Re: Whole disk encryption



We use Utimaco disk encryption for whole disk and we've never run into
any production issues. We are a smaller office, but we've also done
large deployments which have similar experiences. Law enforcement is a
huge fan of this technology. We use hardware tokens with certificates
for authentication.

Brad is right, it really is the way to go; sensitive data is stored
all over the disk in many cases. Whole disk encryption solves the
problem.

-J

On 8/28/06, chuck <chuck@xxxxxxxxxxxxxxx> wrote:
I agree with Brad. We used Securedoc and encrypted 100 percent of our laptops, and it went off without a hitch. Another division used Safeboot and had similar results.

We found it to be less troublesome and less risky to encrypt the whole drive, and we can say with 100% certainty that if a laptop is lost, the data was encrypted. That's a nice feeling, and avoids a lot of uncomfortable post-mortem questions from Sr management and Legal if one is lost.

Also, the data is not the only target - on pen tests I have stolen, trojaned, and returned a laptop, then harvested passwords and other info from it.

My 2 cents - Do the whole disk.



-----Original Message-----
From: "Brad Judy" <Brad.Judy@xxxxxxxxxxxx>
Date: Fri, 25 Aug 2006 09:24:30
To:<focus-ms@xxxxxxxxxxxxxxxxx>
Subject: RE: Whole disk encryption


> Why? You only need to protect the data not the whole OS. It
> causes too many problems. I don't recommend creating a
> headache for yourself when you only need to protect some data.

Yes, you only need to protect data, but can you guarantee that data is
only being written to the encrypted part of the disk? If the user can
readily write to a non-encrypted space, then you've lost much of the
benefit of the encryption because if a laptop is lost/stolen you can
only say "I'm pretty sure the data was encrypted". Check with your
legal department and see how they feel about "pretty sure". :-)

Brad Judy

ITS - UCB
