Re: Laptop - Full Disk Encryption? (Booting defeats FDE)



S,

How to defeat full disk encryption: Boot up

A workmate reminded me that the disk is decrypted during startup by the decryption drivers. It's an all or nothing deal. Once the computer has booted you have a normal; logon prompt, network services (\\notebook\c$), USB devices, etc. Check if the product protects against safeboot (F8) interruption. A startup password could add security depending on how strongly that is implemented, but most users/companies want transparent operation.

Disk errors and failures are common on laptops, and FDE vendors are very cautious about checking for existing disk errors before installation so research the impact FDE has on disk reliablity. I believe things like defragmentation are no longer possible afterwards either (I may be wrong on this).

Also keep in mind that you're loading more file system filter drivers, and the Windows kernel (2003, XP) has only three slots available. Combining things like AV, DFS, Backup agents, and FDE may cause data corruption. Any two security products loaded may not show an incompatibilty, but three or more could be a problem. There is a special request MS patch to increase the number of kernel slots for file system filters, btw.

- File system filter drivers http://www.microsoft.com/whdc/driver/filterdrv/default.mspx
- Three file system filter limit patch http://support.microsoft.com/kb/906866

For protection of data on the computer _after_ it's running, you may consider products that offer more granular file-level encryption like Credant Technologies or Information Security Corp. These products encrypt what's important (user files and temp files), but allow for standard support, backup and recovery practices.

Bill Stout


----- Original Message ----
From: fac51 <fac51@xxxxxxxxx>
To: security-basics@xxxxxxxxxxxxxxxxx
Sent: Wednesday, October 17, 2007 2:04:30 AM
Subject: Laptop - Full Disk Encryption?

Does anyone know of a good full disk encryption product.
It will be used for senior management so it must be easy to use and recover if the password is forgotten.

Assumptions are that laptop information security is strongest if data is not saved locally but an audit has revealed otherwise.

Technical Controls (proposed)

1. BIOS password. (currently not enforced)
2. Full disk or partition encryption. (currently not enforced)

Is there anything else I should take into account?

I have read that encryption is useless if the password that is used is not strong is this true?


Thanks in advance for any help, greatly appreciated.

S


____________________________________________________________________________________
Don't let your dream ride pass you by. Make it a reality with Yahoo! Autos.
http://autos.yahoo.com/index.html



Relevant Pages

  • Re: Security Flaw in Popular Disk Encryption Technologies
    ... laptop being stolen, then modern disk encryption is fine. ... Crypto is merely a way of obfuscating data, and we all know the truth ... I don't think you correctly understand the concept of "security through ...
    (freebsd-hackers)
  • RE: Laptop - Full Disk Encryption?
    ... What we implemented for our laptops was Pointsec's whole disk encryption ... coupled with the RSA SecurID instead of letting them use passwords. ... has a remote help feature. ... Laptop - Full Disk Encryption? ...
    (Security-Basics)
  • Disk Encryption with TrueCrypt and Backups
    ... Most companies these days are using disk encryption on their laptops. ... am planning to use TrueCrypt for my laptop. ... I do my backups to an external disk and am assuming that the complete ...
    (comp.security.misc)
  • Re: Buying Chromebooks for their hardware not their OS
    ... I have Ubuntu on my laptop and this is the killer feature. ... I've tried to install Ubuntu with disk encryption on a USB flash drive before but found it unusably slow. ...
    (comp.misc)