Re: Whole disk encryption



We're in the middle of a safeboot deployment that went through PoC
very, very nicely.

For anyone unsure about file/directory encryption versus full-disk:
Take your laptop with all the normal junk you can expect to have open
(documents, web sessions, etc) and kill the power without a stateful
shutdown. I'd suggest pulling the battery from a hibernating laptop
without plugging it into the wall first. Mount that drive up and
start digging through your hibernation and page files and temp
directories. It won't be long before you're ready to go full disk,
unless you have an extremely well defined environment that is already
using multiple third party apps to control those vectors.

On 8/28/06, chuck <chuck@xxxxxxxxxxxxxxx> wrote:
> I agree with Brad. We used Securedoc and encrypted 100 percent of our laptops, and it went off without a hitch. Another division used Safeboot and had similar results.
>
> We found it to be less troublesome and less risky to encrypt the whole drive, and we can say with 100% certainty that if a laptop is lost, the data was encrypted. That's a nice feeling, and avoids a lot of uncomfortable post-mortem questions from Sr management and Legal if one is lost.
>
> Also, the data is not the only target - on pen tests I have stolen, trojaned, and returned a laptop, then harvested passwords and other info from it.
>
> My 2 cents - Do the whole disk.
>
>
> BlackBerry service provided by Nextel
>
> -----Original Message-----
> From: "Brad Judy" <Brad.Judy@xxxxxxxxxxxx>
> Date: Fri, 25 Aug 2006 09:24:30
> To:<focus-ms@xxxxxxxxxxxxxxxxx>
> Subject: RE: Whole disk encryption
>
>
> > Why? You only need to protect the data not the whole OS. It
> > causes too many problems. I don't recommend creating a
> > headache for yourself when you only need to protect some data.
>
> Yes, you only need to protect data, but can you guarantee that data is
> only being written to the encrypted part of the disk? If the user can
> readily write to a non-encrypted space, then you've lost much of the
> benefit of the encryption because if a laptop is lost/stolen you can
> only say "I'm pretty sure the data was encrypted". Check with your
> legal department and see how they feel about "pretty sure". :-)
>
> Brad Judy
>
> ITS - UCB
>
> ---------------------------------------------------------------------------
> ---------------------------------------------------------------------------
>
>


---------------------------------------------------------------------------
---------------------------------------------------------------------------



Relevant Pages

  • Re: Need a Full Drive Encryption program
    ... have products that can do either pre-boot authentication with full disk ... encryption or just folder encryption (they recently released V Disk that ... >> data on his and the other executives laptop safe if it is ever stolen. ...
    (Security-Basics)
  • Re: Disc encryptian.
    ... Encryption is not going to protect you when the system is ... Except that many laptop users suspend or hibernate their machines ... the disk is protected; ...
    (Debian-User)
  • UPDATE; Encrypted Laptop Poses Legal Dilemma
    ... Encrypted Laptop Poses Legal Dilemma ... stymied by a password-protected encryption program. ... Now Boucher is caught in a cyber-age quandary: ... The government has appealed the ruling. ...
    (alt.true-crime)
  • RE: Need a Full Drive Encryption program
    ... Need a Full Drive Encryption program ... Booting from a linux or other boot disks will defeat most setups, ... Since the BIOS controls the access to the hard drive, upon power-up, the ... > the laptop back to IBM. ...
    (Security-Basics)
  • Re: NTFS File Encryption Question
    ... Unfortunately, they are not written in "novice english", but it's supposed to be possible to import the certificate and key and then be able to decrypt the file on another computer. ... I need to be able to move that USB drive to my laptop and be able to access the EFS encrypted files on the laptop. ... I have attempted to export the certificate and keys from the desktop and import them onto the laptop. ... Now, however, I wanted to be able to read those with my laptop, so I thought I would export the encryption keys to a ".pfx" file, which I did and put on the FAT partition, protected with a password. ...
    (microsoft.public.windowsxp.general)