When to encrypt

Silentsoul · July 2008

I will be starting my new job on Thursday, I will be getting a desktop and a laptop. The director has told me to do with them as I see fit as far as setup and what not. Since it is only me and the director and I will be in charge of repairing and running the network and system I will have a lot of confidential information so here is my question. In the world of all these lost laptops and information, should I take these work computers and use some sort of third party software to encrypt all or an area of the drive to ensure files stored on it are safe and confidential. Seems since I will be starting from scratch and with nothing on the computers this would be a good time to try it out. Thanks for your input.

astorrs · July 2008

What O/S? If its Vista, use BitLocker.

Silentsoul · July 2008

they will be xp pro

LarryDaMan · July 2008

SecureDoc is good too.

Silentsoul · July 2008

Do you guys think it is a good idea to encrypt the drives on these new computers, or should I just not worry about it?

RTmarc · July 2008

PointSec is one of the best out there. If money is an issue, look at TrueCrypt (free - opensource). My thoughts on the subject is encrypt anything that leaves your corporate office; even things that don't can be encrypted. You would be surprised what information can be gleaned from a machine that you think has nothing confidential stored on it.

Full disk encryption is the only way to go.

shednik · July 2008

RTmarc wrote:

Full disk encryption is the only way to go.

+1...I was reading a blog post Network Security Blog, the article he cited stated "close to 10,278 laptops are reported lost every week." Full disk encryption is the way to go!

dynamik · July 2008

shednik wrote:

RTmarc wrote:

Full disk encryption is the only way to go.

+1...I was reading a blog post Network Security Blog, the article he cited stated "close to 10,278 laptops are reported lost every week." Full disk encryption is the way to go!

Yea, that number is ridiculous.

+1 for True Crypt.

Ahriakin · July 2008

Truecrypt is superb, you can easily encrypt and then decrypt the drive when you are using it, no data loss either way so give it a try and if you don't like it just decrypt the drive. I'd definitely encrypt the Laptop(s), Desktops preferably but you do have more physical security (presumably) to mitigate risk so it's your call based on the chance of theft vs. the confidentiality of the data they house.

JDMurray · July 2008

I secured my workstation (Vista Ultimate, 32-bit) with TrueCrypt 6.0a with full system disk encryption. When the computer boots, you must enter a pre-boot password or it will not boot. If you loose the password or the rescue disk, you are screwed. There may be a utility that will try to brute-forcing a TrueCrypted pre-boot password, but it would be quicker just guessing and hope that you remember.

I must say that, in reflection, disk encryption isn't necessary for a computer unless it (or its hard disks) will be leaving a secured area. Obviously, it's a must for laptops, but not for desktops, unless there is a danger of the computer being carried off. If you need to encrypt information in a folder or partition, you can use TrueCrypt, but Windows EFS or BitLocker would be more convenient.

Another problem with full disk encryption is that it's not possible to enter the pre-boot password remotely. If you work remotely over a VPN and install software or a Windows update that reboots your computer, you are screwed unless someone physically at the computer can enter the pre-boot password for you. THis is really a problem with unattended servers that are set to reboot when they auto-update or blue-screen.

I decrypted my system disk and it's all back to normal. I'll save the system disk encryption for laptops and just use encrypted volumes on my workstation.

Ahriakin · July 2008

Technically though you need to lose the Password AND the Rescue Disk to be hosed, the rescue is there as an emergency decrypter even if you have changed your password since the initial install. Which also you means you really need to secure them too.
Encrypting a server would be pretty extreme to me, I can see why ultra secret stuff might need it but for the average business if your physical security is lax enough for the server to be taken anyway you're screwed well beyond worrying about encryption at all imho. Still I guess it's all about how far you want to go.

Talic · July 2008

Is there any performance penalties with full disk encryption? If not, then I'll just do it with my T61 for the heck of it :P

Is it dual-boot friendly too? I always dual boot Linux and Vista 32 on my laptop.

RTmarc · July 2008

Talic wrote:

Is there any performance penalties with full disk encryption? If not, then I'll just do it with my T61 for the heck of it :P

Is it dual-boot friendly too? I always dual boot Linux and Vista 32 on my laptop.

PointSec told me that with their product there is, at most, a 2-3% reduction in performance and most times no one even recognizes it.

TrueCrypt has an option that allows for dual booting. I've never used it so I can't speak to it being friendly or not but the option is there.

JDMurray · July 2008

Talic wrote:

Is there any performance penalties with full disk encryption? If not, then I'll just do it with my T61 for the heck of it :P

I have heard independent reports that TrueCrypt's disk drivers are actually faster than Microsoft's disk drivers, so there is actually a measurable disk performance increase after TrueCrypt is installed. This increase is probably not noticeable by human users, but the benchmarking programs show that it's there.

When to encrypt

Comments