RE: Whole disk encryption
- From: "Mason, Samuel" <SMason@xxxxxx>
- Date: Fri, 25 Aug 2006 10:03:10 -0600
-----Original Message-----
From: Erik Anderson [mailto:eanders@xxxxxxxxx]
Sent: Thursday, August 24, 2006 12:07 PM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Whole disk encryption
-----Original Message-----in
From: Sarah [mailto:sfelske@xxxxxxxx]
Sent: Thursday, August 24, 2006 11:48 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Whole disk encryption
What is the consensus of the group on the use of whole disk encryption
an enterprise environment?
Why? You only need to protect the data not the whole OS. It causes tooyou >only need to protect some data.
many problems. I don't recommend creating a headache for yourself when
I recommend creating an encrypted partition and mounting an encryptedfile
system on that partition.
In addition there are plenty of 3rd party software packages out therethat
have encrypted filter drivers or will allow you to create an encrypted
virtual disk. You use that disk just as any secondary disk. The
encryption becomes transparent to you.
The problem comes when data that would be encrypted in a folder or
partition is opened and used in OS swap space or other temporary
containers. You can't tell how long that data, now decrypted, will
remain accessible. I'll let you all decide how simple or hard it would
be to access this data. I know I've been surprised how much you can pull
back with forensic tools.
Each system (full-disk and file/folder-level) have their bonuses and
drawbacks but if people are truly concerned about encrypting their data
they should consider full-disk encryption. If simple static storage of
"finished" data is all that is required then perhaps file/folder
encryption is enough but if you have users that may not save things in
the correct, encrypted folder or would be required to encrypt the
document themselves perhaps full disk is better to eliminate that
variable.
Make sure to backup the keys somewhere or you will permanently loose
everything if something happens to the key.
Amen brother. Many of the full-disk systems I've been reviewing have a
centralized management console that would allow an admin to either
recreate the key or access the encrypted system with an "admin key" to
help alleviate the "I forgot my password" issues.
Samuel Mason, CISSP
Data Security Specialist
Montana State Fund
---------------------------------------------------------------------------
---------------------------------------------------------------------------
- Prev by Date: RE: Whole disk encryption
- Next by Date: RE: Whole disk encryption
- Previous by thread: Re: Whole disk encryption
- Next by thread: RE: Whole disk encryption
- Index(es):
Relevant Pages
|
