Re: Laptop - Full Disk Encryption? (Booting defeats FDE)



S,

How to defeat full disk encryption: Boot up

A workmate reminded me that the disk is decrypted during startup by the decryption drivers. It's an all or nothing deal. Once the computer has booted you have a normal; logon prompt, network services (\\notebook\c$), USB devices, etc. Check if the product protects against safeboot (F8) interruption. A startup password could add security depending on how strongly that is implemented, but most users/companies want transparent operation.

Disk errors and failures are common on laptops, and FDE vendors are very cautious about checking for existing disk errors before installation so research the impact FDE has on disk reliablity. I believe things like defragmentation are no longer possible afterwards either (I may be wrong on this).

Also keep in mind that you're loading more file system filter drivers, and the Windows kernel (2003, XP) has only three slots available. Combining things like AV, DFS, Backup agents, and FDE may cause data corruption. Any two security products loaded may not show an incompatibilty, but three or more could be a problem. There is a special request MS patch to increase the number of kernel slots for file system filters, btw.

- File system filter drivers http://www.microsoft.com/whdc/driver/filterdrv/default.mspx
- Three file system filter limit patch http://support.microsoft.com/kb/906866

For protection of data on the computer _after_ it's running, you may consider products that offer more granular file-level encryption like Credant Technologies or Information Security Corp. These products encrypt what's important (user files and temp files), but allow for standard support, backup and recovery practices.

Bill Stout


----- Original Message ----
From: fac51 <fac51@xxxxxxxxx>
To: security-basics@xxxxxxxxxxxxxxxxx
Sent: Wednesday, October 17, 2007 2:04:30 AM
Subject: Laptop - Full Disk Encryption?

Does anyone know of a good full disk encryption product.
It will be used for senior management so it must be easy to use and recover if the password is forgotten.

Assumptions are that laptop information security is strongest if data is not saved locally but an audit has revealed otherwise.

Technical Controls (proposed)

1. BIOS password. (currently not enforced)
2. Full disk or partition encryption. (currently not enforced)

Is there anything else I should take into account?

I have read that encryption is useless if the password that is used is not strong is this true?


Thanks in advance for any help, greatly appreciated.

S


____________________________________________________________________________________
Don't let your dream ride pass you by. Make it a reality with Yahoo! Autos.
http://autos.yahoo.com/index.html