Best whole disk encryption setup

  1. #1
    Junior Member
    Join Date
    Apr 2009
    Posts
    1

    Best whole disk encryption setup

    Hello everyone,

    I need a full disk encryption system.

    Windows Vista BitLocker I don't trust innately because Microsoft made it: (i) it's Microsoft; (ii) my heart says there's a back door there.

    I tried out PGP Desktop full disk at my work computer. It seems OK.

    What do you guys use or recommend?

    Price isn't an issue here because it is for my work system and we have an indefinite budget for this sort of stuff.

    Could you give me some explanations about the different packages?

    Also, most of these solutions don't offer plausible deniability, do they? What do you think the importance of this feature is?

    Thanks for your opinions :-)

  2. #2
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    One word

    TrueCrypt! It's free. It's amazing and it works super! It's software-based though, and isn't very flexible if you're going to deploy to non-technical users.

    The only hardware-based full disk encryption platform I've used is

    http://wave.com/products/tdm.asp - Trusted Drive Manager

    Here's a list that might help (not very comprehensive though):

    http://en.wikipedia.org/wiki/Compari...ption_software


    I would definitely suggest going for a hardware-based solution that integrates with a fingerprint scanner or other form of biometric authentication hardware. Also, you might want to get hardware that is FIPS certified if your environment demands it.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  3. #3
    Junior Member
    Join Date
    Dec 2002
    Posts
    23
    We currently use Checkpoint's Pointsec product. I have mixed feelings about Pointsec. I think it is all around a great product, but a little difficult to manage. It works on quite a few different OS platforms. Support isn't the best. However, you can implement their full security suite to provide OS control and removable drive encryption as well as Blackberry encryption I believe.

    Another company I looked into that did not meet our two-factor pre-boot requirements is Credant (http://www.credant.com/). I was really impressed with them, and wished we could have taken a better look into their product(s).

    This is just my experience with a few products, but I think your decision will vary according to what your security policy and environment look like. Remember that free is good, but when you're encrypting someone's data, it sure pays to have support when something goes wrong.

  4. #4
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003

  5. #5
    Member
    Join Date
    Aug 2005
    Posts
    98

    Safeguard Vs Pointsec

    I have used Pointsec and Safeguard Easy in previous roles (as they are the ones approved for Govt use within Australia).

    Pointsec was better as it allowed for more centralised management of Pointsec configuration and users. The version of Safeguard we were using did not provide centralised management, so any time there was an issue an admin had to physically touch each laptop/desktop. This may have changed with later Safeguard releases though (we were limited to using the Australian government approved version).

    http://www.checkpoint.com/pointsec/
    http://www.utimaco.com/C125748F00374.../INTERN_HomeEN

  6. #6
    Junior Member
    Join Date
    Jun 2009
    Posts
    1
    I work at a large law firm and tested Checkpoint/Pointsec, McAfee/Safeboot, Utimaco, and Credant. Like T3Gilligan, my exec management had some pre-conceived/old school notions about needing pre-boot to be secure. But a colleague of mine at another firm who went with Credant told me to take a look. And again like T3Gilligan, I was very impressed with Credant and ended up going with them.

    Pre-boot is absolutely not necessary from a security perspective and is a large reason why it's almost completely unmanageable. On the 2nd day of testing I found out something real interesting: the ONLY way pre-boot is secure is if the laptop is completely shut down when it's lost or stolen. I put one of the pre-boot laptops (won't say which one) into standby, which is what happens when you close the window but don't shut down (which everybody does; nobody shuts down their laptops anymore). When I brought it out of standby I ran a simple attack against it (basically a tool that creates a new local account), logged in, and all the data was mine. The problem with pre-boot is that, at the Windows prompt, the encryption key is available in memory, so any login gives you full access to the data. With Credant the keys are locked at the Windows prompt so there is no breach point. I honestly cannot prove that a laptop is completely shut off when it's stolen, so the pre-boot solutions were all aced out.

    Separation of data (local admin vs. domain user), reporting, ease of use, and no change to my desktop and ops processes were some of the other reasons. Very happy so far.

    Rich
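The standby weakness Rich describes (the volume key stays in RAM while the machine sleeps, so the pre-boot prompt never reappears) has a common mitigation on the defender's side: make the laptop hibernate instead of sleep, so the key is dropped and the pre-boot authentication is required again on resume. The script below is an added example, not code from the thread or from any of the vendors discussed; it assumes an elevated PowerShell session on a Windows host with `powercfg.exe` available and a full-disk-encryption product that covers the system volume (so the hibernation file itself lands on encrypted storage).

```powershell
# Added example: force hibernate instead of sleep so the FDE key leaves RAM
# whenever the lid is closed or the machine idles. Assumes an elevated
# PowerShell session on a Windows host; all settings use powercfg aliases.

function Assert-Admin {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this from an elevated PowerShell session."
    }
}

function Set-HibernateInsteadOfSleep {
    param([int]$HibernateAfterSeconds = 900)  # 15 minutes idle, then hibernate
    Assert-Admin

    # Make the hibernation file available (no-op if already enabled).
    powercfg /hibernate on

    # Button/lid actions: 0 = do nothing, 1 = sleep, 2 = hibernate, 3 = shut down.
    # Apply hibernate (2) to lid close, power button and sleep button, on AC and battery.
    foreach ($action in 'LIDACTION', 'PBUTTONACTION', 'SBUTTONACTION') {
        powercfg /setacvalueindex SCHEME_CURRENT SUB_BUTTONS $action 2
        powercfg /setdcvalueindex SCHEME_CURRENT SUB_BUTTONS $action 2
    }

    # Never enter standby on idle (0 = never); hibernate after the idle timeout instead.
    powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP STANDBYIDLE 0
    powercfg /setacvalueindex SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE $HibernateAfterSeconds
    powercfg /setdcvalueindex SCHEME_CURRENT SUB_SLEEP HIBERNATEIDLE $HibernateAfterSeconds

    # Re-activate the current scheme so the new indexes take effect.
    powercfg /setactive SCHEME_CURRENT
}

function Show-LidAndSleepSettings {
    # Audit output: the 'Current AC/DC Power Setting Index' lines should read 0x00000002
    # for LIDACTION and 0x00000000 for STANDBYIDLE after the change.
    powercfg /query SCHEME_CURRENT SUB_BUTTONS LIDACTION
    powercfg /query SCHEME_CURRENT SUB_SLEEP STANDBYIDLE
}

Set-HibernateInsteadOfSleep
Show-LidAndSleepSettings
```

This only narrows the window Rich found; while the machine is running and unlocked the key is still in memory, which is the trade-off any pre-boot FDE design carries.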

  7. #7
    Senior Member
    Join Date
    Aug 2001
    Location
    Calgary, AB Canada
    Posts
    140
    Corporate mandated that we use Utimaco for all of our laptops.

    It's not too bad, but it was a little buggy when we first started with it. You also have to make sure there are absolutely NO errors with the drive, and you need a bunch of contiguous space.

    The POA (Power on Authentication) concept is neat; however, as Rich says, not completely secure. The other issue with POA is caching the domain password.

    Let's say we log in as the local administrator and run the encryption. We then have to log off, then get the user to come upstairs and log in with their domain username / password. Then we have to right-click the little icon and tell Utimaco to sync up with the central server managed by corporate. This caches the username / password in Utimaco.

    If we skipped that step and rebooted, then handed the laptop back to the user, they would not be able to log in as their credentials would not be cached for the POA.


    Now, once we figured that out, there is the training issue. Let's say the user has a laptop that was left at home for a couple of months. Since then, they've changed their domain password a couple of times. Now they power on their laptop and POA pops up. I'd say 9/10 users (even after we TOLD them about this) tried using their current username/password, thinking that the laptop magically syncs with the domain when it's turned off. Next thing you know, they're locked out.

    We pick up the phone, call our eastern support desk, have to give them this long challenge key, and they read an even longer challenge response key back to us. Needless to say, it's frustrating.


    Unfortunately, we never got a chance to try out other vendors. I'm not sure how Utimaco stacks up against them.



    Dave
    Alcohol & calculus don't mix. Never drink & derive.
