Re: Whole disk encryption

guys guys guys.

file level encryption and full disc encryption are two different
beasts. Full Disc Encryption solutions are complicated, and require
thorough analysis before selecting a product.

When choosing the encryption product, you need to make sure that it
provides means for secure key recovery and backup.

Full Disc Encryption provides many benefits, some of which are as follows:
1) Everything including the swap space and the temporary files are
encrypted in Full Disc Encryption. Encrypting these files is
important, as they can reveal important confidential data.
2) With Full Disc Encryption, the decision to encrypt which files and
leave which files decrypted is not left up to the users. Everything is
encrypted by default. Thus it is user proof.
3) Data Destruction and HDD repurposing is easier. Data Destruction
merely requires removal of the encryption key, and all the
information stored on the HDD is rendered useless. Thus saving tens of
thousands of dollars in physical HDD destruction.
4) Support for pre-boot authentication using biometric or secure
tokens or smart-cards.
5) Hardware based Full Disc Encryption is fast and creates minimum
overhead. The employees have NO excuse to NOT encrypt data.

However Full Disc Encryption does NOT replace file / directory level
encryption. This is because once the FDE drive boots up, all the
data is available in a decrypted format. So if a hacker is able to
connect to the laptop over the network while it is turned on, Full Disc
Encryption will not help. However if the individual files are
encrypted, the attempt to steal data over the network by the hacker may be

Microsoft EFS and TrueCrypt are file/directory level encryption.

In some cases both file level encryption and full disc encryption are
needed. So first you need to get the requirements from the customer.

MS Vista will include a crude form of Full Disc Encryption by the name
of BitLocker. It can utilize TPM. However key recovery capabilities
are limited.

Business class laptops include a Trusted Platform Module chip. TPM can
be used to seal + wrap the encryption key used for encryption. This
ties the encrypted data to a particular platform, since each
computer has a unique TPM chip. A hardware token (USB key or RSA token)
can be used to unlock the TPM, to improve the security of the system.

For full disc encryption, I would recommend that we look at
full-featured / enterprise grade products like WaveSys' Embassy Suite
or Secude.

For File/Directory encryption we should look at HP's Protect Tools or
Dell's Security Center. Both of these products come "Free" with their
business class laptops, and fully support TPM. You don't need to
purchase TrueCrypt or similar products.

Please let me know if you have any specific questions.

I would recommend performing a KT analysis of the available Full Disc
Encryption products to select one for your use. This will save you
from increased support costs later on.

I have compiled a list of full disc encryption products which is
available at:

Also take a look at Seagate's FDE drives, which perform encryption
using an ASIC on the drive, thus relieving the CPU from encryption
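The key-recovery, TPM-binding and key-removal points above, modelled as an added example (not the poster's code or any vendor's): one random data-encryption key (DEK) is wrapped under several independent protectors, a simulated TPM-sealed key that only exists for one measured boot state and an escrowed recovery password, so losing the platform does not lose the data, and crypto-erase is just deleting every wrapped copy. The wrap is a stdlib-only encrypt-then-MAC construction chosen for portability; the PCR values, TPM secret and helper names are assumptions.

```python
import hashlib, hmac, os, secrets

def _subkeys(kek):
    # Separate encryption and MAC keys derived from one protector key (KEK).
    return hashlib.sha256(b"enc" + kek).digest(), hashlib.sha256(b"mac" + kek).digest()

def _keystream(enc_key, nonce, n):
    # SHA-256 in counter mode; adequate for one 32-byte DEK per fresh nonce.
    blocks = (hashlib.sha256(enc_key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap_key(kek, dek):
    """Encrypt-then-MAC the DEK under a protector key; returns nonce|ct|tag."""
    enc_key, mac_key = _subkeys(kek)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(enc_key, nonce, len(dek))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unwrap_key(kek, blob):
    enc_key, mac_key = _subkeys(kek)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong protector key or tampered header")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def tpm_protector_key(tpm_secret, pcr_values):
    # Simulated TPM seal (assumption): the KEK is only derivable for one boot state.
    return hashlib.sha256(tpm_secret + b"".join(pcr_values)).digest()

def recovery_protector_key(password, salt):
    # Backup protector: password-derived KEK escrowed with the help desk.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class VolumeHeader:
    """One random DEK, wrapped under every registered protector."""
    def __init__(self):
        self.dek = secrets.token_bytes(32)   # plaintext only in RAM while unlocked
        self.protectors = {}
    def add_protector(self, name, kek):
        self.protectors[name] = wrap_key(kek, self.dek)
    def unlock(self, name, kek):
        return unwrap_key(kek, self.protectors[name])
    def can_unlock(self, name, kek):
        try:
            return name in self.protectors and self.unlock(name, kek) == self.dek
        except ValueError:
            return False
    def crypto_erase(self):   # data destruction by key removal
        self.protectors.clear()
        self.dek = None
```

A changed boot measurement makes the TPM protector useless while the recovery protector still opens the volume; after crypto_erase no protector works, which is the whole of the "remove the key" disposal argument.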

On 8/24/06, Dietrich Heusel <dietrich@xxxxxxxxx> wrote:
Hi Sarah,
hi group,

as a security auditor and consultant I normally suggest
(1) to implement as much security as available, but no more security
than really needed.
The need should follow an individual risk classification of all IT
assets / data of a company.

It doesn't make sense to encrypt a folder/partition with non-critical
data on it.
But it really makes sense to encrypt folders/partitions of sensitive
data (e.g. internal strategics/business plans, internal financial
statements, company secrets, ...).

Every time you encrypt / decrypt a file, folder or partition you will have
- file access to the hard disk,
- processor load,
- memory access
- ...
This influences the performance of each system. On some systems more
significantly than on others.

So on company wide file servers, an encrypted partition should exist,
where people have to store their classified files aligned to their given
rights and according to the company security policy / risk classification.
On mobile devices people should have an encrypted directory or
partition, which is access-protected by password or comparable methods
and can be mounted (dismounted) when needed (not needed), and where they
have to store their classified files according to the company security
policy / risk classification.

This strategy follows the given suggestion (1).

Ok. When influenced by real great paranoia, a company can also create a
policy that all HDDs need to be encrypted. But this is part of the same
category as prohibiting the connection of any hardware to any
network. ;-)


>Sarah wrote:
>What is the consensus of the group on the use of whole disk encryption
>in an enterprise environment?


"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15