Security Basics mailing list archives
Re: Why not encrypt the whole Hard Drives?
From: "Saqib Ali" <docbook.xml () gmail com>
Date: Fri, 3 Nov 2006 15:38:37 -0800
OK, the review of the 7 Full Disk Encryption is now complete. The results are at:
http://www.xml-dev.com/blog/index.php?action=viewtopic&id=250

I did an analysis of various FDE solutions to find the best one for my needs. The key thing I was interested in was that it must be AES 256, reasonably fast, inexpensive, and offer key recovery in case of password loss.

Compusec is great for home / personal use. It is cheap, i.e. $0.00 (Free), and does not slow down the computer as much as the other products. But that is because it only supports 128 bit AES, which is a major drawback as most enterprise settings require at least 256 bit AES. Compusec also has a great online support forum where you can get your questions answered by Compusec employees and other experienced users.

I ended up purchasing both Utimaco and Pointsec. They are excellent products. They both support AES 256. The downside is that they are a little bit expensive (Pointsec: $170; Utimaco: $200) and slow. The best thing is they both offer great password / encryption key recovery capabilities. You can create a recovery disk with both products. They also offer password recovery using a Challenge / Response sequence, where the IT Helpdesk can perform a Challenge/Response sequence with the user to help them recover the password or reset it to a new one.

Of course Challenge/Response password recovery is NOT the most secure, especially if the user is remote, but you have the option to disable it on the laptop if you want.

saqib
http://www.full-disk-encryption.net

On 11/1/06, Jason Muskat, GCFA, GCUX, de VE3TSJ <Jason () techdude ca> wrote:
Hello,

We deployed FDE on every laptop (about 150) in the organization I work for, including my own. The FDE software installs itself on every drive wished, including the boot drive "c:", and requires the use of a pre-boot-loader before Windows is loaded.

I found no discernible speed difference. The pre-boot-loader is very transparent to Windows.

The only issue I have come across is that one HDD became corrupted. Windows Automated Recovery would have easily fixed this issue. Due to an Admin oversight, an Admin Key, which allows one to boot a CD from the FDE boot-loader, was missing. At that point the drive became very difficult to recover. So much so, it was low-level formatted and backups were restored to a new drive.

Key Management is easy but very procedure driven. If parts of the procedure are skipped, issues such as a simple disk recovery become very difficult.

Regards,

--
Jason Muskat | GCFA, GCUX - de VE3TSJ
____________________________
TechDude
e. Jason () TechDude Ca
m. 416 .414 .9934
http://TechDude.Ca/

> From: Saqib Ali <docbook.xml () gmail com>
> Date: Thu, 12 Oct 2006 15:00:28 -0700
> To: security-basics <security-basics () securityfocus com>
> Subject: Why not encrypt the whole Hard Drives?
> Resent-From: <security-basics-return-41391 () securityfocus com>
> Resent-Date: Fri, 13 Oct 2006 12:51:58 -0600 (MDT)
>
> Security Breaches Data reveals that most of the data leaks were caused
> due to stolen laptops, which can be easily mitigated by using full
> disk encryption on the laptop. So why not encrypt the whole drive?
> Cost and performance impact are the usual arguments. Tests show that
> access time increases by 56%-85% after encryption. And the cost of FDE
> software usually ranges from $0-$300 depending on how good of a
> software and support you wanna get. So is it worth it?
>
> Data from tests (performance impact) of the FDE products:
> http://www.xml-dev.com/blog/index.php?action=viewtopic&id=250
>
> --
> Saqib Ali, CISSP, ISSAP
> http://www.full-disk-encryption.net
>
> ---------------------------------------------------------------------------
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic Excellence
> in Information Security. Our program offers unparalleled Infosec management
> education and the case study affords you unmatched consulting experience.
> Using interactive e-Learning technology, you can earn this esteemed degree,
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------------
>
--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net
