Security Basics mailing list archives

Re: Laptop - Full Disk Encryption? (Booting defeats FDE)
From: fac51 <fac51 () yahoo com>
Date: Sat, 27 Oct 2007 04:11:27 -0700 (PDT)

Hi Bill,

Thanks for your reply.
I'll take this stuff into account. Surprisingly, all the FDE products I've reviewed do not mention in their blurb any
performance issues/vulnerabilities.

The group I'm trying to protect barely know how to log in now, so the solution has to take this into account from the
start. Any data loss would be a disaster.

Thanks again Bill,


----- Original Message ----
From: Bill Stout <billbrietstout () yahoo com>
To: fac51 <fac51 () yahoo com>; security-basics () securityfocus com
Sent: Tuesday, October 23, 2007 6:34:01 PM
Subject: Re: Laptop - Full Disk Encryption? (Booting defeats FDE)


How to defeat full disk encryption:  Boot up

A workmate reminded me that the disk is decrypted during startup by the decryption drivers.  It's an all or nothing
deal.  Once the computer has booted you have a normal logon prompt, network services (\\notebook\c$), USB devices,
etc.  Check if the product protects against safeboot (F8) interruption.  A startup password could add security
depending on how strongly that is implemented, but most users/companies want transparent operation.

Disk errors and failures are common on laptops, and FDE vendors are very cautious about checking for existing disk
errors before installation, so research the impact FDE has on disk reliability.  I believe things like defragmentation
are no longer possible afterwards either (I may be wrong on this).

Also keep in mind that you're loading more file system filter drivers, and the Windows kernel (2003, XP) has only three
slots available.  Combining things like AV, DFS, Backup agents, and FDE may cause data corruption.  Any two security
products loaded may not show an incompatibility, but three or more could be a problem.  There is a special request MS
patch to increase the number of kernel slots for file system filters, btw.

- File system filter drivers http://www.microsoft.com/whdc/driver/filterdrv/default.mspx
- Three file system filter limit patch http://support.microsoft.com/kb/906866

For protection of data on the computer _after_ it's running, you may consider products that offer more granular 
file-level encryption like Credant Technologies or Information Security Corp.  These products encrypt what's important 
(user files and temp files), but allow for standard support, backup and recovery practices.

Bill Stout

----- Original Message ----
From: fac51 <fac51 () yahoo com>
To: security-basics () securityfocus com
Sent: Wednesday, October 17, 2007 2:04:30 AM
Subject: Laptop - Full Disk Encryption?

Does anyone know of a good full disk encryption product?
It will be used for senior management so it must be easy to use and recover if the password is forgotten.

Assumptions are that laptop information security is strongest if data is not saved locally but an audit has revealed 

Technical Controls (proposed)

1. BIOS password. (currently not enforced)
2. Full disk or partition encryption. (currently not enforced)

Is there anything else I should take into account?

I have read that encryption is useless if the password that is used is not strong; is this true?

Thanks in advance for any help, greatly appreciated.

