RE: Whole disk encryption

Hi all,
I have recently researched some solutions for our company and was also
completely sold on the whole-disk encryption idea, until I started
looking at the Mobile Guardian products from Credant Technologies. They
claim their product:
"uses intelligent encryption to focus data protection on sensitive
information, without unnecessarily encrypting operating system or
application files."
Their software doesn't touch the MBR, so they claim you benefit from no
worry of BIOS incompatibility, 3rd-party software MBR corruption, etc.
So it supposedly only encrypts your sensitive data, temp files, page
file(s), etc., while leaving the system files and application files
alone. The company also claims a feature called "User level encryption"
for user-specific data, so local admins can't access sensitive data on
HR stations, accountant PCs, CxO laptops, etc.
We are still in the eval phase, but if the software is everything that
it claims, it would pose a respectable argument against full disk


-----Original Message-----
From: Paul Giddens [mailto:PaulG@xxxxxxxxxxx]
Sent: Thursday, August 31, 2006 11:29 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Whole disk encryption

Hey all,

This post has been circulating for a while and I have a quick question.

GIVEN that, if you are concerned about security and want to use
WHY would you choose to NOT do full disk?

Any solution where you try to encrypt some, but not all of the disk has
weakness in the plan. So why put yourself (& especially end users)
through the hoops of rolling out a half-done solution?

IF you want security, do full disk.
IF you don't want security, don't do any.
IF you want to be annoyed with partial solutions that are not entirely
secure, spend a lot of time figuring out how to do a semi-encrypted.

Just a thought. Great posts from all views! Love reading this forum! :)
Cheers all!

Go leafs go!

paul g | mcse ccna vcp ccsp ccea rsacse security+ A+

-----Original Message-----
From: Galin, Matt (THIP, Corp) [mailto:matt.galin@xxxxxxxxxxxxxxx]
Sent: Thursday, August 31, 2006 5:37 AM
To: matthew patton
Cc: focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Whole disk encryption

Forensically speaking, full disk encryption is the only way to address
all aspects of data remnants. Stuff sits in the page file; this isn't
encrypted. Temp files usually are all over the place, unless directory
structure ACLs are very strict. One can use the workstation security
templates for high security and lock down the directories, but there are
still writable locations on the disk that users can save stuff to.
Unless all you do is use MS Office, folder redirection isn't going to do
you much good. These strict ACLs break many applications, especially
all the homegrown ones, and the older junk that's in all of our
corporate environments. Volume encryption, such as EFS or TrueCrypt, is
MORE secure than nothing, but do you really trust your users, and would
you be willing to put your job on the line when your CIO walks in and
says, we had a laptop stolen, do we have to disclose this to the public?
Full disk encryption has its problems; most of the larger companies'
products like PointSec, Safeboot and Utimaco have methods for
administrative/support logins and key escrow/recovery. They all have
methods to deal with supporting software deployments, i.e. scripting a
number of automatic logins without requiring pre-boot authentication.
All of them have support for SSO, tokens, etc. The only large problems
relate to multi-boot configurations, lilo, hidden partition backup
solutions, etc., as these solutions shim the Master Boot Record or
Partition Boot Record.

-----Original Message-----
From: matthew patton [mailto:pattonme@xxxxxxxxx]
Sent: Tuesday, August 29, 2006 11:23 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: Re: Whole disk encryption

I am not arguing against whole-disk, but why would you hand a user a
computer/laptop that allows them to write ANYWHERE but in one directory,
their homedir?
