6

I will soon be purchasing a number of laptops running Windows 7 for our mobile staff. Due to the nature of our business I will need drive encryption. Windows BitLocker seems the obvious choice, but it looks like I need to purchase either Windows 7 Enterprise or Ultimate editions to get it. Can anyone offer suggestions on the best course of action:

a) Use BitLocker, bite the bullet and pay to upgrade to Enterprise/Ultimate

b) Pay for another 3rd party drive encryption product that is cheaper (suggestions appreciated)

c) Use a free drive encryption product such as TrueCrypt

Ideally I am also interested in 'real world' experience from people who are using drive encryption software and any pitfalls to look out for.

Many thanks in advance...

UPDATE

Decided to go with TrueCrypt for the following reasons:

a) The product has a good track record

b) I am not managing a large quantity of laptops so integration with Active Directory, Management consoles etc is not a huge benefit

c) Although eks did make a good point about Evil Maid (EM) attacks, our data is not that desirable to consider it a major factor

d) The cost (free) is a big plus but not the primary motivator

The next problem I face is imaging (Acronis/Ghost/..) encrypted drives will not work unless I perform sector-by-sector imaging. That means an 80 GB encrypted partition creates an 80 GB image file :(

Chris Driver
  • I'm also interested in 'real world' experience with these technologies. For example, the user experience (from an end user point of view) and performance impact of using the various technologies. – Dave Drager Jan 19 '10 at 13:40
  • 1
    Chris, when you've made your decision and you've implemented it, after a couple of months "live" with your chosen option would you update/comment on the question saying what you did and what the experience was like? It would be *very* interesting. – T.J. Crowder Jan 19 '10 at 14:58
  • Related (but not duplicate): http://serverfault.com/questions/72298/truecrypt-encryption-tool – T.J. Crowder Jan 19 '10 at 15:03
  • Thanks for the update, Chris. Very interesting. On the imaging: You could always compress the resulting image, but obviously properly encrypted data doesn't compress well. :-) If your data doesn't need to be encrypted when backed up (e.g., you handle security differently), you could dual boot (directly or via boot media) to a minimal linux install (which gets you past the TrueCrypt stage, since it's in the loader) and then use any of several linux disk-cloning utilities (or even `dd`) to image and compress the unencrypted data. Be interested to know how things are six months into it, etc. – T.J. Crowder Jan 28 '10 at 17:02
  • Thanks for the update on why you chose what you chose. I'm surprised cost was a factor as you get Enterprise with SA – Jim B May 19 '10 at 14:16
  • @Jim B - My Windows licenses are OEM ones included with the laptop not Software Assurance versions. Therefore cost is a factor as I would either need to upgrade the OEM Windows version to Enterprise or purchase SA for each laptop. – Chris Driver May 19 '10 at 16:28
  • @Chris - you cannot upgrade to Enterprise; it is only available via SA. I would suggest you take a look at SA as it gives you other benefits as well (and at that point you might end up going to Enterprise since it's part of the SA purchase; the SA price is usually on the order of $30) – Jim B May 19 '10 at 20:08
  • @Jim B - Thanks for the advice. I'll look into it... – Chris Driver May 20 '10 at 09:39

9 Answers

4

Truecrypt : http://www.truecrypt.org/

It will encrypt mobile and internal drives completely; you can even encrypt the whole system partition on the fly and then set a boot loader password, which gives you more security on laptops.

And it's open source and free.

http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/

BitLocker is good too, but due to budget I would suggest using TrueCrypt.

Mutahir
    @rihatum Thanks for the reply. Do you use TrueCrypt yourself? Any issues with it? – Chris Driver Jan 19 '10 at 12:50
  • My thought is that BitLocker would be more interesting if you already do automatic deployment of laptops, have volume license agreements and an up-to-date Windows Server 2008+ infrastructure running... then it would deploy with basically zero impact and be an obvious choice, especially with the AD integration for recovery - but most smaller shops I know use TrueCrypt and love it. – Oskar Duveborn Jan 19 '10 at 13:14
  • TrueCrypt is *source-available*, not Open Source, see http://en.wikipedia.org/wiki/TrueCrypt#Licensing_and_Open_Source_status and https://tails.boum.org/doc/encryption_and_privacy/truecrypt/ – ian Feb 07 '14 at 13:18
4

With Evil Maid (EM) attack tools now available for TrueCrypt, I'd go for BitLocker if I had the budget, because EM-like attacks are quite a bit more complicated against it, and it integrates better with AD etc. as Oskar Duveborn stated.

I suggest you read Joanna Rutkowska's articles on both products:

http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html

http://theinvisiblethings.blogspot.com/2009/01/why-do-i-miss-microsoft-bitlocker.html

But if you're sure that your coworkers will always take good care of their laptops - with safety case and all, you can go for TrueCrypt.

Side notes

  • remember that full-disk encryption won't protect your data from inside [the OS], e.g. if your computer gets corrupted by a virus while running.

  • remember that technical solutions are just a part of the security chain (see http://xkcd.com/538/ for details).

Edit (01-20-2010)

Additional details about BitLocker and EM attacks:

  • Note that BitLocker will be more resilient than TrueCrypt only if used on a TPM-enabled computer.

  • There are ways of defeating BitLocker+TPM (article, paper) but no public tools available AFAIK. So while BitLocker is more resilient to opportunistic EM attacks (it takes more to re-develop a spoofed user interaction screen for BitLocker than just copying the EM tool for TrueCrypt onto a USB key), it's not 100% bulletproof (no solution is).

user9437
  • @eks Good observation – Chris Driver Jan 20 '10 at 10:29
  • With respect to the final point, the least detectable outcome of the fraunhofer attack is that the user is confronted with the [bitlocker tamper screen](http://i.stack.imgur.com/Bljnf.jpg). In other words, a boot path tampering evil-maid attack (i.e. the fraunhofer attack) is easily detected by a trained user on a BitLocker + TPM system. There's a Q&A on simulating such an attack [over on security.se.com](http://security.stackexchange.com/q/30818/12100). – alx9r Apr 30 '13 at 21:18
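The answer above makes BitLocker's Evil Maid resilience conditional on the TPM actually being in use, and alx9r's comment relies on the TPM tamper screen firing. The following script, added here as an illustration and not part of the original thread, is the check a deployer would run on each Windows 7 Enterprise/Ultimate laptop before trusting that posture: it reads the TPM state and the BitLocker key protectors on the system drive through the built-in WMI classes (Win32_Tpm and Win32_EncryptableVolume) and reports whether the volume is TPM-bound, whether unlock needs a PIN or startup key, and whether a recovery password exists. It assumes an elevated PowerShell prompt; the function names and the wording of the findings are my own.

```powershell
# Added example (not from the original thread): check that BitLocker on the
# OS volume is really bound to the TPM, which is the precondition eks gives
# for BitLocker being harder to spoof than a software-only boot loader.
# Assumes: Windows 7 Enterprise/Ultimate or later, run elevated, PowerShell 2.0+.

function Get-TpmState {
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }   # no TPM, or TPM hidden in firmware
    New-Object PSObject -Property @{
        Enabled   = $tpm.IsEnabled().IsEnabled
        Activated = $tpm.IsActivated().IsActivated
        Owned     = $tpm.IsOwned().IsOwned
    }
}

# Key protector type codes as documented for Win32_EncryptableVolume
$ProtectorNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key'; 3 = 'Numerical password (recovery)'
    4 = 'TPM + PIN'; 5 = 'TPM + startup key'; 6 = 'TPM + PIN + startup key'
    7 = 'Public key'; 8 = 'Passphrase'; 9 = 'TPM certificate'; 10 = 'CryptoAPI NG'
}

function Get-BitLockerProtectors([string]$DriveLetter = $env:SystemDrive) {
    $vol = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$DriveLetter'"
    if (-not $vol) { throw "No BitLocker-capable volume found for $DriveLetter" }
    $ids = $vol.GetKeyProtectors(0).VolumeKeyProtectorID   # 0 = all protector types
    $types = @()
    if ($ids) {
        foreach ($id in $ids) { $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType }
    }
    New-Object PSObject -Property @{
        Drive          = $DriveLetter
        ProtectionOn   = ($vol.GetProtectionStatus().ProtectionStatus -eq 1)
        ProtectorTypes = $types
    }
}

function Test-BitLockerEvilMaidPosture {
    $tpm = Get-TpmState
    $bl  = Get-BitLockerProtectors
    $tpmBound = @($bl.ProtectorTypes | Where-Object { 1,4,5,6 -contains $_ }).Count -gt 0
    $preBoot  = @($bl.ProtectorTypes | Where-Object { 4,5,6,8 -contains $_ }).Count -gt 0
    $recovery = @($bl.ProtectorTypes | Where-Object { $_ -eq 3 }).Count -gt 0
    $findings = @()
    if (-not $tpm) {
        $findings += 'No TPM visible: BitLocker here is software-only, like TrueCrypt'
    } elseif (-not ($tpm.Enabled -and $tpm.Activated -and $tpm.Owned)) {
        $findings += 'TPM present but not enabled, activated and owned'
    }
    if (-not $bl.ProtectionOn) { $findings += "Protection is OFF on $($bl.Drive) (suspended or not encrypted)" }
    if (-not $tpmBound) { $findings += 'No TPM-bound key protector: boot-path tampering is not detected' }
    if (-not $preBoot)  { $findings += 'TPM-only unlock: a stolen laptop still boots to the logon screen; consider a PIN or startup key' }
    if (-not $recovery) { $findings += 'No recovery password: a TPM validation failure leaves no way back in' }
    New-Object PSObject -Property @{
        Drive        = $bl.Drive
        ProtectionOn = $bl.ProtectionOn
        Protectors   = ($bl.ProtectorTypes | ForEach-Object { $ProtectorNames[$_] }) -join ', '
        Findings     = $findings
    }
}

Test-BitLockerEvilMaidPosture | Format-List
```

A clean result is protection on, a protector of type TPM + PIN (or TPM + startup key) plus a numerical password, and an empty Findings list; the same information is visible with `manage-bde -status` and `manage-bde -protectors -get C:`, but the script makes the TPM-bound condition explicit rather than leaving it to be read off a status screen.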
2

While TrueCrypt is appropriate for a small office / home office scenario, there are many reasons to go for a paid solution in a larger business:

  1. Management console
  2. Integration with Active Directory, so that end users only have to log on once.
  3. Remote password resets. Will an end-user need to call you for a password reset?
  4. Remote kill switch. Some offer this as well.

I'm currently reviewing a couple of 3rd party solutions, McAfee Total Protection for Data (formerly known as SafeBoot), and Symantec Endpoint Encryption.

One reason I did not look into BitLocker is that I have several machines already on Vista Business and I did not want to upgrade / re-provision them.

I also looked into the PGP solution but it requires a dedicated server or certified virtual server solution to manage the software and this was too much complexity for my scenario.

Tom Willwerth
2

Word of advice. I've just found out that the TrueCrypt license contains a legal "trap" that allows them to sue any user of the software, even if the user is following 100% of the license terms.

http://lists.freedesktop.org/archives/distributions/2008-October/000276.html

They were informed about it a long time ago by Fedora and did not fix it in the current version, so it seems to me it is in fact a deliberate trap.

kubanczyk
1

No issues with TrueCrypt whatsoever, as long as you follow the steps on their website for the different levels of encryption.

As far as BitLocker goes, as Oskar has already mentioned, it will be easier to manage - but if due to cost you can't go up to BitLocker you can always use TrueCrypt - very good.

Mutahir
  • Have you had direct experience using it to completely encrypt a computer's drive, including the system partition? What kind of speed impacts (if any) did you see? Was your experience on a Windows system? – T.J. Crowder Jan 19 '10 at 14:42
1

PGP has a good encryption product, for me. You can try it. It provides multiple encryption solutions and supports all versions of Windows 7.

sky100
  • @sky100 So have you have been actively using PGP drive encryption? Tom Willwerth (in another answer to my question) mentions that PGP requires a dedicated server / virtual server for management. Is this the case for you? – Chris Driver Jan 20 '10 at 10:20
  • @Chris Driver Check out www.pgp.com/products/wholediskencryption See "Centralized Management Requirements" under the Tech Specs. This PGP Universal Server is what I was referring to. – Tom Willwerth Jan 20 '10 at 14:24
  • @Tom Willwerth Thx for the URL and info – Chris Driver Jan 20 '10 at 15:42
1

To answer the second part of your question: Microsoft have variously claimed a CPU overhead of 5-6% for workstations/notebooks and 10-15% for servers with BitLocker. The performance impact on the HDD depends on how powerful your CPU is; for most current-gen notebook/desktop CPUs and drive systems the impact is not noticeable. I've run similar systems with and without BitLocker and this has definitely been my experience.

However this is dependent on the platform - Alexander Weiß at 4sysops did some performance comparisons and found a 29% to 50% reduction in sequential HDD transfer rate for an Atom-powered netbook; this is entirely due to the weaknesses of the low-power netbook CPU. Similar reductions are likely if you have an insanely fast SSD - the higher data rates will put a much more severe load on the CPU.

Helvick
1

The next problem I face is imaging (Acronis/Ghost/..) encrypted drives will not work unless I perform sector-by-sector imaging. That means an 80 GB encrypted partition creates an 80 GB image file :(

Just run the backup from the running machine so you will have an unencrypted image. Acronis should be able to do it, if I'm not wrong. If you still need security for the image too, you can put it in a safe or on an encrypted server disk. I would go with unencrypted backups for the data because I like failsafe backups.

If a quick restore of the system is needed, you will probably not get around imaging the encrypted drive.

deploymonkey
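Both Chris's update (an 80 GB encrypted partition gives an 80 GB image) and the answer above turn on the same fact: a sector-by-sector image of a TrueCrypt system partition is ciphertext end to end, so it does not compress, whereas an image taken from the unlocked side (a running-OS backup, or T.J. Crowder's suggestion of booting Linux and using dd) does. The script below is an added illustration, not code from the thread or from TrueCrypt; it estimates how much a raw image will shrink by gzip-compressing evenly spaced sample chunks of a file or volume, and runs itself against two constructed 8 MB files, random bytes standing in for an encrypted partition and mostly-zero data with some text standing in for a lightly used plain one. Function names, the sample data and the `-TotalBytes` parameter are my own assumptions; reading a raw volume such as `\\.\C:` needs an elevated prompt and, as assumed here, an explicit size because the .NET FileStream length is not reliable for device paths.

```powershell
# Added example (not from the original thread): sample a file or raw volume
# and estimate how much a sector-by-sector image of it will compress.
# Assumes PowerShell 2.0+ and .NET 2.0+ (GZipStream lives in System.dll).

function Get-GzipLength([byte[]]$Data, [int]$Count) {
    $ms = New-Object System.IO.MemoryStream
    # third argument $true leaves $ms open so its Length can be read after Close()
    $gz = New-Object System.IO.Compression.GZipStream($ms, [System.IO.Compression.CompressionMode]::Compress, $true)
    $gz.Write($Data, 0, $Count)
    $gz.Close()
    $len = $ms.Length
    $ms.Close()
    return $len
}

function Get-ImageCompressionEstimate {
    param(
        [Parameter(Mandatory=$true)][string]$Path,   # file, or a device path like '\\.\C:'
        [int]$Samples = 16,
        [int]$ChunkBytes = 1MB,
        [long]$TotalBytes = 0                        # required for device paths (assumption)
    )
    $fs = New-Object System.IO.FileStream($Path, [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        if ($TotalBytes -le 0) { $TotalBytes = $fs.Length }
        $buf = New-Object byte[] ($ChunkBytes)
        $raw = 0L; $packed = 0L
        for ($i = 0; $i -lt $Samples; $i++) {
            # evenly spaced, chunk-aligned offsets keep raw-volume reads sector aligned
            $offset = [long]([math]::Floor($TotalBytes * $i / $Samples / $ChunkBytes)) * $ChunkBytes
            if ($offset + $ChunkBytes -gt $TotalBytes) { break }
            $null = $fs.Seek($offset, [System.IO.SeekOrigin]::Begin)
            $n = $fs.Read($buf, 0, $ChunkBytes)
            if ($n -le 0) { break }
            $raw    += $n
            $packed += Get-GzipLength $buf $n
        }
    } finally { $fs.Close() }
    if ($raw -eq 0) { throw "Nothing sampled from $Path" }
    $ratio = $packed / $raw
    New-Object PSObject -Property @{
        Path                = $Path
        SampledBytes        = $raw
        CompressedBytes     = $packed
        Ratio               = [math]::Round($ratio, 3)     # ~1.0 means "do not bother compressing"
        EstimatedImageBytes = [long]($TotalBytes * $ratio)
    }
}

# Constructed demo inputs: random bytes stand in for ciphertext, a zero-filled
# file with 2 MB of repeated text stands in for a lightly used plain volume.
function New-DemoImages {
    $dir   = [System.IO.Path]::GetTempPath()
    $enc   = Join-Path $dir 'demo-encrypted.img'
    $plain = Join-Path $dir 'demo-plain.img'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] (8MB)
    $rng.GetBytes($bytes)
    [System.IO.File]::WriteAllBytes($enc, $bytes)
    $bytes = New-Object byte[] (8MB)    # zero-filled: unused sectors
    $text  = [System.Text.Encoding]::ASCII.GetBytes('Quarterly report draft, do not distribute. ')
    for ($o = 0; $o -lt 2MB; $o += $text.Length) {
        [Array]::Copy($text, 0, $bytes, $o, [math]::Min($text.Length, 2MB - $o))
    }
    [System.IO.File]::WriteAllBytes($plain, $bytes)
    return $enc, $plain
}

$enc, $plain = New-DemoImages
Get-ImageCompressionEstimate -Path $enc   -Samples 8 | Format-List
Get-ImageCompressionEstimate -Path $plain -Samples 8 | Format-List
# Against a real volume from an elevated prompt (assumed usage):
# Get-ImageCompressionEstimate -Path '\\.\C:' -TotalBytes (Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='C:'").Size
```

On the random file the ratio comes out at about 1.0 (gzip adds a few bytes per chunk), which is what a sector image of the encrypted partition looks like to any imaging tool; on the mostly-empty file it is a small fraction of 1. Running the same estimate against the volume from inside the running, unlocked OS tells you what an unencrypted backup of the same data would cost, which is the trade deploymonkey's answer is pointing at.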
0

Whole-disk encryption is probably not what you want. If you sign in to your computer, whole-disk encryption simply decrypts everything... at that time. Meaning any malware has access to everything the moment you sign in.

A more granular, reactive file-level encryption might be helpful.

Disclosure: I work for a file-level encryption company, not going to recommend a particular solution, but I do advise looking into alternatives to whole-disk.

Erik Aronesty