Re: Laptop Disk Encryption

I have some experience as an individual, which I am happy to share. I have no experience in deploying this widely or administering more than just my machine.

I am somewhat familiar with 4 implementations:

- XP native file encryption
- PGP 9.x encrypted volumes under XP
- PGP 8.x encrypted volumes under XP
- Truecrypt under XP and Linux

Actually I found it to be surprisingly easy.

Absolutely, especially for Windows machines. For example, at work I suffer with a laptop with XP pro and PGP 9.x. PGP 9.x uses a local proxy to encrypt and decrypt email. That operation leaves cleartext in temp files all over the place. These files don't get routinely deleted, much less wiped.

Example: I send an encrypted email, attaching a file from a mounted encrypted volume. A clear, decrypted version of the attachment file ends up permanently in a "temp" directory on the unencrypted part of the disk. Worse, I don't know about it; I have to specifically look for it an wipe it. This is reason number 1,264 why PGP 9.x is a non-starter.

In addition, the XP memory manager leaves clear text in the swap file. So you must encrypt the entire disk.

WARNING! PGP 9.x is buggy as can be. Some of the design decisions are so absurd as to make it a non-starter IMHO. One of the "features" new to 9.x is that, by default, the rules for outgoing email is to send it IN THE CLEAR if a recipient's key is unavailable. PGP calls this "opportunistic encryption". "Opportunistic security breach" would be a better term. This is the level of incompetence of the current PGP regime. I can't stress this enough: STAY AWAY FROM PGP 9.X!!!!!!

PGP 8.x is mostly OK. The Email engine did have one serious bug (undocumented of course, even years after I notified PGP corporation about it), where if you composed an HTML email, then changed it to plain text, then back to HTML, it would send it in the clear. But that was an edge case that we could live with. The current 9.x bugs and "features" are catastrophic.

I don't know if the Linux memory manager leaves clear text in the swap file. I have only ever encrypted the entire disk under Linux, so I don't know what the result would be for just encrypting a portion of it.

Using PGP 9.x to mount an encrypted volume under XP: No difference compared to standard share. Once I have mounted the volume (entering my pass phrase to do so), files are shared normally. There is no further authentication or decryption key needed. The decrypted data is being shared, not the encrypted volume. At least that's how I have done it. It may be possible to share the encrypted volume while still encrypted, but I have never tried.

PGP 9.x encrypting the whole disk and then sharing it: Unknown.

I *think* that XP can share its encrypted volumes in encrypted form, but I don't remember.

I created an encrypted volume under XP with Truecrypt. That was sharable in decrypted form.

My new personal laptop came with XP, which I immediately erased and installed Ubuntu Linux 7.10 "Gutsy". One installation option is to encrypt the entire disk, which I did. I *think* that it uses Truecrypt for this, but I am not sure. I have not yet tried to share any of it. I have not yet inspected the disk to see what data, if any, is leaking (e.g. swap files, temp files).

PGP 9.x, Truecrypt: Stored on disk locally, encrypted under a pass phrase.

Windows XP native: Unknown

PGP lets you create a master password that is optionally split. For example, at a previous job each person's PGP key had a master that was split into 3 fragments. Any 2 fragments could be combined to recreate the master. Supposedly these fragments were secure stored under the individual control of 3 executives, thus ensuring that it would take the agreement of at least 2 of them to recover it. This scheme required each user to encrypt the PGP session key to both his personal key and the master key, so it could be subverted by the user.

On balance, I can say that:

- Truecrypt runs flawlessly so far (about 1 year), is free, and is open source, so it can be trusted.

- PGP 9.x encrypted volumes work fine so far (about 2 years of experience with it). However, PGP 9.x is so buggy in other areas that it can't be trusted. In addition, ANY closed source application inherently can't be trusted. For these reasons PGP 9.x is a non-starter.

- PGP 8.x encrypted volumes work fine, but as I recall it won't encrypt the entire disk. Plus, it's closed source. Plus, it's no longer available for purchase. Non-starter.

- XP native encryption is closed source. Non-starter.

Re: Laptop Disk Encryption

Wow, Liberator, thanks for taking the time!

This is not something I'll be doing anytime soon, but something to investigate over 2008. I'll let you know what we eventually do.
--BC,

Re: Laptop Disk Encryption

I've used with no problems SecureDoc (www.winmagic.com) with tokens for years, and before that PointSec for years as well. I've used it on RAID systems (Raid 1), and SSD drives, SATA, etc.

As you can guess I have run some pretty strange setups, and never had problems with either system. I have had problems with PGP 9.x though.

Re: Laptop Disk Encryption

I am particularly concerned about USB external drives (we've "lost" some) and USB thumb drives. Ca WinMagic be used to encrypt files on these devices as well?
--BC,

Re: Laptop Disk Encryption

Yes, and you can set central policies that all removable devices must be encrypted before they can be used, etc.

Performance hit is around 3% or less, and I've SDocd drives up to a TB. SDoc has been around for a long time, back when there were only three of four serious players in the space. Their original product was meant for Fortezza cards if that gives you a hint as to who the big purchasers were.

Re: Laptop Disk Encryption

Here goes.

1. It depends on what the goal is. Generally, yes it is better that takes the burden off the user of deciding what to encrypt or not to encrypt.
2. This depends on the encryption product. Some encrypt/decrypt on the fly. Others encrypt/decrypt on log in. Determine which is your client preference and choose accordingly.
3. Again product specific. For an enterprise wide deployment, it is preferable to have a product that supports a self help or master password feature. That way if the user does something bad or forgets/looses their pass phrase the Help Desk or IT Security staff can recover for him. if it is a one-off where the user is the only one that knows it and something happens. The data is lost. Most of the better products are extremely hard to brute force without a considerable amount of resources.

Encourage your client to make sure he backups the information somewhere in an unencrypted form. Mistakes and drive failures do happen and when dealing with encrypted partitions/disk you should plan on that happening.

Another consideration is whether to use Preboot authentication (PBA) or not. In my opinion this will help determine just how secure your encryption is. Most of the products that I have looked at support either as it is easier to centrally manage a non-PBA dpeloyment as you can usually use AD Domain credentials for encrypting/decryption but a non-PBA deployment is definately less secure than PBA.

Re: Laptop Disk Encryption

How paranoid are you is the question in a nice way of course?

There is DriveCrypt from http://www.securstar.com/home.php which is produced by a foreign company and claims to be outside of US NSA imposed back doors. But then again they use common encryption algorithms that everyone else uses, but do go up to 1344 bit encryption.

There are hard drives with hardware encryption built in like Seagate:
These are for laptops.

http://www.seagate.com/www/en-us/pro...us_5400_fde.2/

Fujitsu makes them too.

I use PGP for e-mail but don't like their disk encryption. Expect it to be slow at least in my experience.

You should test anything you encrypt with FTK and Encase otherwise it mite be a waist of time. If these forensic analysis tools can read it then what's the point.

Then there is always MS Bitlocker, I figured I'd mention it since no one else did. But Vista sucks.

xor