Whole disk encryption



If you're worried about fragments of temporary files from office, explorer
cache, residual data in sectors when a file is deleted (but not
overwritten many times), and swap-file residual data, then you need disk
encryption at the sector level.

Not to mention current surveys like this:
http://news.com.com/Confidential+data+really+is+at+risk/2010-1029_3-6108603.html?tag=html.alert

Vista has 'bitlocker':
http://www.apcstart.com/site/pschnackenburg/2006/08/1066/your-money-or-your-hard-drive-vistas-full-disk-encryption-benchmarked

There are products around such as: WinMagic, SecureGuard, TrueCrypt,
SecureStar, to name a few.

Some laptop vendors provide hardware option - Dell & HP, but I haven't
looked at enterprise capability.

[I am unaligned to products]

Most products sit below Windows / Linux and add moderate overhead to CPU a
few percent (if doing AES encryption). Don't know about I/O latency.
They can convert disks in-situ.

Standard backup utilities, through O/S continue to work.

Disk-level imaging tools, however, need special consideration.

They can work with passphrases, smartcards and USBkeys that operate pre-boot.

For enterprise use, the key considerations are:

* Recovery, Recovery, Recovery, Help Desk, Support, Auditability
* If user loses usbkey, smartcards or forgets passphrase, you need over-ride
* Encryption needs to extend to USBDrive and CD/RW - DVD/RW (some
products do this as part of same scheme)
* Multi-user login i.e. handle multiple keys
* Group users of USB keys i.e. workgroup crypto-keys
* Auditors - need to be able to break-the-glass - escrow / recovery
* Systems Support - ditto
* Multiple boot / Compartmented operating systems e.g. one environment for
uncontrolled surfing, and another boot image for corporate LAN?

You need a Key Escrow server, or ability to distribute sets of keys to
workstations. In enterprise environment you absolutely need audit / system
support keys in addition to normal (Deployment of sofware is also
consideration.)

If you're concerned about real pedigree of security, then you also need to
be looking for evidence of independant security accreditation such as
FIPS140-2, EAL4 etc.

Enjoy!!


Andrew Probert
Seurity Consultant (CISSP)
Trusted Solutions Pty Ltd
+61 419303705
Australia



---------------------------------------------------------------------------
---------------------------------------------------------------------------



Relevant Pages

  • Re: FUD about CGD and GBDE
    ... So it is actually where $n$ is the number of key--key sectors: ... different keys to try. ... There will not be very many false positives when you are brute ... Disklabels for example have a checksum. ...
    (freebsd-hackers)
  • Re: FUD about CGD and GBDE
    ... That assumption is wrong, sectors are not completely independent data, ... they are connected in such a way that if you want the entire disk, ... with one of 2^128 possible keys. ... How many disk variations exist? ...
    (freebsd-hackers)
  • Re: "Cannot Install This Hardware" "Access is Denied"
    ... I have checked for security softwares that may have blocked access to ... other keys. ... I found that my hard-drive has bad sectors. ... Is it possible that windows registry is stored on the disk and it ...
    (microsoft.public.windowsxp.hardware)
  • SendKeys method only works when IE initially closed
    ... I'm using the following to have Internet Explorer clean out it's ... When Internet Explorer is not already running, ... However, if IE is already running, the keys get assigned to the window ...
    (microsoft.public.scripting.vbscript)