
What would be some of the best options for implementing TrueCrypt on all external devices, so that if any are lost or stolen the data is not readable to another person, but which could be managed in a way that users wouldn't accidentally forget their entire hard drive by losing an encryption key?

Each machine and user doesn't necessarily need to be encrypted from the others; however, if that would be manageable, obviously more security is always better.

This would be for a Windows domain that is primarily Windows XP / Server 2003. However there are future plans to migrate to Windows 7 and Server 2008.

How would you script the install for Active Directory?

Wesley
Chris Marisic

3 Answers


You should specify your OS, but why not keep all the keys backed up somewhere secure? Also, I would use a passphrase in combination with the key if you are not already. If the key is on something like a thumb drive, chances are they might lose that with the laptop (i.e., they are in the same bag), making the encryption pretty much useless in the first place.

Kyle Brandt
  • This was along the lines of some of my initial thoughts: to use a key file so I could securely store it on a server, as opposed to any type of token which, as you've pointed out, would just as likely be lost with the system. – Chris Marisic Jan 04 '10 at 21:07

One suggestion could be to encrypt the volume with an encryption key only (no passphrase), but keep the key always encrypted on laptops/workstations with EFS (Windows only), so that in reality both the user's password (optionally the backup agent key) and the encryption key are used by TrueCrypt.

This way, access to the encrypted devices will be "transparent" to the users, and you can manage passwords, EFS backup keys etc. centrally without having to worry about lost keys.

grojo
  • That is a very interesting idea, since then the key file could be stored securely on the server, so if the user required a password reset they would easily be able to receive a new copy of the key file. Is it easy to change the key files with TrueCrypt so we could implement a monthly rotation or similar? – Chris Marisic Jan 04 '10 at 21:05
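As an added illustration of the scheme grojo describes (this is example code, not something posted in the thread or shipped with TrueCrypt), a per-user logon script that refuses to use a cleartext keyfile, EFS-encrypts it if needed, and then performs a keyfile-only mount of the volume on the external device. The install path, keyfile location, volume path and drive letter are all assumptions; the TrueCrypt switches used (/v, /l, /k, /p, /q, /s) are the documented command-line options of the Windows build.

```powershell
# Added example (not from the original thread): logon script for the
# "keyfile only, keyfile protected by EFS" approach. All paths are assumptions.
$TrueCryptExe = 'C:\Program Files\TrueCrypt\TrueCrypt.exe'   # assumed install path
$KeyFile      = Join-Path $env:APPDATA 'corp\usb.key'        # assumed keyfile in the user's profile
$Volume       = 'E:\vault.tc'                                # assumed file-hosted volume on the USB device
$DriveLetter  = 'T'                                          # assumed mount letter

function Test-EfsEncrypted([string]$Path) {
    # True when the NTFS "Encrypted" attribute is set, i.e. EFS protects the file at rest
    $attr = (Get-Item -LiteralPath $Path -ErrorAction Stop).Attributes
    return [bool]($attr -band [IO.FileAttributes]::Encrypted)
}

if (-not (Test-Path -LiteralPath $KeyFile)) {
    # No local copy: the user needs a fresh copy from the central key store
    Write-Error "Keyfile $KeyFile is missing; request a copy before mounting."
    exit 1
}

if (-not (Test-EfsEncrypted $KeyFile)) {
    # Never leave the keyfile in cleartext on the workstation: wrap it with EFS,
    # which ties it to the user's Windows password and the domain recovery agent.
    [IO.File]::Encrypt($KeyFile)
}

if (-not (Test-Path -LiteralPath $Volume)) {
    exit 0   # device not plugged in; nothing to mount
}

# Keyfile-only mount: empty password (/p ""), keyfile via /k,
# /q exits after the action, /s suppresses prompts so a logon script never hangs.
& $TrueCryptExe /v $Volume /l $DriveLetter /k $KeyFile /p "" /q /s

# TrueCrypt's exit status is not relied on; verify the mount by checking the drive.
if (-not (Test-Path "${DriveLetter}:\")) {
    Write-Error "Volume $Volume was not mounted on ${DriveLetter}:"
    exit 1
}
```

Because only the EFS-wrapped copy of the keyfile ever sits on the workstation, a lost laptop or USB stick exposes neither the key nor the data, while the EFS recovery agent and a server-side copy of the keyfile cover the "user forgot their password" case centrally.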

Using TrueCrypt in a corporate environment can be a challenge. Our strategy was to script the install to enter a generic password, and save the rescue ISO for TrueCrypt to the user's "My Documents" directory. This directory is regularly backed up to a central server for our laptop users. The ISO contains the key encrypted with the generic password during the initial install. The user can easily change their passphrase on the laptop, which does not change the actual key used to encrypt the hard drive, which is stored on the ISOs encoded with the generic password.

If a restore is ever necessary, we burn the rescue CD, have the user boot from the ISO, enter the generic password, and then have the option to decrypt the hard drive, or replace the key with the original key. This gives us the option to reset the encryption passphrase, or to decrypt a laptop if a user is unavailable.

SteveM