5

I've been asked to look at full disk encryption software for our mobile users. We're running Windows XP SP3 PCs on a domain and my understanding is that we will not be upgrading to Vista and have no current plans to upgrade to Windows 7. This would seem to rule out Bitlocker. We'd like to look at two different types of solutions:

  1. An Active Directory-integrated solution that syncs Domain accounts and passwords for single-sign on to a PC. This solution should allow Domain Admins to access any encrypted drive and gets bonus points if decryption/encrypted disk access authority can be delegated to non-Domain Admins on the Help Desk.
  2. A solution that runs on each PC individually or in some sort of workgroup mode that allows a single master password to decrypt the laptop's drive. Syncing with Domain user accounts and passwords would also be nice, for end-user single-sign on.

The solution must be reliable (e.g. not lose password sync when a user is forced to change her Domain password on the road.) This is a small shop, so ease of administration is important.

The powers that be may rule out TrueCrypt because of its recent security vulnerability, but for the purpose of the question, I'd like to hear how well it meets these requirements. Same thing with BitLocker - it may be ruled out because of a lack of desire to upgrade Windows, but I'm interested in the job it does on Vista/Windows 7.

Carl C
  • Can you comment on the "recent security vulnerability" in TrueCrypt? I have no idea what that refers to. Having said that, I do NOT think TrueCrypt is ideal for the enterprise or even small business environment (despite my high respect for it for individual use). For FDE, TC is password-based and does not afford easy administrative management. There's a recovery CD, but that is for damaged MBRs, not for administrative access (i.e., you still need the p/w). TC also doesn't support SSO. BitLocker is pretty good and can be managed centrally (incl recovery keys). – Garrett Aug 04 '09 at 20:15
  • Sorry about my last post being all one big paragraph! Uggh. – Garrett Aug 04 '09 at 20:16
  • The vulnerability is described here: http://www.heise.de/english/newsticker/news/142881. Maybe it's not technically a *vulnerability*, but the likelihood is that it will be seen that way in some part because TrueCrypt is not a commercial product. – Carl C Aug 04 '09 at 21:42
  • Ahh, yes, I read about that as well. Of course, that "vulnerability" affects ANY software-based FDE that does *not* have a hardware component (like a TPM); it would even affect s/w-based FDE apps that DO use a TPM if they're not utilizing the PCR hashes (pre-boot integrity checking). Hence, it doesn't make sense to highlight TrueCrypt specifically for a more general avenue of attack that affects many vendors. (I'll also point out that that avenue of attack doesn't strike me as being very likely.) – Garrett Aug 05 '09 at 14:50
  • @Carl Campos, the fact that it is an open source product AND which is popular means TrueCrypt is studied more than most if not all commercial rivals. This actually increases its security, as you know experts have attempted to poke holes in the product and either failed, or succeeded and the product was subsequently fixed. Commercial products' security, on the other hand, is only on the say-so of the company, – KTC Aug 06 '09 at 08:24
  • @KTC I agree. The decision makers may not. – Carl C Aug 06 '09 at 16:06

7 Answers

4

Why, TrueCrypt!

Encrypts an entire partition or storage device such as USB flash drive or hard drive.

Using TrueCrypt Without Administrator Privileges

In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. The reason for that is that TrueCrypt needs a device driver to provide transparent on-the-fly encryption/decryption, and users without administrator privileges cannot install/start device drivers in Windows.

After a system administrator installs TrueCrypt on the system, users without administrator privileges will be able to run TrueCrypt, mount/dismount any type of TrueCrypt volume, load/save data from/to it, and create file-hosted TrueCrypt volumes on the system. However, users without administrator privileges cannot encrypt/format partitions, cannot create NTFS volumes, cannot install/uninstall TrueCrypt, cannot change passwords/keyfiles for TrueCrypt partitions/devices, cannot backup/restore headers of TrueCrypt partitions/devices, and they cannot run TrueCrypt in portable mode.


System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first track of the boot drive and on the TrueCrypt Rescue Disk.

Domain access is after the pre-boot login.

However, if the user needs to change the password and the employer expects to know that password, it is a matter of the employer trusting the user/employee.

nik
  • TrueCrypt isn't FIPS 140-2 certified, so you will still need to disclose the loss of a TrueCrypt-encrypted storage device with PPSI in most US States. – duffbeer703 Aug 09 '09 at 20:51
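Two points on this page are easier to see in code than in prose: Garrett's comment under the question that a loader-tampering attack is generic to any software-only FDE unless the boot chain is measured into TPM PCRs, and the answer above that TrueCrypt's pre-boot authentication is password-only, so an employer who wants access needs the user's password. The following is an added example, not TrueCrypt, BitLocker or any vendor's code. It is a toy model of an FDE volume header with two key slots (a user password slot and an admin recovery slot that both unwrap the same master key), plus an optional TPM-style PCR binding on the user slot. Everything in it is constructed: the loader bytes, the simulated TPM, the PBKDF2 iteration count, and the HMAC keystream used in place of a real cipher for key wrapping.

```python
import hashlib
import hmac
import os

# Added toy model (not TrueCrypt/BitLocker code): HMAC keystream stands in for a real cipher; loader bytes are constructed.
PCR_INIT = bytes(32)
GENUINE_LOADER = b"boot loader v1 (constructed stand-in for the first-track code)"
TAMPERED_LOADER = GENUINE_LOADER + b" with an unauthorised patch (constructed)"

def extend_pcr(pcr: bytes, component: bytes) -> bytes:
    """TPM extend: PCR = H(PCR || H(component)); one-way and order dependent."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components) -> bytes:
    pcr = PCR_INIT
    for component in components:
        pcr = extend_pcr(pcr, component)
    return pcr

class SimTpm:
    """Toy TPM: releases a sealed secret only if the live PCR equals the policy it was sealed to."""
    def __init__(self):
        self._sealed = {}
    def seal(self, secret: bytes, policy_pcr: bytes) -> int:
        handle = len(self._sealed)
        self._sealed[handle] = (secret, policy_pcr)
        return handle
    def unseal(self, handle: int, current_pcr: bytes) -> bytes:
        secret, policy_pcr = self._sealed[handle]
        if not hmac.compare_digest(policy_pcr, current_pcr):
            raise PermissionError("PCR mismatch: boot chain changed, key not released")
        return secret

def slot_key(secret: bytes, salt: bytes, tpm_secret: bytes = b"") -> bytes:
    """Stretch a slot secret with PBKDF2 (2000 iterations, chosen arbitrarily); mix in the TPM secret if bound."""
    stretched = hashlib.pbkdf2_hmac("sha512", secret, salt, 2000, dklen=32)
    return hashlib.sha256(stretched + tpm_secret).digest() if tpm_secret else stretched

def make_slot(master_key: bytes, secret: bytes, tpm_secret: bytes = b"") -> dict:
    """Wrap the 32-byte master key under this slot's derived key: XOR with an HMAC keystream, then MAC it."""
    salt = os.urandom(64)
    key = slot_key(secret, salt, tpm_secret)
    stream = hmac.new(key, b"wrap", hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(master_key, stream))
    tag = hmac.new(key, wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def open_slot(slot: dict, secret: bytes, tpm_secret: bytes = b"") -> bytes:
    """Recover the master key from a slot; a wrong secret fails the MAC check instead of returning garbage."""
    key = slot_key(secret, slot["salt"], tpm_secret)
    tag = hmac.new(key, slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        raise PermissionError("slot secret rejected")
    stream = hmac.new(key, b"wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(slot["wrapped"], stream))

def create_volume(user_password: str, recovery_key: bytes, tpm_secret: bytes = b""):
    """User slot (password, optionally TPM-bound) and admin recovery slot both unwrap the same master key."""
    master_key = os.urandom(32)
    header = {"user": make_slot(master_key, user_password.encode(), tpm_secret),
              "recovery": make_slot(master_key, recovery_key)}
    return header, master_key

def change_user_password(header: dict, master_key: bytes, new_password: str, tpm_secret: bytes = b"") -> None:
    """A password change re-wraps only the user slot; the recovery slot and the data are untouched."""
    header["user"] = make_slot(master_key, new_password.encode(), tpm_secret)

def preboot_unlock(header: dict, password: str, boot_components, tpm=None, handle=None) -> bytes:
    """Pre-boot stage. With no TPM nothing verifies the loader that asked for the password;
    with one, the TPM measures the chain and withholds its secret if the chain was altered."""
    tpm_secret = b""
    if tpm is not None:
        tpm_secret = tpm.unseal(handle, measure_boot(boot_components))
    return open_slot(header["user"], password.encode(), tpm_secret)

def demo() -> dict:
    results = {}
    recovery_key = os.urandom(32)  # escrowed for admins / help desk, never typed by the user
    # Software-only FDE: the user slot opens whether or not the loader was altered.
    header, master = create_volume("user-pw-1", recovery_key)
    results["sw_only_altered_loader_still_unlocks"] = preboot_unlock(header, "user-pw-1", [TAMPERED_LOADER]) == master
    # Admin recovery needs no user password and survives a user password change.
    change_user_password(header, master, "user-pw-2")
    results["recovery_after_pw_change"] = open_slot(header["recovery"], recovery_key) == master
    # TPM-bound user slot, sealed to the measurement of the genuine loader.
    tpm, tpm_secret = SimTpm(), os.urandom(32)
    handle = tpm.seal(tpm_secret, measure_boot([GENUINE_LOADER]))
    header, master = create_volume("user-pw-1", recovery_key, tpm_secret)
    results["tpm_genuine_unlocks"] = preboot_unlock(header, "user-pw-1", [GENUINE_LOADER], tpm, handle) == master
    try:
        preboot_unlock(header, "user-pw-1", [TAMPERED_LOADER], tpm, handle)
        results["tpm_altered_loader_blocked"] = False
    except PermissionError:
        results["tpm_altered_loader_blocked"] = True
    return results
```

Calling `demo()` returns four checks that should all be true. The first shows why a password-only loader, like the one described in the answer above, cannot notice that the code asking for the password was changed; the last shows the PCR-sealed case refusing to release the key after the same change, which is what Garrett means by pre-boot integrity checking. The recovery-slot check is the property the question asks for: admins open the volume with an escrowed key they hold, and a user changing her password on the road re-wraps only her own slot, so nothing falls out of sync.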
2

We use Guardian Edge Encryption Plus where I work. It's quite easy to use and has a single sign-on feature like you are looking for. I've set it up and used it on several laptops and am impressed with how non-interfering it is. Aside from the initial encryption, its operation is rarely noticed and (in my experience) never impacted the overall performance of the system.

Justin Bennett
2

We are using PGP Whole disk encryption where I work. I was not directly involved with the setup of it so I can't give you a lot of specifics. I do know that it is authenticating against our AD infrastructure, but it does not do single sign-on as the PGP layer happens at boot time before windows boots, and therefore before there is any windows network connectivity.

Alex
  • PGP WDE does have a configuration offering SSO but that may not have been implemented for various reasons. – damorg Aug 05 '09 at 16:23
1

We use Credant where I work. It's not very well liked, as the performance impact it has on the system is noticeable unless you negate it with a faster drive such as 7200RPM or SSD.

churnd
1

It might be useful to point out the products that were ultimately selected via the US Government's "SmartBuy" program. These products were selected to secure DAR (data-at-rest) and were all reviewed based on security needs, price, etc. From the agency's web site:

Products are:
* Mobile Armor LLC’s Data Armor
* Safeboot NV’s Safeboot Device Encryption
* Information Security Corp.’s Secret Agent
* SafeNet Inc.’s SafeNet ProtectDrive
* Encryption Solutions Inc.’s SkyLOCK At-Rest
* SPYRUS Inc.’s Talisman/DS Data Security Suite
* WinMagic Inc.’s SecureDoc
* CREDANT Technologies Inc.’s CREDANTMobile Guardian
* GuardianEdge Technologies’ GuardianEdge.

Conspicuously absent are: PGP WDE (I have a lot of respect for PGP, so I've no idea why they were omitted) and BitLocker (newer product, but deployable and manageable in enterprise environments, and very attractive with machines equipped with TPMs).

Also, I don't see mention of hardware-based solutions, like Seagate's Momentus FDE drive with management software by Wave Systems (or Secude's FinallySecure). New purchases could use these drives while existing machines used s/w-based FDE (I believe FinallySecure provides an integrated management for these mixed environments).

Garrett
  • PGP (or rather its creator) and the US Government don't have a good history - they spent years fighting each other (with the government harassing but never formally filing any charges) over the subject of cryptography as a weapon (arms export controls) and the placing of government backdoors in public encryption software. I doubt either party is very interested in dealing with the other. – David Aug 05 '09 at 17:56
  • @David - you're correct that Phil Zimmerman wasn't exactly Mr Popular with the No Such Agency, but I don't think that explains PGP Corp being omitted from the SmartBuy program. After all, government agencies are now relying on encryption products rather than prohibiting them. Further, PhilZ doesn't actually work at PGP nowadays. – Garrett Aug 05 '09 at 18:38
  • A couple of products are missing from that list, as CheckPoint/Pointsec FDE software was definitely on the list. BitLocker was initially excluded because of how it handled devices with multiple disk volumes, and the TPM requirement. – duffbeer703 Aug 09 '09 at 20:56
1

We use BeCrypt DiskProtect, which met with the various requirements that were stipulated to us.

I actually work on two different systems / networks, both use BeCrypt. One uses single sign on (unless otherwise specified) and the other is not single sign on.

From a security point of view I believe full disk encryption with single sign on is daft! Keyloggers, people watching what you are typing, and the use of your standard password in all sorts of places mean that once they have one, they have full access to your "secure machine".

I can understand it from an ease-of-use and a user point of view, but I believe having the separate logons provides just that extra layer of security.

Kip
1

We use SafeBoot at work, however I don't think it meets your AD requirements; it has its own server solution with userid/computer store (hence more admin overhead). Does have a list of who can boot each machine.

I find it slower than BitLocker and takes over the whole drive, MBR and all, which I hate, but no serious issues.

JamesR
  • Actually we have this sync'ing with our AD. Safeboot provides these tools. So it will satisfy AD requirements if that component is configured. – keithosu Aug 28 '09 at 20:07