Home page logo
/

basics logo Security Basics mailing list archives

RE: List of Full Disc Encryption products
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Thu, 6 Jul 2006 19:34:50 -0400

I agree with your first sentences, but not your second paragraph.  Full
Drive Encryption (FDE) is and can be a solid encryption choice. But it
has its issues like any other encryption solution, not the least of
which is many of the algorithms are proprietary, many solutions are
untested, and key archival can be an issue.

And yes, many targeted encryption (i.e. file and folder encryption)
schemes do not encrypt all data reminants. But you can't say all
targeted encryption schemes are bad or that all programs leave plaintext
reminants. It depends on the the data being encrypted and the involved
applications, among many things. 

For every FDE benefit you can give me, I can give a negative. The same
for targeted encryption. And I can't say which is better for you without
knowing your particular environment, your risks, and the value of your
data. There is no one best single solution that is right-sized for all
environments.

-----Original Message-----
From: Robertson, Seth (JSC-IM) [mailto:Seth.Robertson-1 () nasa gov] 
Sent: Thursday, July 06, 2006 4:33 PM
To: security-basics () securityfocus com
Subject: RE: List of Full Disc Encryption products

The problem with technologies like EFS which encrypt files and folders
is that several unencrypted copies and fragments are scattered around
the file system to comport to the OS's peculiar implementation.  For
example, temporary recovery files aren't saved to the folders designated
for encryption (e.g., My Documents).  Sure, the intent of letter is to
encrypt data files rather than executables (because the information
which comprises an executable is *typically* not sensitive), and
targeted encryption is a good solution for certain problems (e.g., a
file server which is physically secure, saving files from the laptop to
removable storage or over the network),

but I don't think one could successfully argue that targeted encryption
would meet the requirements of protecting ALL the sensitive data in
every place it resides on the hard drive.  For that particular piece of
the puzzle, only full disk encryption guarantees the encryption of all
the data.


Seth Robertson

-----Original Message-----
From: Roger A. Grimes [mailto:roger () banneretcs com]
Sent: Thursday, July 06, 2006 1:13 PM
To: Saqib Ali
Cc: security-basics
Subject: RE: List of Full Disc Encryption products

I don't want to argue semantics, but you're wrong. Pure and simple.
Data's data. Program files and operating system files are not data.
Data is stored in files. You can encrypt individual files and folders
and still be in compliance with any federal mandate or guideline.  There
is NO mandate or guideline that says the entire drive must be encrypted.

Again, encrypting hard drives are a good thing, but don't spread FUD.
Let the facts speak for themselves. Encrypting the entire hard drive is
one solution for protecting confidential files, but it isn't the only
solution. And it certainly isn't the only one accepted by law or
mandate.

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com]
Sent: Thursday, July 06, 2006 12:28 PM
To: Roger A. Grimes
Cc: security-basics
Subject: Re: List of Full Disc Encryption products

On 7/5/06, Roger A. Grimes <roger () banneretcs com> wrote:
I don't believe your second sentence. Prove me wrong. What mandate 
says that full hard drive encryption is mandatory versus just 
encrypting the necessary files and folders?  Give me the law and
subsection.

OK. See:
1) http://digg.com/security/U.S._gov_t_mandates_laptop_security
2) http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

Bullet #1 from the PDF reads:
1) Encrypt "all" data on mobile computers/devices which carry agency
data unless the data is determined to be non-sensitive, in writing, by
your Deputy Secretary or an individual he/she may designate in writing;

So encrypting certain files on the laptop will NOT suffice. You have to
encrypt "All Data".

If you are NOT encrypting partial data on the device, you have to get an
written exception from the Deputy Secretary.



--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------

------------------------------------------------------------------------
---
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and practice
to master. We can't teach you to hack. But we can teach you what we've
learned so far. Our courses are honest, real, technical and practical.
SensePost willl be at Black Hat Vegas in July. To see what we're about,
visit us at: 

http://www.sensepost.com/training.html
------------------------------------------------------------------------
---

------------------------------------------------------------------------
---
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and practice
to master. We can't teach you to hack. But we can teach you what we've
learned so far. Our courses are honest, real, technical and practical.
SensePost willl be at Black Hat Vegas in July. To see what we're about,
visit us at: 

http://www.sensepost.com/training.html
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and
practice to master. We can't teach you to hack. But we can teach you
what we've learned so far. Our courses are honest, real, technical
and practical. SensePost willl be at Black Hat Vegas in July. To see
what we're about, visit us at:

http://www.sensepost.com/training.html
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]