Re: Trade off: Full disk Encryption vs. Necessity



I second Jeffrey's opinion.

Before using FDE products I was using the encrypted file vault
software that comes with the HP laptop. And I was always conscious
about where I was saving the files, and worried about data in the swap
file etc. (I have a scrupulous conscience)

Now I have Utimaco on one laptop and Pointsec on the other. And I
no longer worry about where I am saving the files. It is all about the
peace of mind.

I can't wait till laptop manufacturers (HP, Lenovo and Dell) start
installing Seagate's FDE drives on the laptops. I think it will be
awesome. I compile a lot of software on my laptop, and the software-based
FDE solutions slow down the build process. Seagate's FDE solution
uses an ASIC on the drive for encryption, so there is no impact on the CPU.

saqib
http://www.full-disk-encryption.net



On 11/16/06, Jeffrey F. Bloss <jbloss@xxxxxxxxxxxxxxx> wrote:
shyaam@xxxxxxxxx wrote:

> Dear All,
>
> I am sorry if this has been discussed/described anywhere in the
> forums (do let me know the thread if that is the case), but is
> full-disk encryption necessary?

That depends entirely on what your threats and needs are. What's
necessary for one may be unnecessary for another. Whole disk is a great
deterrent to a laptop thief, but meaningless to a network cracker for
instance.

> I mean Windows takes care of the OS Security, even if not, it is OS
> files which will come up with every single installation CD. So it
> doesn't need to be encrypted. What are the things to encrypt other
> than the user data ? [just a question, because everyone talks about

Swap files/partitions, registry data, configuration files, certain
pieces of software themselves... anything that might contain any
information that you don't want in another person's hands. Like a full
copy of the super secret company documents you are working on which got
swapped to virtual memory when you opened that spreadsheet, or the
serial number for that $50,000 database you purchased to streamline
your business.

> full-disk encryption] What is the overhead involved with full-disk
> encryption and if there is a full disk encryption, is it worth doing

I've installed whole disk encryption on dozens of machines, and run it
on my own laptop. I honestly haven't noticed any difference at all on
any of them, nor have I heard any complaints.

> it? Seagate came up with the hardware technique of doing it ? Well if
> it is not breakable it is good, but what are the chances of it being
> broken ?
>
> Laptops get lost or stolen, is full-disk encryption the only solution
> or are there any other solutions that we are not able to think of?

Full disk is the only guaranteed solution. You can try and encrypt data
areas only, but invariably someone will save something where they
shouldn't. That someone could be an inattentive or lazy employee, or
the software or operating system itself.

Hardware solutions like locks and such are meaningless to anyone with a
hammer and another machine to plug an extricated hard drive into.
Assuming your data is the prize of course. If you allow physical access
to the machine, it can and will be compromised. If it's compromised,
the only way to protect your data is to make it inaccessible. And the
only way to do that, is to encrypt it.

--
Hand crafted on 16 November, 2006 at 22:41:29 EST using
only the finest domestic and imported ASCII.

Outside of a dog, a book is a man's best friend.
Inside of a dog, it's too dark to read.

-- Groucho Marx






--
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net
