Drive Workstation Encryption

From MissionTechWiki

The information on this page is deliberately non-specific. Do not discuss particular implementations. It is fine to compare products etc.

Description of Drive and Workstation Encryption

A part of Security Privacy Tools. To ensure that data is not accessible if a workstation is stolen or otherwise compromised, it is possible to encrypt data on the disk drives. This ranges from encrypting a directory/folder to encrypting the whole drive or filesystem. Encrypting the whole drive/filesystem reduces the possibility that a cleartext (unencrypted) copy of the data exists somewhere on the disk (such as in temporary areas).

How is Drive and Workstation Encryption used in Missions?

In situations where there is a serious risk of data being compromised by some means, and of that compromise impacting the lives of people, drive encryption is almost mandatory. Of course, there are always other means of obtaining the information that have nothing to do with computers.

Issues with Drive and Workstation Encryption

  • Cost
  • Complexity
  • Backup - If you are encrypting the data on your drive you probably want to do EncryptedBackups.

Different implementations and solutions using Drive and Workstation Encryption

Vijay Sarvepalli provided the following research:

Factors involved in encryption:

  • Key strength
  • algorithm used
  • containers vs. entire filesystems
  • two tier authentication options
  • key management
  • key recovery
  • ease of use

Products

PGP

NOTES: PKI encryption. Key management is standard. Can be applied to the whole drive and transparently. PGPDisk

Compsec

NOTES: Designed to secure the workstation specifically. It replaces the MBR1 so when first booted, user must enter the passphrase. I was unable to tell if it works on a second disk attached on the fly using USB. It supported secondary authentication. [1]

Cryptainer LE (and variants)

NOTES: Creates containers for encryption. Size is limited by version, but the largest was only a few hundred megabytes. Seemed easy to use. [2]

BestCrypt

NOTES: Many good features and well tested. Operates on containers. Hard to fully assess based on available documentation. [3] [4] NOTES: buy a disk... and ready to go?

Some other reviews and comparisons:[5] [6] [7]

Drive Crypt:

Best way to ensure whole hard drive temporary files and everything is encrypted with tiered encryption and multiple encryption algorithms.

DriveCrypt uses a large variety of encryption algorithms (including AES which is arguably the strongest) and allows the user to select the key strength up to an incredibly high bit value (1344). The program supported encrypting the entire drive as well as containers. It is also possible to include multiple tiered authentication by adding a USB key or other device that would be required in addition to the password if the user chose to set this up.

Key management seems to be thoroughly addressed with key recovery mechanisms as well as procedures to adequately control key changes and data changes. Unfortunately I was unable to find documentation online discussing how keys were managed specifically.

The software also seems easy to use once installed. Setup will require some planning, but did not appear to be overly burdensome.

Disks with encryption built in

http://www.schneier.com/blog/archives/2005/06/seagates_full_d.html

Vista

Vista includes disk encryption in some versions. It is called BitLocker.

There are other tools which provide encryption of the entire disk for Vista. These are in no particular order and may or may not be of use.

  • CE-Infosys' free CompuSec combined with their GlobalAdmin too
  • Utimaco (SafeGuard Easy for pre-Vista; SafeGuard Enterprise)
  • CE-Infosys CompuSec
  • Control-Break SafeBoot Device Encryption
  • PointSec for PC
  • WinMagic SecureDoc

Quote from gp

the computer industry has more or less collectively decided that full-disk encryption is an enterprise-grade application. The assumption is that machines regularly touch a LAN, and have support from professional IT.
In specific implementations, it seems that these assumptions also imply server connectivity to varying degrees, as PB has noted. In particular, most seem to want directory services coming from a server, for the purposes of passphrase recovery. I don't remember which ones are doing which, but some packages explicitly want connections to Active Directory, others may be able to integrate with other directory services, such as Novell NDS or LDAP.

Thus, among other things, most full-disk encryption packages (when they come available) are indicating that they will require versions of Vista that support Active Directory (and Windows Domains), namely Business, Enterprise and Ultimate. Even for BitLocker, it looks like the only provision for password recovery is via integration with Active Directory. Thus, for a stand-alone user with Vista Ultimate that runs BitLocker, in the event of a lost or forgotten password, there appears to be no capacity for recovery.

BW Says

we’ve made using Bitlocker (Vista’s built in disk encryption) mandatory on all new laptops starting this past summer. For new machines with a TPM chip on the motherboard, the experience is completely seamless to the end user – they don’t even really know that the encryption is in place on the machine. For older machines without a TPM, you have to plug a USB memory stick with the decryption key before powering the machine on. (The key can be removed once the OS has started to boot).
During the wizard to encrypt the HD, you will be given a chance to make a copy of the key either on a USB stick, printing it on paper, or saving in Active Directory (requires a schema upgrade for Windows 2003 or upgrading to Windows 2008 domain controllers. We haven’t tested this kind of key recovery yet for those reasons so I can’t really say how well it works).

If you want additional security beyond what the TPM provides, you can also require a PIN or USB key to unlock the drive. To enable those options, you’ll need to make some changes in the Group Policy or via Local Policy (for non-domain machines) before you start the encryption wizard.
I have two big complaints about Bitlocker. First is that it requires a second unencrypted partition for the boot loader to live on. The boot loader is only a few MB in size, but Bitlocker requires that volume to be a minimum of 1500MB wasting over a gigabyte of space on your HD. My second complaint is that Bitlocker is not part of the “Business” SKU but only in “Enterprise” (available only with Software Assurance) or “Ultimate.” For a new computer, this means having it come with Ultimate pre-installed (about a $75 upgrade on Dell’s configuration wizard versus the $130 to purchase the upgrade at Best Buy or whatever). Alternately, have the computer pre-installed with Business from the factory. Then you purchase just Software Assurance (and not the full upgrade license) from whomever you buy MS licenses from within 30 days of purchasing the new computer. On the charity license price list it should be about $35/machine. You then re-install the machine using the Vista Enterprise DVD and the new license key.
It hasn’t been an issue for us, but the current version of Bitlocker only allows one partition to be encrypted. I’ve heard that when SP1 is released, it will remove this restriction.
To get the Vista Enterprise edition DVD you could order a media kit with the Software Assurance order or you can download an ISO of the DVD from Microsoft’s eOpen licensing portal. That’s the same web site that you get your license keys from once the order is processed. At least that’s how it works for me using Charity Open Licensing. If you’ve got the bandwidth (2GB for the 32-bit version) and a DVD burner, I’d go for the download option and save the $25 cost for the media.
One other thing I should have mentioned. If you use Ultimate edition, it includes an applet (after you install the “Ultimate Extras” using Windows Update) that will automatically create the second unencrypted boot partition for you without needing to reformat the HD. If you use Enterprise, you don’t get that applet. But since you’ll be installing fresh from the DVD anyways, follow the directions in this TechNet article to appropriately partition the HD during install. http://technet2.microsoft.com/WindowsVista/en/library/c61f2a12-8ae6-4957-b031-97b4d762cf311033.mspx?mfr=true
Lastly, I’ve noticed that our Dell Latitudes all come with the TPM turned off in the BIOS so you’ll need to manually enable it before Windows will see it. Same is true for a couple of Fujitsus that I’ve set up. You should see the TPM in the Device Manager once it is enabled correctly.
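
An added example, not part of BW's post or of any product's documentation: a PowerShell check for the points raised above (TPM enabled, volume encrypted, optional PIN, and a recovery protector so a forgotten password is not fatal). It assumes the `Get-Tpm` and `Get-BitLockerVolume` cmdlets of Windows 8 / Server 2012 and later, which Vista does not have; `Test-BitLockerPosture` and `-RequirePin` are names invented for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the BitLocker posture of one volume.
# Assumes the BitLocker and TrustedPlatformModule modules (Windows 8 or later).

function Test-BitLockerPosture {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$RequirePin   # hypothetical local policy: TPM alone is not enough
    )
    $findings = @()

    # A TPM switched off in firmware setup is not visible or not ready here.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent)   { $findings += 'No TPM visible to Windows; check firmware setup' }
    elseif (-not $tpm.TpmReady) { $findings += 'TPM present but not ready for use' }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings += "Volume is $($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted"
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += 'Protection is off or suspended'
    }

    # Only protector types are inspected; recovery passwords are never printed.
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    if (-not ($types -match '^(Tpm.*|ExternalKey)$')) {
        $findings += 'No TPM or USB startup-key protector on the volume'
    }
    if ($RequirePin -and -not ($types -match '^TpmPin')) {
        $findings += 'Policy requires a PIN but no TPM+PIN protector is set'
    }
    # Without a recovery protector, a lost PIN or USB key means lost data.
    if ($types -notcontains 'RecoveryPassword') {
        $findings += 'No recovery password protector; back one up before relying on the disk'
    }

    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        Protectors = $types -join ', '
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

Test-BitLockerPosture -RequirePin | Format-List
```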

Other links

Other Information Resources:

http://www.thefreecountry.com/security/encryption.shtml
http://www.infoseccorp.com/products/secretagent/contents.htm
http://www.filesland.com/software/privacy-31.html

Original page: http://www.missiontech.info/wiki/DriveWorkstationEncryption

from the MissionTech Wiki created by the International Conference on Computers and Missions
