-
April 29th, 2009, 01:09 PM
#1
Junior Member
Best whole disk encryption setup
Hello everyone,
I need a full disk encryption system.
Windows Vista BitLocker I don't trust innately because Microsoft made it: (i) it's Microsoft; (ii) my heart says there's a back door there.
I tried out PGP Desktop full disk at my work computer. It seems OK.
What do you guys use? recommend?
Price isn't an issue here because it is for my work system and we have an indefinite budget for this sort of stuff.
Could you give me some explanations about the different packages?
Also, most of these solutions don't offer plausible deniability, do they? What do you think the importance of this feature is?
Thanks for your opinions :-)
-
April 29th, 2009, 04:46 PM
#2
One word
TrueCrypt! It’s free.. It’s amazing and it works super! It's software based though.. Isn't very flexible if you're going to deploy to non-technical users..
Only hardware based Full disk encryption platform I’ve used is
http://wave.com/products/tdm.asp - Trusted Drive Manager
Here's a list that might help (not very comprehensive though)..
http://en.wikipedia.org/wiki/Compari...ption_software
I would definitely suggest going for hardware based solution that integrates into a fingerprint scanner or other form of biometric authentication hardware.. Also you might want to get hardware that is FIPS certified if your environment demands so..
Last edited by ByTeWrangler; April 29th, 2009 at 04:55 PM.
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
May 8th, 2009, 04:43 PM
#3
Junior Member
We currently use Checkpoint's Pointsec product. I have mixed feelings about Pointsec. I think it is all around a great product, but a little difficult to manage. It works on quite a few different OS platforms. Support isn't the best. However, you can implement their full security suite to provide OS control and removable drive encryption as well as Blackberry encryption I believe.
Another company I looked into, that did not meet our two factor pre-boot requirements, is Credant (http://www.credant.com/). I was really impressed with them, and wished we could have taken a better look into their product(s).
This is just my experience with a few products, but I think your decision will vary according to what your security policy and environment look like. Remember that free is good, but when you're encrypting someone's data, it sure pays to have support when something goes wrong.
-
May 10th, 2009, 06:56 PM
#4
Parth Maniar,
CISSP, CISM, CISA, SSCP
*Thank you GOD*
Greater the Difficulty, SWEETER the Victory.
Believe in yourself.
-
May 13th, 2009, 01:13 AM
#5
Safeguard Vs Pointsec
I have used Pointsec and Safeguard Easy in previous roles (as they are the ones approved for Govt use within Australia).
Pointsec was better as it allowed for more centralised management of Pointsec configuration and users. The version of Safeguard we were using did not provide centralised management, so anytime there was an issue an admin had to physically touch each laptop/desktop. This may have changed with later Safeguard releases though (we were limited to using the Australian government approved version).
http://www.checkpoint.com/pointsec/
http://www.utimaco.com/C125748F00374.../INTERN_HomeEN
-
June 7th, 2009, 07:40 PM
#6
Junior Member
I work at a large law firm and tested Checkpoint/Pointsec, McAfee/Safeboot, Utimaco, and Credant. Like T3Gilligan, my exec management had some pre-conceived/old school notions about needing pre-boot to be secure. But a colleague of mine at another firm who went with Credant told me to take a look. And again like T3Gilligan, I was very impressed with Credant and ended up going with them. Pre-boot is absolutely not necessary from a security perspective and is a large reason why it's almost completely unmanageable. On the 2nd day of testing I found out something real interesting. The ONLY way pre-boot is secure is if the laptop is completely shut down when it's lost or stolen. I put one of the pre-boot laptops (won't say which one) into standby, which is what happens when you close the window but don't shut down (which everybody does; nobody shuts down their laptops anymore). When I brought it out of standby I ran a simple attack against it (basically a tool that creates a new local account), logged in and all the data was mine. The problem with pre-boot is that, at the Windows prompt, the encryption key is available in memory, so any login gives you full access to the data. With Credant the keys are locked at the Windows prompt so there is no breach point. I honestly cannot prove that a laptop is completely shut off when it's stolen, so the pre-boot solutions were all aced out. Separation of data (local admin vs. domain user), reporting, ease of use and no change to my desktop and ops processes were some of the other reasons. Very happy so far.
Rich
-
June 11th, 2009, 09:08 PM
#7
Corporate mandated that we use Utimaco for all of our laptops.
It's not too bad, but it was a little buggy when we first started with it. You also have to make sure there are absolutely NO errors with the drive, and you need a bunch of contiguous space.
The POA (Power on Authentication) concept is neat; however, as Rich says, not completely secure. The other issue with POA is caching the domain password.
Let's say we log in as the local administrator and run the encryption. We then have to log off, then get the user to come upstairs and log in with their domain username / password. Then we have to right click the little icon and tell Utimaco to sync up with the central server managed by corporate. This caches the username / password in Utimaco.
IF we skipped that step and rebooted, then handed the laptop back to the user, they would not be able to login as their credentials would not be cached for the POA.
Now, once we figured that out, there is the training issue. Let's say the user has a laptop that was left at home for a couple months. Since then, they've changed their domain password a couple of times. Now they power on their laptop and POA pops up. I'd say 9/10 users (even after we TOLD them about this) tried using their current username/password, thinking that the laptop magically syncs with the domain when it's turned off. Next thing you know, they're locked out.
We pick up the phone, call our eastern support desk, have to give them this long challenge key, and they read an even longer challenge response key back to us. Needless to say, it's frustrating.
Unfortunately, we never got a chance to try out other vendors. I'm not sure how Utimaco stacks up against them.
Dave
Alcohol & calculus don't mix. Never drink & derive.