Ask Slashdot: Full disk encryption with hardware token

jawtheshark (198669) writes | more than 2 years ago

Encryption 4

I've been tasked to look into full disk encryption for the company I work for. We're talking just five laptops running Windows XP or Windows 7 that will need it. The other branches are going with TrueCrypt and I do have experience with TrueCrypt. It works fine, but only requires a password. I investigated it and I thought I could "emulate" a two-factor authentication by having a password plus providing a USB stick with a keyfile. Turns out that this is not possible with TrueCrypt and full disk encryption.

I did Google around a bit, but I have no real comprehensive overview of "good" products. So, I ask the crowd here: what full disk encryption with two-factor authentication do you use? Are you satisfied with it? Pitfalls to avoid?


4 comments


I'd love to know what you decide (1)

stoolpigeon (454276) | more than 2 years ago | (#39780393)

I use TrueCrypt now on my Windows machines and whatever is baked into Fedora on my Linux machines. Having two-factor authentication would be really nice on my travel laptop, which is running Win7. Though it would need to be something I wouldn't lose.

Re:I'd love to know what you decide (1)

jawtheshark (198669) | more than 2 years ago | (#39780631)

The journal was submitted as a story, because I thought it would be of general interest. Give it a push if you like.

Lots more options than I thought (1)

Qzukk (229616) | more than 2 years ago | (#39780799)

According to Wikipedia [wikipedia.org], one of the options for BitLocker is to work with TPM's pin plus a USB Key. Doesn't help your WinXP systems much, though.

Wikipedia says there are a lot more options than I thought [wikipedia.org], but their table layouts are terrible and don't actually mention supported versions of Windows so you'd have to go one table and figure out which one has the features you want ("full disk encryption" isn't specifically named, but I'd assume that pre-boot authentication is a pre-requisite at least) then look at each one to see if XP is actually supported. I found one that should work ( http://www.jetico.com/encryption-bestcrypt-volume-encryption/ [jetico.com] ) before I decided that looking at all of them would take more time than I'm willing to work for free ;)

I would have thought that using an encrypted keyfile would be pretty standard. With a long enough command line I could specify a keyfile for cryptsetup, and the keys in the keyfile are themselves encrypted with my passphrase. My guess is that for the most part trying to cram USB and FAT/NTFS filesystem and file browsing support into the bootsector along with your crypt routines is Hard. BestCrypt's page suggests that it reserves some extra space that it doesn't encrypt, probably to give itself space to store a second stage.
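The passphrase-protected keyfile idea from the comment above, as an added sketch that is not part of the original post and is not cryptsetup's or any product's own code: a random volume key is wrapped under a passphrase-derived key, so the file on the USB stick and the passphrase are both needed. The function names, the 80-byte layout and the iteration count are assumptions, and the PBKDF2-mask-plus-HMAC wrap is a standard-library stand-in for a real authenticated cipher.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor; raise it as far as boot time allows


def _derive(passphrase: str, salt: bytes):
    # 64 bytes of output: 32 used as a one-time XOR mask, 32 as the HMAC key.
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=64)
    return okm[:32], okm[32:]


def make_keyfile(volume_key: bytes, passphrase: str) -> bytes:
    """Return the blob stored on the token: salt(16) | wrapped key(32) | tag(32)."""
    if len(volume_key) != 32:
        raise ValueError("volume key must be 32 bytes")
    salt = secrets.token_bytes(16)  # fresh salt, so the mask is never reused
    mask, mac_key = _derive(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(volume_key, mask))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return salt + wrapped + tag


def open_keyfile(blob: bytes, passphrase: str) -> bytes:
    """Recover the volume key; fails on a wrong passphrase or a modified file."""
    if len(blob) != 80:
        raise ValueError("malformed keyfile")
    salt, wrapped, tag = blob[:16], blob[16:48], blob[48:]
    mask, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("wrong passphrase or tampered keyfile")
    return bytes(a ^ b for a, b in zip(wrapped, mask))


if __name__ == "__main__":
    volume_key = secrets.token_bytes(32)  # constructed sample key for the demo
    blob = make_keyfile(volume_key, "sample passphrase")
    print("keyfile bytes on token:", len(blob))
    print("unlock ok:", open_keyfile(blob, "sample passphrase") == volume_key)
    try:
        open_keyfile(blob, "guess")
    except ValueError as err:
        print("stolen token, wrong passphrase:", err)
```

Anyone who gets a copy of the keyfile can still guess passphrases offline, so the passphrase strength and the work factor set the cost of an attack on a lost token.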

Re:Lots more options than I thought (1)

jawtheshark (198669) | more than 2 years ago | (#39780917)

Interesting... Thanks for all the information! I'm pretty surprised there is that much software doing this.