Drive encryption

sphinx99

Gawd
Joined
Dec 23, 2006
Messages
955
I was not sure where to put this. I have a bunch of laptops at work (~ 200) which ought to have some sort of encryption mechanism for the local storage in case the laptop is lost/left somewhere. Most of the laptops are new but some are older models. Unfortunately for a number of reasons I cannot prevent users from keeping potentially sensitive data on these laptops so I would like to err on the side of caution and encrypt.

Experience doing anything like this?

I'm leaning toward TrueCrypt, assigning each user a relatively complex password, doing whole drive encryption, and simply stating that this is one of the headaches that comes with having a laptop. They boot, enter a PW, then the OS boots. No central management per-say. TrueCrypt has some sort of master PW that IT can keep to unlock the laptop if the user PW is lost.

Any reason not to proceed down this road? Is performance impact limited for modern multicore laptops?
 

ghost6303

2[H]4U
Joined
Jul 24, 2004
Messages
2,291
i use whole drive encryption with truecrypt on my personal laptops. its fairly easy to do. one thing you need to reallize though, is truecrypt is meant to be secure. there is no backdoor for IT to use if the user looses their PW. i havnt used the rescue disk that truecrypt creates very much, there might be an option to make a flash drive into an unlock key or something, but you need to look into that before implementing such a system. there is no master password, there is only one. if its gone, so is all the data.

if you are using AES encryption, a good number of new processors have hardware AES processors in them, so performance impact is almost zero. there is noticeably slower hard drive read/write speeds on older machines, especially low powered laptops, as it takes a lot of power to process everything. no harm in doing some benchmarks on one or two machines before doing all 200.

the password you make for them doesnt have to be extraordinarily long, though they suggest more then 20 characters, just having a regular 8 or 10+ character PW would be sufficient to deter 99.8% of the regular people that would find/steal a laptop. you need to be extremely good with computers to even know how to go about breaking into an encrypted system drive.
 

drescherjm

[H]F Junkie
Joined
Nov 19, 2008
Messages
14,936
though they suggest more then 20 characters,

That would seriously annoy your users. I would shoot anyone that forces me to use a password of more than 10 characters. Well either that or I would put a sticker on the laptop with the password.

Just kidding about the shoot part.
 

haileris

Limp Gawd
Joined
Jun 6, 2010
Messages
458
First, you have to consider what you are trying to protect. Read up on the types below (I am no expert!)

Full Disk Encryption - cool for theft etc but no protection when the drive is unlocked and one of your users surfs the internet with their firewall down

File level protection - something like EFS protects at certain file levels but doesn't prevent all sensitive data being compromised in the case of a loss situation

If you're going for FDE, then you have already mentioned the single big factor in my book - manageability. If you have to manage 200 of the things, then I'd be seriously looking at what all the products on the marketplace can do in the event of a lost password. How easily can one invoke a recovery. If these laptops go around the globe can one recover it remotely? Not sure of all the answers myself :)

Another thing to consider is things like backup. No good having a locked down laptop if the user simply copies his / her files to another unencrypted USB drive. So either provide them a suitably secured drive or implement some remote backup process such that when they connect, the backup process kicks in. Plenty of products in the marketplace on that.

P.S. My work FDE laptop password is 26 characters... I guess I should shoot myself twice :)

But its actually not that bad if you say for instance treat it like a story - like for example this phrase will be remembered reasonably easily yet its pretty long and pretty secure.

Mary went to picnic for a combine teapot

Hope this helps
D
 

ghost6303

2[H]4U
Joined
Jul 24, 2004
Messages
2,291
phrases are excellent ways of remembering long secure passwords.

if you are simply trying to prevent someone from finding a laptop that one of your users might leave somewhere and pressing the on button and reading all the sensitive info on the laptop; you can use whole disk encryption with just a 8 word PW, even the same password for all 200 PCs, and just have the users create their own strong windows login password. just by virtue of the data being encrypted and having some password right after BIOS is enough to deter any normal person that would pickup a lost laptop.

in truecrypt you can even set the message that people see at the enter password screen before windows, so you can put in instructions or a EULA or instructions to the person who might find the laptop, etc.

an alternative would be to use bitlocker if you are using windows 7 on all of these. that would prevent someone from pulling the hard drive or booting to a linux live CD and reading the data.

all of this is for nothing, though, if your users store the data on thumb drives or similar like haileris mentioned..
 

k1pp3r

[H]F Junkie
Joined
Jun 16, 2004
Messages
8,226
We are going through an encryption project right now, to simply put it, its a pain in the ass lol

We are using Sophos, main reason is central managment. I eliminated Tru-Crypt as a solution due to a few reason's

1) Tru-crypt has no support except the community.
2) Tru-Crypt is not centrally managed for user access and key recovery/policy changes

I fully support using tru-crypt, just not in a business environment of more than a couple users.

Things to note when encrypting drives

1) BACKUP YOUR FREAKIN DATA - you may only have 1% of computers not like the encryption, but thats still data you can use, I suggest using Acronis or Ghost to backup.
2) Run a checkdisk in repair mode to make sure the drive has no issues
3) Pray to the lord it works lol
 

Neme

n00b
Joined
Jan 19, 2010
Messages
30
We use Checkpoint FDE on our work laptops, good central management, supports single signon and also remote challenge/response style password resets, which comes in handy for those users that forget passwords every 5 mins (especially as these also tend to be the execs that fly all over the world).

Not sure how it works out on the cost side (I don't balance the books or pay the bills), but worth looking at.
 

sphinx99

Gawd
Joined
Dec 23, 2006
Messages
955
Wow, thank you for the advice, that is exactly what I was looking for.

Cost is not a major issue.... I wouldn't want to be paying $150/client, but I would spend a bit for a more robust solution. Since I'm looking at at least a couple hundred units here, and since a number of them will indeed be the "traveling executive" types, myself being among them, it is heartening to see that others feel heartburn going through this.
 

rive22

Supreme [H]ardness
Joined
Mar 10, 2004
Messages
4,646
Truecrypt is the way to go. I cannot speak enough good words about the software and it's abilities. It simply is just amazing.
 

k1pp3r

[H]F Junkie
Joined
Jun 16, 2004
Messages
8,226
Truecrypt is the way to go. I cannot speak enough good words about the software and it's abilities. It simply is just amazing.

If truecrypt had central management and key recovery i would be all for it in business use, I would only use it in small deployments due to this lacking of central management and key recovery.

Sad, cause i think truecrypt is a great product
 

w00dix

n00b
Joined
Feb 20, 2010
Messages
8
Gartner and Forrester are amongst the many research companies that publish data on this sort of thing. While you typically have to pay for it, there are plenty of google links out there that'll give you the data you need. Off the top of my head:

McAfee, CheckPoint, and PGP all make pretty decent products. As others have stated, key management and recovery are critical. I'd also make sure you pay close attention to deployment as well as reporting.

Make sure you're requirements are tight before you start talking to vendors. Leverage channel partners in your area so that you can get decent discounts on purchase, maintenance and professional services. Dealing direct with vendors is a sure way to pay MSRP.

Good luck!
 

/dev/null

[H]F Junkie
Joined
Mar 31, 2001
Messages
15,190
I like dm_crypt myself, but I think that is linux only.

If your laptops are lenovos, they have a bios option for this. Even if you remove the drive & stick it in another PC it is unreadable. I think the password is limited to 8 characters however.

I use dm_crypt + bios password on my lenovo & it gets the job done.
 

ghost6303

2[H]4U
Joined
Jul 24, 2004
Messages
2,291
fairly easy- IF certain criteria are met. like the computer being on, and logged in, and the encrypted drive mounted, and having a second computer available to run this on, and (atleast for the first link you posted) an enabled firewire port on the computer to be hacked. and $750 for that software (or find an illegal torrent for it).

brute forceing a 15+ character password is a legnthy process. 20+ characters without a distributed crunching farm, or without getting extremely lucky, is practically impossible. there are always ways around everything, but whole disk encryption serves as a good deterrent for someone who would normally find a lost laptop and push the power button and go rifling thru your files. if you have secret KGB documents on your laptop, you should already know you need more protection then this.
 

Wompa164

Limp Gawd
Joined
Jul 9, 2006
Messages
297
Whole disk enryption systems are a joke, and really just encrypting your data does not solve security problems. If someone wants to get around it, its fairly easy.

TrueCrypt and Bitlocker are the easy. http://www.lostpassword.com/hdd-decryption.htm
SafeBoot - http://simonhunt.wordpress.com/2009/08/25/disaster-recovery-wintech-and-pe3/

It's possible to recover the encryption keys from physical memory but it's hardly a trivial matter. The only hope you have of recovering the keys from a Bitlocker system (I can't speak on behalf of TrueCrypt) is if you get to the system while it's turned on, logged in and unlocked. If the system has locked, the only hope you have of pulling the keys is by using a specialized Firewire-based memory aquisition device. If the target computer doesn't support Firewire then that's pretty much the end of the road as far as I'm currently aware unless you go the route of supercooling the memory chips and pulling them out of the system. If the system isn't already powered on and logged in then you really have no chance.
 

HammerSandwich

[H]ard|Gawd
Joined
Nov 18, 2004
Messages
1,126
I've been impressed with Truecrypt, but I have no experience with the managed solutions. Seems to me that TC will be fine if you can deploy the same admin password on all PCs. But keep THAT one tight.

However... TC had major problems with a pair of Vostro 1520s running Vista x64, requiring me to use the recovery disk every few days until we gave up on FDE. I did not do fresh installs on these laptops, so they had the Dell recovery partition crap in place. I'm not sure that was the problem, but it seemed the likeliest cause.
 

dr_latino999

Limp Gawd
Joined
Jul 15, 2008
Messages
130
Whole disk enryption systems are a joke, and really just encrypting your data does not solve security problems. If someone wants to get around it, its fairly easy.

TrueCrypt and Bitlocker are the easy. http://www.lostpassword.com/hdd-decryption.htm
SafeBoot - http://simonhunt.wordpress.com/2009/08/25/disaster-recovery-wintech-and-pe3/

Maybe, but as others have said, it's a time consuming process. I have my encrypted systems requiring one password, and one key files. My TrueCrypt creations have a 20 digit password and three key files, which only unlocks access to a VM which is....drumroll...encrypted as well. If someone ever gets the data off of that VM, good for them. I figure the extra 90 seconds it takes me to get up and running through the security measures on my laptop is worth it to me.
 

sharp

[H]ard|Gawd
Joined
Feb 9, 2003
Messages
1,267
Maybe, but as others have said, it's a time consuming process. I have my encrypted systems requiring one password, and one key files. My TrueCrypt creations have a 20 digit password and three key files, which only unlocks access to a VM which is....drumroll...encrypted as well. If someone ever gets the data off of that VM, good for them. I figure the extra 90 seconds it takes me to get up and running through the security measures on my laptop is worth it to me.

Hah. That is a win.
 
Top