed and integrated with our AD, small SQL server database, file-based not full disk (although it can do full disk but file-based makes it more customizable to your environment), can do USB devices and even smart phones (YMMV on the type of device). I integrated it with our Altiris environment for the deployment of the agent. Works nicely.

So far it's working really well for us instead of a full disk solution.
 
> I encrypted my old laptop with TrueCrypt; it was pretty sick for a little while until I got tired of entering the password just to boot it up.
I had thought about that, but two things...
1) Won't encrypt RAM that's in-use
2) Being OpenSource/Free/Community driven, if interest dies off, so does the product...

> http://www.credant.com/
>
> I'm currently deploying this at work for our ~850 laptop users. We're using the CMG Enterprise Edition. Centrally managed and integrated with our AD, small SQL server database, file-based not full disk (although it can do full disk but file-based makes it more customizable to your environment), can do USB devices and even smart phones (YMMV on the type of device). I integrated it with our Altiris environment for the deployment of the agent. Works nicely.
>
> So far it's working really well for us instead of a full disk solution.

My issue with that is my users save files EVERYWHERE. From a backup perspective, I don't care (If they don't save it where I say to, they're SOL) but from a data perspective, I don't want someone else finding the files.

I'd probably just be looking at the stand-alone editions. Set up an admin password for myself (in case they forget theirs) and then have the user set up their own...

I'll give these folks a call!
 
> My issue with that is my users save files EVERYWHERE. From a backup perspective, I don't care (If they don't save it where I say to, they're SOL) but from a data perspective, I don't want someone else finding the files.

Techie, this product encrypts based upon file extension; it's that granular. So it does not matter if they put .doc files in the Windows\system32 directory, they will be encrypted. There's even a utility to run on the machine that shows you all the files that are encrypted and where they are on the machine.

Our policy covers as many file extensions as we can think of. Obviously there's a flaw with that, as you can't possibly cover all the extensions and you'll eventually find one you don't. Find a new one that's not done? No problem: update the policy on the central server, and all the clients are updated. We even have a policy proxy in our DMZ that talks to our agents over the Internet. So if you have someone out of town, they only need to connect to the Internet to get the new policy. Take it for a spin, I think you'll find it rather nice. If you have questions I can help as needed. :)
 
I can't just say everything below C:\ ??

My question is, being I'm looking at the Standalone, I won't have a central server. So if I've got to do it on file extensions, I'd have to touch each client?
 
> I can't just say everything below C:\ ??
>
> My question is, being I'm looking at the Standalone, I won't have a central server. So if I've got to do it on file extensions, I'd have to touch each client?

In the Enterprise version, yes: I can specify a folder/drive and say "anything in here, encrypt."

Edit: looking at the site it looks like the policy is pre-configured for the package, however what the policy is I'm not aware of.

http://www.credant.com/products/cmg-standalone-edition.html
 
> I had thought about that, but two things...
> 1) Won't encrypt RAM that's in-use
> 2) Being OpenSource/Free/Community driven, if interest dies off, so does the product...

1) I don't know of any disk encryption product that can encrypt RAM. Correct me if I'm wrong, but I always figured that RAM encryption would have to happen at the hardware or OS level.

2) TrueCrypt is massively popular, so it's not going to die anytime soon.
 
One thing I have liked about TrueCrypt... Looks like I can create a rescue disk for each laptop and store them in a safe or something. Not sure if these other packages have that or not.

Also my second question on TrueCrypt would be... any hit in performance?
 
I've never encrypted the boot drive (TrueCrypt can do that); however, I have been using TrueCrypt for several years w/ great success and no issues. I basically create an encrypted volume on every removable device I have as well as my personal documents folder on my laptop. I don't notice a performance hit when reading/writing encrypted data to the volume.
 
My company uses Safeboot, or McAfee Endpoint Encryption now. While the Device Encryption works well, I would not recommend the Content Encryption, or what they're now calling File and Folder Encryption. FFE basically encrypts any data that you copy to CD, USB, or over network and makes it unusable on any computer that doesn't have Safeboot - while it sounds good in concept, they just can't seem to get it right yet.
 
I went to Credant's website to do the Live Chat, and the first thing they said was "Do you have a phone # I can call you at?" :rolleyes: .... Why the hell do you offer Live Chat then?

That and I guess their Level 1 sales guys don't have pricing, so I'm waiting on a callback from an account manager or something... I dunno... Too much runaround for me, I've already written them off.


I guess I could get TrueCrypt and give it a shot on a test laptop first.
Biggie for me is how well the rescue disk works, so I'll see about that.
Any way to assign two passphrases to one TrueCrypt volume? One admin and one for the user?

AaronEarles,
Yea, that Safeboot doesn't sound like it's for me.
 
> I went to Credant's website to do the Live Chat, and the first thing they said was "Do you have a phone # I can call you at?" :rolleyes: .... Why the hell do you offer Live Chat then?
>
> That and I guess their Level 1 sales guys don't have pricing, so I'm waiting on a callback from an account manager or something... I dunno... Too much runaround for me, I've already written them off.
>
> I guess I could get TrueCrypt and give it a shot on a test laptop first.
> Biggie for me is how well the rescue disk works, so I'll see about that.
> Any way to assign two passphrases to one TrueCrypt volume? One admin and one for the user?
>
> AaronEarles,
> Yea, that Safeboot doesn't sound like it's for me.

lol Techie, sorry.
 
It's not your fault, lol... When I'm ready to get something implemented NOW and willing to spend money, I sure as hell don't want to be given the run around. But I'm not a fan of sales people anyway, so I'm biased I guess.

Only question with TrueCrypt: is it possible to use two passwords?
 
I did not notice a difference in performance while my laptop was encrypted, and I do not believe you can have multiple passwords but it has been a while so I may be wrong.
 
> I did not notice a difference in performance while my laptop was encrypted, and I do not believe you can have multiple passwords but it has been a while so I may be wrong.

I doubt you can, was just wondering if they had a way (two passphrases would require two different encryption sets, I'd think).
 
I applaud you finding a solution for your laptops. Too many times I've read about company laptops with customer information being lost and stolen and exposing hundreds and thousands of people's info.

I use TrueCrypt with full disk encryption. I have not noticed a significant performance decrease. It's a little tedious entering in a password on every boot, but there has always been a balance between convenience and security.
 
> I doubt you can, was just wondering if they had a way (two passphrases would require two different encryption sets, I'd think).

Not sure what you're trying to do, but I think you can set it up to use a password and require a key from a flash drive, if you are trying to increase security. If you are trying to have multiple users, I have doubts about that. You could also go directly to the TrueCrypt forums for more info.

As for performance, in most cases a modern processor should be able to encrypt and decrypt faster than the hard drive can transfer data, so it shouldn't cause any slowdown. I have been using it for well over a year and have no complaints.
 
> I applaud you finding a solution for your laptops. Too many times I've read about company laptops with customer information being lost and stolen and exposing hundreds and thousands of people's info.
>
> I use TrueCrypt with full disk encryption. I have not noticed a significant performance decrease. It's a little tedious entering in a password on every boot, but there has always been a balance between convenience and security.
Yea, I just heard about a hard drive being lost from the National Archives too :eek:

Luckily this is the first laptop lost since I've been overseeing IT, so it's not a huge deal... And thankfully we don't store individual's info on anything but our servers, so worst-case was just customer information/prices/etc.

I'm definitely going to do this 100% from a laptop standpoint. Haven't decided on the desktops yet, or maybe just do desktops at remote locations. Not entirely sure yet.

Part of my issue with doing desktops too is since it encrypts Windows itself, I can't use rescue tools so easily. I think instead of repairing Windows I'll be doing more re-installs, due to the fact I cannot boot from a CD to repair Windows anymore.

> Not sure what you're trying to do, but I think you can set it up to use a password and require a key from a flash drive, if you are trying to increase security. If you are trying to have multiple users, I have doubts about that. You could also go directly to the TrueCrypt forums for more info.
>
> As for performance, in most cases a modern processor should be able to encrypt and decrypt faster than the hard drive can transfer data, so it shouldn't cause any slowdown. I have been using it for well over a year and have no complaints.
Well, I was kind of wanting to have 1 administrative password for if they forgot, and then 1 password that the user knows. But alas, I think my way around this is using the rescue disk, plus having them disclose the original password to me. That way, worst-case, I can hopefully restore the original password and then look up what they gave me to restore it.


I forgot that it works inside of RAM using the processor, didn't think of that, so yea I'd imagine it's pretty fast. Still have yet to try the "secure wipe + encryption" initially, I'd imagine that might take about 8 hours on a pre-established notebook.
 
And remote reboots kinda suck too... Meaning I've got to have the user there to log it back on.
 
What's the setup like for TrueCrypt full disk? I only messed with folder encryption for a flash drive.

Does it require a boot-up password?

sucks for doing things like LMI Rescue, end user has to always be around =(

I guess another way would be Terminal Services for the laptops, make em connect on laptop and then VPN and TS to server for work.
 
> What's the setup like for TrueCrypt full disk? I only messed with folder encryption for a flash drive.
>
> Does it require a boot-up password?
Yea. Other than that, the end-user won't notice it. I even did some research in their forums, and apparently once that full-disk is set up, you can actually delete the TrueCrypt.exe file, so there's not even a tray icon running.

From an administrative point, took about 5 minutes. Just tell it to encrypt the whole disk, generate your password, etc. Create rescue disk, reboot, and then it starts encrypting.

> sucks for doing things like LMI Rescue, end user has to always be around =(
Yup. Used to be that if a client had an update that wouldn't auto-apply (like a SP), I'd RDP in some evening and do it manually.

However after constantly saying to "install all updates that come across the little Windows Shield", if they fail to do that on their time, I guess that's their issue, not mine. They can do it themselves or if they fail to do so, I get to disrupt their work during the day.

> I guess another way would be Terminal Services for the laptops, make em connect on laptop and then VPN and TS to server for work.
On paper, that's fine.
But what are your chances they'd actually keep stuff stored on the server like they should? Slim to none.
And what if they need access to something while being disconnected (like an Excel sheet)??? Offline files is a handy feature then...
 
Theoretically you can have two passwords with TrueCrypt, though it's kind of a hack. Basically, you set up full-disk encryption and you set the boot password to what you want your "admin" password to be (or whatever password you won't normally use). Burn a rescue disk. Then change the boot password to the 'normal' password.

When you want to boot using the 'admin' password you'll boot using the rescue disk.

I haven't tried this out but it theoretically should work. I don't know if the rescue disk automatically fixes the hard drive's boot sector or if it gives you an option. Doing so will replace the hard drive's boot loader with the one on CD - so you're essentially resetting the password.

The only other way to have two passwords would be to have separate OSes - either a decoy/hidden OS setup or dual/multi boot.
 
^^^ Yea, I'd imagine that could work too. My only downside on that would be documentation purposes, makes things a bit more confusing.
 
All this talk about TrueCrypt really makes Safeboot look good, at least from a management standpoint. We encrypt all desktops and laptops; you assign users from the management console, so our Internal Network Service group has access to every PC, then the end user. It pulls its user database from Active Directory, but other than importing usernames, they are completely separated.
 
> All this talk about TrueCrypt really makes Safeboot look good, at least from a management standpoint. We encrypt all desktops and laptops; you assign users from the management console, so our Internal Network Service group has access to every PC, then the end user. It pulls its user database from Active Directory, but other than importing usernames, they are completely separated.

Does it pull their passwords too? The problem with that is Windows is so easily hacked that any cached usernames/passwords used on Windows can be discovered.

Also, it appears Credant prides itself on not encrypting the OS (i.e., you can boot from a LiveCD to fix it). It's actually turning out to be a bad thing. Anyone hear of KonBoot??? It replaces some of Windows' kernel files at bootup (just in RAM), transparent to the OS. You can then log in as any user you freakin' want with any password you want. An encrypted OS would prevent that from happening.
 
No, it only imports usernames, and you set their default password, which of course they are required to change. Safeboot encrypts everything, but has live CDs for repair/recovery; there is a BartPE plugin so you can customize your live CD, open "wintech" (the PE plugin app) and unlock the disk for access.
 
> No, it only imports usernames, and you set their default password, which of course they are required to change. Safeboot encrypts everything, but has live CDs for repair/recovery; there is a BartPE plugin so you can customize your live CD, open "wintech" (the PE plugin app) and unlock the disk for access.
Other than the AD integration: That's the same way TrueCrypt works :) But free :)
 
TrueCrypt has a management console where you can assign a single user, or a group of users to have access to a computer?
 
I said other than that Active Directory stuff, including the management console; obviously it doesn't have that.

As for everything else, TrueCrypt works too.

My thing with management consoles is I don't want to touch the client if I'm using a console. I'd still have to do that with something like Credant or Safeboot, at least for current users. On new machines there wouldn't be a problem; for current users they'd still need to be hand-held to create a new password, make sure the initial encryption is going, etc.
 
I don't ever touch the end user's computer after I deploy it (unless of course it's just easier to do so). I log in to the console and can make changes to their configuration, then right click and sync. They sync every 30 mins anyway when they are connected locally or over VPN. If the user forgets their password while the PC is at the pre-boot screen (no network access), I open the console and have them read me a recovery code; I then read back two response codes and they are in, and able to reset the password.

I perform the initial encryption during the staging process, before deployment. Once it's fully encrypted (2 hours or so) and synchronizing happily, I can kick it out to the user.
 
> I don't ever touch the end user's computer after I deploy it (unless of course it's just easier to do so). I log in to the console and can make changes to their configuration, then right click and sync. They sync every 30 mins anyway when they are connected locally or over VPN. If the user forgets their password while the PC is at the pre-boot screen (no network access), I open the console and have them read me a recovery code; I then read back two response codes and they are in, and able to reset the password.
>
> I perform the initial encryption during the staging process, before deployment. Once it's fully encrypted (2 hours or so) and synchronizing happily, I can kick it out to the user.

What's it syncing?

Also, sounds like it just builds in multiple passcodes at the initial setup? Not sure how else you'd decrypt it without network access, but sounds like a potential area you could crack.
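The "multiple passcodes" question here, the earlier guess that two passphrases would need "two different encryption sets", and the rescue-disk password-reset hack all come down to the same design: the disk is encrypted once under a random master key, and each passphrase only unlocks its own header slot that wraps that master key. The sketch below is an added illustration written for this thread, not TrueCrypt's, Safeboot's or Credant's code; the slot layout, labels and passphrases are constructed, and AES key wrap is replaced with an HMAC-SHA256 one-block wrap plus MAC so it runs on the Python standard library alone.

```python
"""Two passphrases, one encrypted volume: a key-slot sketch (added example).

The volume's data is encrypted under one random master key. Each passphrase
(user, admin, recovery) derives a slot key that wraps that same master key,
so adding or revoking a passphrase rewrites a few hundred header bytes and
never re-encrypts the disk. The security of a slot rests on its passphrase
and the KDF cost, which is why a weak recovery phrase weakens the whole disk.

Hypothetical construction: HMAC-SHA256 as a one-block PRF for the wrap plus a
separate HMAC tag (encrypt-then-MAC). A production header would use AES key
wrap; this stand-in keeps the example stdlib-only.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

KDF_ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, tune per hardware
WRAP_LABEL = b"keyslot-wrap-block-0"  # domain separation for the PRF output


@dataclass
class KeySlot:
    label: str
    salt: bytes
    wrapped: bytes  # master_key XOR PRF(enc_key)
    tag: bytes      # HMAC(mac_key, salt || wrapped), checked before unwrapping


@dataclass
class VolumeHeader:
    slots: list = field(default_factory=list)

    @staticmethod
    def _slot_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
        # 64 bytes of PBKDF2 output: first half wraps, second half authenticates.
        material = hashlib.pbkdf2_hmac(
            "sha256", passphrase.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64
        )
        return material[:32], material[32:]

    def add_slot(self, label: str, passphrase: str, master_key: bytes) -> None:
        # Caller must already hold the master key (i.e. has unlocked some slot);
        # this mirrors "you need an existing password to add another one".
        salt = os.urandom(16)
        enc_key, mac_key = self._slot_keys(passphrase, salt)
        pad = hmac.new(enc_key, WRAP_LABEL, hashlib.sha256).digest()
        wrapped = bytes(m ^ p for m, p in zip(master_key, pad))
        tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
        self.slots.append(KeySlot(label, salt, wrapped, tag))

    def unlock(self, passphrase: str):
        """Return (slot_label, master_key) for the first slot the passphrase opens, else None."""
        for slot in self.slots:
            enc_key, mac_key = self._slot_keys(passphrase, slot.salt)
            expected = hmac.new(mac_key, slot.salt + slot.wrapped, hashlib.sha256).digest()
            if hmac.compare_digest(expected, slot.tag):  # constant-time compare
                pad = hmac.new(enc_key, WRAP_LABEL, hashlib.sha256).digest()
                return slot.label, bytes(w ^ p for w, p in zip(slot.wrapped, pad))
        return None

    def revoke(self, label: str) -> None:
        # Dropping a slot is the whole "change the user's password" operation;
        # the master key, and therefore the encrypted data, is untouched.
        self.slots = [s for s in self.slots if s.label != label]


def demo() -> dict:
    master_key = os.urandom(32)  # would be generated once at initial encryption
    header = VolumeHeader()
    header.add_slot("user", "correct horse battery staple", master_key)     # constructed
    header.add_slot("admin", "it-dept-recovery-phrase-2009", master_key)    # constructed

    user = header.unlock("correct horse battery staple")
    admin = header.unlock("it-dept-recovery-phrase-2009")
    wrong = header.unlock("password123")

    header.revoke("user")  # user left or forgot the phrase; admin slot still works
    return {
        "master_key": master_key,
        "user": user,
        "admin": admin,
        "wrong": wrong,
        "user_after_revoke": header.unlock("correct horse battery staple"),
        "admin_after_revoke": header.unlock("it-dept-recovery-phrase-2009"),
    }


if __name__ == "__main__":
    result = demo()
    print("user and admin recovered the same key:", result["user"][1] == result["admin"][1])
    print("wrong passphrase:", result["wrong"])
    print("admin slot still opens after revoking user:", result["admin_after_revoke"] is not None)
```

The point for the thread: a second passphrase does not need a second copy of the encrypted disk, only a second slot in the header, and the rescue-disk trick is just a manual way of keeping an old header around. The attack surface the poster worries about is the KDF and the passphrase quality of each slot, not the number of slots.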
 
> If you're on Vista just use Bitlocker.

Nope... Just XP.

Plus I really haven't researched it that much. Does that do the Whole Disk Encryption?

Usually, unless it's very tightly integrated (like a BlackBerry handheld), same-company encryption doesn't beat third-party.

Like I said, Windows is so easily hacked... That's what concerns me about BitLocker!
 
I don't encrypt my laptop. Anything worth keeping prying eyes off of goes onto a thumb drive attached to my keychain that also has my house and car keys. I don't encrypt that either, but then again I'm not a secret agent, and if my keychain comes up missing I'd be more worried about having to get the locks on my house changed and trying to come up with whatever the BMW stealership will end up demanding in tribute for a new key.

On the off chance I would need to send sensitive information I would probably use PGP and more than likely I would send it through email rather than put it on some sort of portable storage.
 