Laptop Disk Encryption


  • Laptop Disk Encryption

    Hello all,
    I am investigating Laptop Encryption for all the laptops at a client. Does anyone here have experience in this area and have tips to share?

    I've done a little investigation into laptop encryption, and it does not look like a simple thing to do.

    1.) Is it important to encrypt the entire volume? (I think it is).
    2.) How does encryption affect file sharing?
    3.) How are passwords controlled? Are there personal and master passwords?

    Have any of you had good experiences in this area?

    Comments welcome. Thanks!
    --bc,

  • #2
    Re: Laptop Disk Encryption

    Originally posted by big chopper
    Hello all,
    I am investigating Laptop Encryption for all the laptops at a client. Does anyone here have experience in this area and have tips to share?
    I have some experience as an individual, which I am happy to share. I have no experience in deploying this widely or administering more than just my machine.

    I am somewhat familiar with 4 implementations:

    - XP native file encryption
    - PGP 9.x encrypted volumes under XP
    - PGP 8.x encrypted volumes under XP
    - Truecrypt under XP and Linux

    I've done a little investigation into laptop encryption, and it does not look like a simple thing to do.
    Actually I found it to be surprisingly easy.

    1.) Is it important to encrypt the entire volume? (I think it is).
    Absolutely, especially for Windows machines. For example, at work I suffer with a laptop with XP pro and PGP 9.x. PGP 9.x uses a local proxy to encrypt and decrypt email. That operation leaves cleartext in temp files all over the place. These files don't get routinely deleted, much less wiped.

    Example: I send an encrypted email, attaching a file from a mounted encrypted volume. A clear, decrypted version of the attachment file ends up permanently in a "temp" directory on the unencrypted part of the disk. Worse, I don't know about it; I have to specifically look for it and wipe it. This is reason number 1,264 why PGP 9.x is a non-starter.

    In addition, the XP memory manager leaves clear text in the swap file. So you must encrypt the entire disk.

    WARNING! PGP 9.x is buggy as can be. Some of the design decisions are so absurd as to make it a non-starter IMHO. One of the "features" new to 9.x is that, by default, the rule for outgoing email is to send it IN THE CLEAR if a recipient's key is unavailable. PGP calls this "opportunistic encryption". "Opportunistic security breach" would be a better term. This is the level of incompetence of the current PGP regime. I can't stress this enough: STAY AWAY FROM PGP 9.X!!!!!!

    PGP 8.x is mostly OK. The Email engine did have one serious bug (undocumented of course, even years after I notified PGP corporation about it), where if you composed an HTML email, then changed it to plain text, then back to HTML, it would send it in the clear. But that was an edge case that we could live with. The current 9.x bugs and "features" are catastrophic.

    I don't know if the Linux memory manager leaves clear text in the swap file. I have only ever encrypted the entire disk under Linux, so I don't know what the result would be for just encrypting a portion of it.

    2.) How does encryption affect file sharing?
    Using PGP 9.x to mount an encrypted volume under XP: No difference compared to standard share. Once I have mounted the volume (entering my pass phrase to do so), files are shared normally. There is no further authentication or decryption key needed. The decrypted data is being shared, not the encrypted volume. At least that's how I have done it. It may be possible to share the encrypted volume while still encrypted, but I have never tried.

    PGP 9.x encrypting the whole disk and then sharing it: Unknown.

    I *think* that XP can share its encrypted volumes in encrypted form, but I don't remember.

    I created an encrypted volume under XP with Truecrypt. That was sharable in decrypted form.

    My new personal laptop came with XP, which I immediately erased and installed Ubuntu Linux 7.10 "Gutsy". One installation option is to encrypt the entire disk, which I did. I *think* that it uses Truecrypt for this, but I am not sure. I have not yet tried to share any of it. I have not yet inspected the disk to see what data, if any, is leaking (e.g. swap files, temp files).

    3.) How are passwords controlled?
    PGP 9.x, Truecrypt: Stored on disk locally, encrypted under a pass phrase.

    Windows XP native: Unknown

    Are there personal and master passwords?
    PGP lets you create a master password that is optionally split. For example, at a previous job each person's PGP key had a master that was split into 3 fragments. Any 2 fragments could be combined to recreate the master. Supposedly these fragments were securely stored under the individual control of 3 executives, thus ensuring that it would take the agreement of at least 2 of them to recover it. This scheme required each user to encrypt the PGP session key to both his personal key and the master key, so it could be subverted by the user.

    On balance, I can say that:

    - Truecrypt runs flawlessly so far (about 1 year), is free, and is open source, so it can be trusted.

    - PGP 9.x encrypted volumes work fine so far (about 2 years of experience with it). However, PGP 9.x is so buggy in other areas that it can't be trusted. In addition, ANY closed source application inherently can't be trusted. For these reasons PGP 9.x is a non-starter.

    - PGP 8.x encrypted volumes work fine, but as I recall it won't encrypt the entire disk. Plus, it's closed source. Plus, it's no longer available for purchase. Non-starter.

    - XP native encryption is closed source. Non-starter.
    Last edited by liberator; December 7, 2007, 09:14.
    "Men entrusted with power, even those aware of its dangers, tend, particularly when pressured, to slight liberty." - , The Church Committee, April 26 (legislative day, April 14), 1976


    • #3
      Re: Laptop Disk Encryption

      Wow, Liberator, thanks for taking the time!

      This is not something I'll be doing anytime soon, but something to investigate over 2008. I'll let you know what we eventually do.
      --BC,



      • #4
        Re: Laptop Disk Encryption

        Originally posted by big chopper
        Wow, Liberator, thanks for taking the time!

        This is not something I'll be doing anytime soon, but something to investigate over 2008. I'll let you know what we eventually do.
        --BC,
        I've used with no problems SecureDoc (www.winmagic.com) with tokens for years, and before that PointSec for years as well. I've used it on RAID systems (Raid 1), and SSD drives, SATA, etc.

        As you can guess I have run some pretty strange setups, and never had problems with either system. I have had problems with PGP 9.x though.
        PGP Key: https://defcon.org/html/links/dtangent.html



        • #5
          Re: Laptop Disk Encryption

          Originally posted by Dark Tangent
          I've used with no problems SecureDoc (www.winmagic.com) with tokens for years, and before that PointSec for years as well. I've used it on RAID systems (Raid 1), and SSD drives, SATA, etc.

          As you can guess I have run some pretty strange setups, and never had problems with either system. I have had problems with PGP 9.x though.
          I am particularly concerned about USB external drives (we've "lost" some) and USB thumb drives. Can WinMagic be used to encrypt files on these devices as well?
          --BC,



          • #6
            Re: Laptop Disk Encryption

            Originally posted by big chopper
            I am particularly concerned about USB external drives (we've "lost" some) and USB thumb drives. Can WinMagic be used to encrypt files on these devices as well?
            --BC,
            Yes, and you can set central policies that all removable devices must be encrypted before they can be used, etc.

            Performance hit is around 3% or less, and I've SDoc'd drives up to a TB. SDoc has been around for a long time, back when there were only three or four serious players in the space. Their original product was meant for Fortezza cards if that gives you a hint as to who the big purchasers were.
            PGP Key: https://defcon.org/html/links/dtangent.html



            • #7
              Re: Laptop Disk Encryption

              Originally posted by big chopper
              Hello all,
              I am investigating Laptop Encryption for all the laptops at a client. Does anyone here have experience in this area and have tips to share?

              I've done a little investigation into laptop encryption, and it does not look like a simple thing to do.

              1.) Is it important to encrypt the entire volume? (I think it is).
              2.) How does encryption affect file sharing?
              3.) How are passwords controlled? Are there personal and master passwords?

              Have any of you had good experiences in this area?

              Comments welcome. Thanks!
              --bc,
              Here goes.

              1. It depends on what the goal is. Generally, yes, it is better, as that takes the burden off the user of deciding what to encrypt or not to encrypt.
              2. This depends on the encryption product. Some encrypt/decrypt on the fly. Others encrypt/decrypt on log in. Determine which is your client's preference and choose accordingly.
              3. Again, product specific. For an enterprise-wide deployment, it is preferable to have a product that supports a self-help or master password feature. That way, if the user does something bad or forgets/loses their pass phrase, the Help Desk or IT Security staff can recover it for him. If it is a one-off where the user is the only one that knows it and something happens, the data is lost. Most of the better products are extremely hard to brute force without a considerable amount of resources.

              Encourage your client to make sure he backs up the information somewhere in an unencrypted form. Mistakes and drive failures do happen, and when dealing with encrypted partitions/disks you should plan on that happening.

              Another consideration is whether to use Preboot authentication (PBA) or not. In my opinion this will help determine just how secure your encryption is. Most of the products that I have looked at support either, as it is easier to centrally manage a non-PBA deployment, as you can usually use AD Domain credentials for encryption/decryption, but a non-PBA deployment is definitely less secure than PBA.
              DaKahuna
              ___________________
              Will Hack for Bandwidth



              • #8
                Re: Laptop Disk Encryption

                How paranoid are you, is the question, in a nice way of course?

                There is DriveCrypt from http://www.securstar.com/home.php which is produced by a foreign company and claims to be outside of US NSA imposed back doors. But then again they use common encryption algorithms that everyone else uses, but do go up to 1344 bit encryption.

                There are hard drives with hardware encryption built in like Seagate:
                These are for laptops.

                http://www.seagate.com/www/en-us/pro...us_5400_fde.2/

                Fujitsu makes them too.

                I use PGP for e-mail but don't like their disk encryption. Expect it to be slow at least in my experience.

                You should test anything you encrypt with FTK and Encase, otherwise it might be a waste of time. If these forensic analysis tools can read it then what's the point?

                Then there is always MS Bitlocker, I figured I'd mention it since no one else did. But Vista sucks.

                xor
                Last edited by xor; December 9, 2007, 22:49.
                Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.
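A first-pass version of the check post #8 asks for, which also looks for the cleartext leakage post #2 describes, as an added example that is not from the thread and does not replace a forensic suite: sample a raw image in blocks and flag anything that does not look like ciphertext. The function names, the 7.5 bits/byte threshold, the signature list and the sample image are all assumptions constructed for the illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # bytes per sampled block

def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

# A few well-known file signatures that should never be visible on an encrypted volume.
MAGIC = {b"%PDF-": "PDF", b"PK\x03\x04": "ZIP/Office", b"\xff\xd8\xff": "JPEG"}

def scan_image(image: bytes, threshold: float = 7.5):
    """Return [(offset, entropy, reason)] for blocks that do not look like ciphertext."""
    findings = []
    for off in range(0, len(image), BLOCK):
        block = image[off:off + BLOCK]
        h = shannon_entropy(block)
        hit = next((name for sig, name in MAGIC.items() if block.startswith(sig)), None)
        if hit:
            findings.append((off, round(h, 2), f"{hit} header"))
        elif h < threshold:
            findings.append((off, round(h, 2), "low entropy"))
    return findings

def constructed_image() -> bytes:
    """Constructed sample: 8 ciphertext-like blocks with one leaked cleartext block."""
    def noise(i):  # SHA-256 in counter mode stands in for real ciphertext
        return b"".join(hashlib.sha256(f"{i}:{j}".encode()).digest() for j in range(BLOCK // 32))
    blocks = [noise(i) for i in range(8)]
    leak = (b"%PDF-1.4\n" + b"Quarterly payroll export, cleartext temp copy. " * 100)[:BLOCK]
    blocks[5] = leak
    return b"".join(blocks)

if __name__ == "__main__":
    for off, h, why in scan_image(constructed_image()):
        print(f"offset {off:#x}: entropy {h} ({why})")
```

Never-written sectors that a product leaves as zeros will also be flagged as low entropy, so findings need a second look before they are treated as leaked data.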
