[SATLUG] Drive Encryption
Sean Carolan
scarolan at gmail.com
Fri May 25 11:32:29 CDT 2007
> I am mainly concerned with our
> mobile population. Is it more logical to use whole drive encryption or to
> use the containers to hold sensitive data on the laptops? If a laptop is
> lost or stolen, and someone with EnCase or any other forensic tools gets a
> hold of that laptop, can they pull the sensitive data from the laptop?

For your Windows-using laptop users, full disk encryption (FDE) with
2-factor authentication (e.g., password-protected smartcard or USB stick
with key on it) is probably the best you can get but can be expensive.
If you haven't got the budget for that you could consider using
TrueCrypt and tcgina to encrypt entire user profiles. I believe there
is a plugin that encrypts the swap as well. A password-protected
BIOS, and TrueCrypt to ensure at-rest encryption of the laptop data
would probably be effective.

If such a laptop were stolen by someone who happened to have a copy of
EnCase, they'd be hard-pressed to brute force a 256-bit AES encrypted
volume. You'd need to make sure your users and applications do not
store any sensitive files OUTSIDE the encrypted home directory though
or all bets are off.

Hardware-based FDE is the safest for laptops. I wish it were more
widely available for consumers today. I had to hack up my Ubuntu
installation a bit to get my home directory encrypted. This stuff
ought to be included out-of-the-box as an option you check during
installation.

Yet another reason I like OS X: it allows you to do exactly this,
encrypt your entire home directory just by checking a box in the
preferences . . .