Whole disk encryption

If you're worried about fragments of temporary files from Office, Explorer
cache, residual data in sectors when a file is deleted (but not
overwritten many times), and swap-file residual data, then you need disk
encryption at the sector level.

Not to mention current surveys like this:

Vista has 'BitLocker':

There are products around such as: WinMagic, SecureGuard, TrueCrypt,
SecureStar, to name a few.

Some laptop vendors provide a hardware option - Dell & HP, but I haven't
looked at enterprise capability.

[I am unaligned to products]

Most products sit below Windows / Linux and add moderate CPU overhead, a
few percent (if doing AES encryption). Don't know about I/O latency.
They can convert disks in-situ.

Standard backup utilities, running through the O/S, continue to work.

Disk-level imaging tools, however, need special consideration.

They can work with passphrases, smartcards and USB keys that operate pre-boot.

For enterprise use, the key considerations are:

* Recovery, Recovery, Recovery, Help Desk, Support, Auditability
* If a user loses a USB key or smartcard, or forgets a passphrase, you need an override
* Encryption needs to extend to USB drives and CD/RW - DVD/RW (some
products do this as part of the same scheme)
* Multi-user login i.e. handle multiple keys
* Group users of USB keys i.e. workgroup crypto-keys
* Auditors - need to be able to break-the-glass - escrow / recovery
* Systems Support - ditto
* Multiple boot / Compartmented operating systems e.g. one environment for
uncontrolled surfing, and another boot image for corporate LAN?

You need a Key Escrow server, or the ability to distribute sets of keys to
workstations. In an enterprise environment you absolutely need audit / system
support keys in addition to normal (Deployment of software is also

If you're concerned about the real pedigree of security, then you also need to
be looking for evidence of independent security accreditation such as
FIPS 140-2, EAL4 etc.


Andrew Probert
Security Consultant (CISSP)
Trusted Solutions Pty Ltd
+61 419303705
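
The multi-key and recovery requirements listed in the message above can be pictured as key slots: one volume master key wrapped separately for the user, the help desk and the auditor. This is an added example, not part of the original post and not any product's code; all names and secrets are constructed, and the HMAC/XOR wrap is a standard-library stand-in for a real key-wrap such as AES key wrap.

```python
import hashlib, hmac, os

def _kek(secret: bytes, salt: bytes) -> bytes:
    # Key-encryption key derived from a passphrase or token secret.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, 100_000)

def _prf(kek: bytes, label: bytes) -> bytes:
    return hmac.new(kek, label, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def add_slot(slots: dict, holder: str, secret: bytes, vmk: bytes) -> None:
    """Wrap the 32-byte volume master key (VMK) for one holder."""
    assert len(vmk) == 32
    salt = os.urandom(16)                      # fresh salt, so a fresh KEK per slot
    kek = _kek(secret, salt)
    wrapped = _xor(vmk, _prf(kek, b"wrap"))    # stand-in for AES key wrap
    slots[holder] = (salt, wrapped, _prf(kek, b"tag" + wrapped))

def unlock(slots: dict, holder: str, secret: bytes, audit: list):
    """Return the VMK if the secret opens the holder's slot, else None."""
    vmk = None
    if holder in slots:
        salt, wrapped, tag = slots[holder]
        kek = _kek(secret, salt)
        if hmac.compare_digest(tag, _prf(kek, b"tag" + wrapped)):
            vmk = _xor(wrapped, _prf(kek, b"wrap"))
    # Every attempt is recorded, successful or not (auditability).
    audit.append((holder, "ok" if vmk is not None else "denied"))
    return vmk

def demo():
    vmk, slots, audit = os.urandom(32), {}, []
    escrow = os.urandom(32)          # constructed: secret held on the escrow server
    add_slot(slots, "user", b"correct horse", vmk)
    add_slot(slots, "helpdesk-recovery", escrow, vmk)
    add_slot(slots, "auditor", b"sealed-envelope-secret", vmk)
    forgotten = unlock(slots, "user", b"wrong guess", audit)   # user forgot it
    recovered = unlock(slots, "helpdesk-recovery", escrow, audit)
    # Re-issue the user's slot; the disk itself is not re-encrypted.
    add_slot(slots, "user", b"new passphrase", recovered)
    again = unlock(slots, "user", b"new passphrase", audit)
    return vmk, forgotten, recovered, again, audit

if __name__ == "__main__":
    vmk, forgotten, recovered, again, audit = demo()
    print(forgotten is None, recovered == vmk, again == vmk, audit)
```

Because the sectors are encrypted only under the volume master key, adding, replacing or removing a holder changes a slot and never the data on disk.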