Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Whole Disk Encryption For Vista?

timothy posted more than 6 years ago | from the just-wait-for-it dept.

Encryption 125

Q7U writes "After reading about several laptop thefts and losses, my boss wants me to set up whole disk encryption for her Vista travel laptop. After doing some research, it seems she has three options: Bitlocker (part of Vista Ultimate), PGP Whole Disk Encryption, and TrueCrypt. My main problem now is choosing one. I can't find any comparitive reviews of these products to determine which will be the best choice, so I was hoping the Slashdot crowd could suggest which product they would go with and tell us what they liked about their choice."

Sorry! There are no comments related to the filter you selected.


Anonymous Coward | more than 6 years ago | (#24502783)

.| |
a goatse desktop them helps prevent laptop theft []

No Comparisons? (5, Insightful)

toleraen (831634) | more than 6 years ago | (#24502815)

You could always, you know, type it into Google. []

Re:No Comparisons? (0)

Anonymous Coward | more than 6 years ago | (#24503055)

Yeah, you'd think that Jeffrey Flowers would know how to use Google. Sheesh!

Those comparisons are old. (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24503887)

Those comparisons all seem to be old.

There is only one answer: TrueCrypt [] . Note that version 6.0a is much more powerful than earlier versions.

Commercial software cannot be trusted with something so important, for two reasons:

U.S. government surveillance: All of the U.S. government's many secret departments believe that they can order executives of companies that do business in the U.S. to a) provide any help they want so that they can accomplish surveillance, and b) put the executives in prison if they reveal the corruption. So, any software that has ever been under U.S. control, or has been corrupted by the U.S. government, cannot be trusted.

Often employees of U.S. government secret departments take jobs in commercial companies, and pretend to be normal employees, while serving illegal purposes of the secret departments. So even companies in other countries cannot be trusted.

Please check this carefully if you doubt it. The U.S. government uses what is called signing statements [] , which at present basically mean that a U.S. president can authorize breaking any law, merely by signing his name. That corrupt system has been used to challenge hundreds of laws [] .

Closed source software cannot be trusted until the secret employees of the U.S. government are tried for treason, and an open government is established. It does not seem that will happen soon.

The Bush and Cheney families and friends and associates are oil and weapons investors, and they use secret surveillance as a way getting what they want, no matter how illegal. For example, the U.S. government is already fighting a war with Iran [] . There is talk of "diplomacy", but that is only to limit awareness of what the corrupters are doing. There are three groups of people who want war with Iran: weapons investors, oil investors, and Jews. The situation is the same as before invading Iraq. There was talk of diplomacy, but the leaders in Iraq knew that the U.S. government would invade, no matter what was said, so they acted in a hysterical fashion.

The purpose of invading Iran seems to be the same as the purpose of invading Iraq: to restrict the supply of oil even further, so that oil prices will rise even further. Weapons investors want continuous war, and an invasion of Iran would almost certainly cause that.

Changes in company management: A trustworthy company may be sold to another, less well-managed company. The less well-managed company may outsource some changes, or hire an employee that is not trustworthy. One of the changes can be the inclusion of a back door, or some other corruption. That's only one example. There are many other ways that there can be such problems with closed-source software.

Re:Those comparisons are old. (1)

ozphx (1061292) | more than 6 years ago | (#24507173)


You sir, are an ass.

Door is to your left, GTFO.

Re:Those comparisons are old. (1)

mitgib (1156957) | more than 6 years ago | (#24510797)

While this is tinfoil hat paranoia in the extreme, there is some basis for taking a little heed to it's direction. And that said, I'd like to hear the options that probably cannot be circumvented by various government entities and the worst case is you are handing them a brick.

Re:No Comparisons? (5, Funny)

aztektum (170569) | more than 6 years ago | (#24504347)

The first hit from your link is this /. story, upon which the first comment is yours. I just spent the last hour going in circles!

Re:No Comparisons? (1)

toleraen (831634) | more than 6 years ago | (#24505173)

Well, was that hour really any worse than reading through this Ask/.? No need to thank me, I'm just here to help!

Re:No Comparisons? (2, Funny)

Pseudonym (62607) | more than 6 years ago | (#24505387)

Serves you right for feeling lucky.

Re:No Comparisons? (1)

felipekk (1007591) | more than 6 years ago | (#24505079)

But then he wouldn't have an excuse to browse through /. the whole week...

Re:No Comparisons? (2, Informative)

bozojoe (102606) | more than 6 years ago | (#24506731)

Re:No Comparisons? (2, Insightful)

petermgreen (876956) | more than 6 years ago | (#24508407)

wikipedia prefers "verifiability" over truth so I would be very suspicious of any comparison articles of thiers.

Fourth option (4, Informative)

mvdwege (243851) | more than 6 years ago | (#24502819)

There's a fourth option: SafeBoot. I recently got the basic Administrator training for the product, and it is very nice. Integrates well with enterprise directory services like AD and LDAP, for central deployment of configs, uses decent well-documented standard crypto algorithms and key exchange protocols, and is very transparent in use. All that you see of the encryption is a password entry on boot, everything else is completely transparent.


Re:Fourth option (5, Informative)

Nos. (179609) | more than 6 years ago | (#24503369)

We went with Safeboot also, but given the submitter's description, I wouldn't recommend it. Safeboot is nice for an enterprise type rollout, not for one laptop. You really don't want to support the backend infrastructure for one machine.

Go with TrueCrypt or BitLocker for a one-off.

Re:Fourth option (3, Informative)

Vancorps (746090) | more than 6 years ago | (#24503517)

There is also VMWare's ACE which gives you all sorts of options. Additionally there are Virtual desktop scenarios which means that all your work data is done in the VM where everything is encrypted. That leaves the host OS for guests to use. If the laptop is stolen then the user only loses the work that they did between the time they were last plugged into the network, VPN connectivity even counts.

HP and Lenovo both have whole disk encryption options that work at the enterprise level. My primary experience is with HP which allows me to keep a backup key on a couple of USB thumb drives which can be stored in separate locations. Truecrypt as this same ability and both options are transparent to the OS for the most part.

Re:Option 4b (1)

kenif (1263482) | more than 6 years ago | (#24510711)

And that means she could run VMWare on a Mac, which is only a grillion times more secure for starters. Plus, it's sexier, and accessorizing is everything... Running VMOSX on a screaming AMD and VMXP on a Mac.

Re:Option 4b (1)

Vancorps (746090) | more than 6 years ago | (#24510845)

VMWare in an ACE environment is just as secure on Windows as it is on any client down to Windows CE or SUSE Enterprise Desktop, that's the beauty of it. Run whatever you want on whatever base OS you want. The security is the same as you still have your AES or blowfish or whatever encryption method of choice protecting the VM image.

All you need after that is two factor authentication and you're pretty damned secure and you dont have to worry about the host OS as much regardless of your platform of choice.

Re:Fourth option (0)

Anonymous Coward | more than 6 years ago | (#24513859)

I have to disagree about SafeBoot. Most of the options are set on a per-user basis and the service for syncing periodically crashes which can cause all sorts of haovic (primarily passwords getting changed back to older passwords). Plus the default password for new accounts is 12345, so you have a real weakness in the system between the time you add a user and that user changes their password (or in our case the administrator does it for them the first time to avoid the problem).

Why whole disk? (1)

arizwebfoot (1228544) | more than 6 years ago | (#24502831)

Just truecrypt the saved data.

Re:Why whole disk? (4, Informative)

dlcarrol (712729) | more than 6 years ago | (#24502877)

Hibernation would leave stuff that is in memory open to inspection.

Re:Why whole disk? (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24506787)

Yes, totally true except that on Vista the hibernation file is on the root disk drive and automatically encrypted under bitlocker... Hibernate's not a problem for Windows + Bitlocker.

Just because you read some exploit again some disk encryption software on Slashdot months back doesn't make it true for all encryption software. You should check these things before you post crap.

I wish /. mods with goldfish memories and a vendetta against Microsoft would stop modding things like this up.

*awaits his -1 troll, the same -1 troll he gets 99% of the time he corrects people with "facts".*

Re:Why whole disk? (3, Insightful)

Anonymous Coward | more than 6 years ago | (#24506973)

Wow, it amazes me that people are so quick to be dicks to each other. What the fuck is wrong with the world? Couldn't you have said the same thing but without the venom? Oh yeah, fuck you.

Re:Why whole disk? (0)

snowraver1 (1052510) | more than 6 years ago | (#24502907)

Or, you know tell her that she should not be storing ANY data on her computer. ALL data is to be saved to the network shares for backup control and security. If she needs to access something on the road, use VPN.

Re:Why whole disk? (2, Insightful)

compro01 (777531) | more than 6 years ago | (#24503061)

Which assumes she has access to an adequately fast connection. 14.4k dial up + multi-meg files = not getting anything done.

Re:Why whole disk? (1)

shaitand (626655) | more than 6 years ago | (#24503169)

14.4k? At least use an example that someone has used this decade. 56k dial-up is extreme enough for an example of a slow connection.

Re:Why whole disk? (3, Informative)

compro01 (777531) | more than 6 years ago | (#24503283)

In the last decade? Try in the last week. I regularly deal with people with that kind of connection (often CDPD with a high-gain antenna). Far north conservation officers, for example.

Re:Why whole disk? (0)

Anonymous Coward | more than 6 years ago | (#24503771)

Yep, my folks are stuck at 28.8 or slower on dial-up in the good 'ol US of A

Re:Why whole disk? (2, Interesting)

shaitand (626655) | more than 6 years ago | (#24508887)

Thats very depressing my friend, very depressing. How could it possibly make more sense to work around the limitations of 14.4k than to use a sat link?

Re:Why whole disk? (2, Informative)

compro01 (777531) | more than 6 years ago | (#24509107)

Satellite doesn't work too well when you're got a hill or a forest blocking the view.

Re:Why whole disk? (2, Interesting)

petermgreen (876956) | more than 6 years ago | (#24508445)

There really are folks stuck on connections that slow or even slower.

Conventional GSM dialup for example is only 9.6kbps. Sure there is HSCSD and GRPS but I don't think they are universally supported.

and I don't think I've ever seen a 56K dialup connection. In my experiance called 56K modems connect at fourty something at best and on crappy lines much much slower.

And of course there are people stuck with no connection (or no affordable connection) at all.

Re:Why whole disk? (1)

shaitand (626655) | more than 6 years ago | (#24509015)

The fact that you can get a connection that is that slow is no reason to use it. I feel bad enough for my customers that I have to convince to finally get rid of 56k.

If you are in the last mile there is a broadband option for you, it sucks, but its a hell of alot better than dial-up. There are a couple companies that will offer you a connection via small dish sat link and AFAIK you should be able to get coverage pretty much anywhere in the US.

As for the rest of the world, well for all intents and purposes they don't exist anyway. This is a US forum.

Re:Why whole disk? (2, Informative)

slaker (53818) | more than 6 years ago | (#24511595)

There are small towns all over the US for which there is nothing but dialup available, sir. Hell, there are small towns where cable TV isn't even available. I realize this may be news to you, but not everybody lives in urban or suburban areas.

My uncle is director of Public Health for a county in Illinois. The *only reason* which the BFE Small Town near where he lives has even partial DSL access is that his status as a Homeland Security First-Responder was enough to get Verizon off its ass and build a LEC just for him (he is legally required to have "fast" internet service at his home, and telcos are obliged to provide it, apparently).

The hilarious outcome of this is that there is a tiny (outhouse-size) brick building with a Verizon sign right off the edge of his property, surrounded on all sides by a corn field. My uncle has 3Mbit DSL service and the folks who live just on the edge of the closest town (population 1200) can get 384k or whatever it is. Everyone else there is screwed.

Re:Why whole disk? (1)

petermgreen (876956) | more than 6 years ago | (#24511695)

If you are in the last mile there is a broadband option for you, it sucks, but its a hell of alot better than dial-up. There are a couple companies that will offer you a connection via small dish sat link and AFAIK you should be able to get coverage pretty much anywhere in the US.
Sure but this discussion is about people on the move. Most people would not want to lug a satalite dish arround (only practical if travelling by road) and align it every time they need internet access. Not to mention the high subscription costs

So that leaves the cellphone networks and whatever is provided locally at the place you are going. In some places it may leave no practical connectivity option at all.

As for the rest of the world, well for all intents and purposes they don't exist anyway. This is a US forum.
I think you will find there are quite a lot of people from other countries here. Even if there weren't people do travel out of thier home countries.

Re:Why whole disk? (1)

liquidpele (663430) | more than 6 years ago | (#24503179)

Until the VPN concentrator goes down while she needs something very important. That's a horrible idea for anyone that could possibly need something urgent.

Re:Why whole disk? (4, Informative)

apparently (756613) | more than 6 years ago | (#24503905)

Or, you know tell her that she should not be storing ANY data on her computer. ALL data is to be saved to the network shares for backup control and security. If she needs to access something on the road, use VPN.

Riiiiiiiiight. Because your solution works really well on airplanes, client-sites w/o internet access, or anywhere else where network access may not be available.

Good job on coming up with novel solutions to difficult problems. Are you in middle-management by chance?

Re:Why whole disk? (2, Informative)

spinkham (56603) | more than 6 years ago | (#24508845)

The problem is that many programs store temporary working copies on the local disk no matter where you store the main file (Microsoft Office, I'm looking at you...).
If you have data worth stealing, full disk + swapfile encryption is the only way to go.

Re:Why whole disk? (5, Insightful)

Nos. (179609) | more than 6 years ago | (#24503399)

Just truecrypt the saved data.

Because there are too many "gotchas" to not do FDE these days. Did you configure all your applications to only cache/auto-save/etc to the "secure" area of the drive? Did that last update to application Y override those changes? What about hibernation mode? The pagefile?

Re:Why whole disk? (1)

grudy (206896) | more than 6 years ago | (#24504387)

The problem with that is that cache and "temporary" copies are not necessarily likely to be encrypted... For example, every time you open an Office file, a second copy (~whatever) is created. Also, not all users are bright enough (or are too lazy) to remember to place their "important" files into the safe. Also, the process of classifying "important" files becomes too subjective. Another consideration is user account information -- passwords and likes -- SAM, application credentials, VPN accounts, etc.

Re:Why whole disk? (1)

petermgreen (876956) | more than 6 years ago | (#24508489)

Just truecrypt the saved data.
The problem is that data gets stored places other than where the user explicitly saves it. Swap space and the temp directory are the most obvious, but if the app is badly behaved there could easilly be other locations too.

On *nix you can mount partitions with apps on read only and have all read-write areas encrypted but that isn't an option under windows. I guess you could use file permissions to a similar affect but you would have to be very carefull.

Encrypting everything is the safest

Only one really secure option (4, Interesting)

Gat0r30y (957941) | more than 6 years ago | (#24502861)

Hardware based encryption - have IT put in an FDE Drive. While software based encryption options are good, and most certainly better than nothing, the only really secure way to go is Hardware based.

Re:Only one really secure option (4, Informative)

croddy (659025) | more than 6 years ago | (#24503189)

Except sometimes, the box says AES and instead you get XOR. [] I'll take LUKS and dm-crypt over that any day of the week.

Re:Only one really secure option (2, Interesting)

harlows_monkeys (106428) | more than 6 years ago | (#24504529)

That Heise article was unclear. The clustering in their plot doesn't necessarily indicate XOR with a fixed block. The same thing would show up if a block cipher (even a very good one) was being used in ECB mode.

I note that after they assume XOR with a fixed block, and derive that block from one known plaintext sector, they say they could now decrypt the rest of the disk, but they don't say that they DID do that. Just that they could.

They need to actually do that decryption of other blocks, to see if it really is just XOR'ing with a fixed block, as opposed to, say, using a block cipher in ECB mode.

Re:Only one really secure option (3, Insightful)

this great guy (922511) | more than 6 years ago | (#24506245)

Nope. Whether the solution is software or hardware is absolutely irrevelant to the security of the cryptographic routines. Plus, the fact is that virtually all hardware products are proprietary and lack the peer-reviews that open standards or open source software enjoy. Just ask any decent cryptographer whether she would trust a black box (storage device with built-in encryption, proprietary "secure" protocol, etc), or peer-reviewed, open, standard solutions (TLS/SSL, IPsec, TrueCrypt, etc). BTW I look forward to the IEEE P1619 project coming up with a final standard.

Just look up the numerous stories about USB keys with built-in encryption that have been cracked for example.

Re:Only one really secure option (0)

Anonymous Coward | more than 6 years ago | (#24506321)

And you base this on.....? Oh right, nothing.

Re:Only one really secure option (0)

Anonymous Coward | more than 6 years ago | (#24507077)

In term of HW encryption, she could also go for an encrypted external hard disk, like the ones from LaCie. I have and it is so convenient to put all the documents I really want to protect.

didn't you hear? (5, Funny)

Anonymous Coward | more than 6 years ago | (#24502865)

Didn't you hear? They found the laptop in the same locked room where they thought it was missing from. So there's really nothing to worry about.

If it's business, enterprise or ultimate (4, Informative)

Toreo asesino (951231) | more than 6 years ago | (#24502867)

then Bitlocker will work fine. Otherwise you won't have it.

In fact, on a active directory, you can configure bitlocker for your entire network to automatically encrypt volumes and backup the TPM recovery information to the Active Directory if you so desire - []

Other than that, TrueCrypt works just as well for standalone machines.

Re:If it's business, enterprise or ultimate (3, Insightful)

Joe U (443617) | more than 6 years ago | (#24503245)

I recommend TrueCrypt for the average home user, but Bitlocker's AD integration makes it a no-brainer for a Windows network. If you don't have a TPM laptop, then you can use a thumb drive. The Bitlocker certificate is just a text file on the thumb drive. Just keep the thumb drive and the laptop away from eachother when not booting, losing both together doesn't offer any protection.

Re:If it's business, enterprise or ultimate (0)

Anonymous Coward | more than 6 years ago | (#24504621)

Business doesn't come with Bitlocker, and you really want to have TPM in your system if you use it and make sure you have a bios password to protect against the cold boot exploit.

drive crypt (3, Informative)

ya really (1257084) | more than 6 years ago | (#24502919)

They offer total 256bit AES disk encryption with DriveCrypt Plus Pack. It requires pre-boot authetication before you can do anything. It also comes with stronger container encryption, like 1344bit triple blowfish.

Option Four... the Dilbert option.. (4, Funny)

Channard (693317) | more than 6 years ago | (#24502933)

... do nothing and wait till your boss forgets about it or decides it doesn't need doing.

Re:Option Four... the Dilbert option.. (1)

T.E.D. (34228) | more than 6 years ago | (#24513411)

Actually, that's the Wally option.

I've taken to calling it the Wally Principle ("If you wait long enough, most problems take care of themselves"), but sadly few others know about it. Its easily more worthy of promotion than the "Dilbert Principle". However, for some strange reason, the Wally Principle's adherents aren't expending any effort to promote it. :-)

Truecrypt vote here (2, Informative)

BenjiTheGreat98 (707903) | more than 6 years ago | (#24503001)

I've been happy with Truecrypt. It is easy to use and the performance impact seems to be not that bad. I just make sure to never use sleep mode or anything like that. Just power off and on anytime I use it. I also setup my windows login to automatically log me in. I got tired of typing in one password and waiting for the next password. I figure if someone is good enough to break my truecrypt password then my windows password wouldn't stand a chance, especially if they had decrypted the data.

What brand laptop? (1)

weszz (710261) | more than 6 years ago | (#24503079)

One of my previous jobs used thinkpads, and they had stuff built in for security so needed 2 passwords just to get the laptops to start booting up. one secured the bios, the other did the hard drive I believe...

so maybe get your boss to get all new laptops... security is expensive, but it's worth it to get a new PC...

Re:What brand laptop? (1)

schwinn8 (982110) | more than 6 years ago | (#24508541)

Yeah, like Thinkpads aren't crackable? Sure, it's not "easy" as you have to get access to the motherboard, but it's not that hard with the right hardware in hand. Do a Google search and find out just how easy it is.

Re:What brand laptop? (0)

Anonymous Coward | more than 6 years ago | (#24509783)

Actually the hard drive password isn't easily turned off. The power on password is though. With the hard drive password on Lenovos you need to replace the firmware on the hard drive itself. So while it is still possible, most people aren't going to.

However I would recommend you use BitLocker if you have Vista already, otherwise go with TruCrypt. I use both, BitLocker for FDE and TruCrypt for my external hard drives and memory cards so they are compatible with other computers still. Then the key for my BitLocker FDE is my phone and a copy of it is on my camera, neither of which goes in the same bag as my laptop.

Bah, youngins!! (1)

dave562 (969951) | more than 6 years ago | (#24503089)

Back when I was a kid, we used KoH and we liked it!

Re:Bah, youngins!! (1)

KGIII (973947) | more than 6 years ago | (#24504167)

I used my Cap'n Crunch decoder ring. Go on, you know the routine. Off of my lawn!

Re:Bah, youngins!! (2, Funny)

treeves (963993) | more than 6 years ago | (#24505535)

Potassium Hydroxide?! The goal is to encrypt the disk, not destroy it!

Re:Bah, youngins!! (1)

Deagol (323173) | more than 6 years ago | (#24510999)

In case you're too young to remember or never heard of it, KoH was an encrypting virus [] of sorts. I recall playing with in in college in the early 90s. Was a pretty cool concept.

Re:Bah, youngins!! (2, Interesting)

treeves (963993) | more than 6 years ago | (#24514143)

Thanks for the info. I'm more than old enough, but I was primarily a Mac user at the time when that virus came out, it turns out. Interestingly, the link you gave describes it as KOH, not KoH, and even calls it "the potassium hydroxide program"!

Does the laptop have TPM; FDE Hard Drive? (3, Informative)

Deathlizard (115856) | more than 6 years ago | (#24503143)

If the Laptop has a TPM chip (many Lenovo Systems do and some Dell's I beleive) Go with something that takes advantage of that hardware. Bitlocker and PGP support it. I'm not too sure about Truecrypt.

Also, if the Hard drive and laptop supports setting a password (Almost all modern drives do. Most laptops do as well) Set a password. Especially if the Drive itself supports native encryption. This adds an extra layer of protection over software Data encryption. Also keep in mind that Native Hard drive encryption is OS agnostic and is usually faster and better overall than many software encryption packages.

Although keep in mind that every protection layer adds more complexity and reduces speed. This is especially true when it comes to data recovery. Make sure your boss understands that if something happens to the laptop, especially Hard Drive damage, The Data on the drive should be considered unsalvagable. Keeping a backup in a secure location (Say a Safe in the Main office also encrypted) is a very good idea.

many options available (2, Insightful)

groffg (987862) | more than 6 years ago | (#24503263)

Many options are available in addition to the 3 you've mentioned. The "best" choice depends on many factors, such as scalability, cost, and risk. TrueCrypt is free, but really isn't ready for enterprise use. As someone mentioned already, hardware-based FDE (like Seagate's Momentus drive) may very well be the most secure, but requires additional hardware acquisition and a time investment. BitLocker is an option, but requires upgrading to Enterprise or Ultimate (which can be done in-place, without a significant time investment, if I'm not mistaken).

Many other software-based products are out there, such as (off the top of my head) PGP WDE, Secude, WinMagic/SecureDoc, etc. The best option for your boss and your organization depends on multiple factors, factors that Slashdot readers are not privy to.

Re:many options available (1)

ratboy666 (104074) | more than 6 years ago | (#24503753)

"not privy to"

Of course we are -- the idea is new, inspired by reports of data theft. Obviously the organization is small; doesn't have a security officer for such matters. No real thought of security before, so someone who is not qualified (self admitted) has been made responsible.

The good news? Its Vista, the security is there -- "bitlocker" and that can make use of tpm chips. Recommendation? Use it, but PUSH ALL SECURITY QUESTIONS TO MICROSOFT.

The last point is critical. Say something like "Vista comes with *insert blurb* claimed to *blurb*, and it is support with the standard Microsoft *blurb*". Fill in the blanks, as appropriate. Next, try not to get involved in the implementation at all.


Checkpoint Full Disk Encryption (Pointsec) (1, Informative)

Anonymous Coward | more than 6 years ago | (#24503265)

You may consider Checkpoint Full Disk Encryption (formerly Pointsec). []

Re:Checkpoint Full Disk Encryption (Pointsec) (1)

compro01 (777531) | more than 6 years ago | (#24503541)

If it's anything like their VPN software (secure client) I'd be avoiding it. That thing has got to be one of the most finicky pieces of software I've had the displeasure of dealing with.

Re:Checkpoint Full Disk Encryption (Pointsec) (2, Informative)

greichert (464285) | more than 6 years ago | (#24506889)

I had the opportunity to deploy Pointsec on the site I was managing. It went really good, with only minor issues with 2 laptops (out of 20+ computers). They were resolved quite easily and without any loss of data. And BTW I never had any issues with their VPN client either :-) .

Does your boss travel overseas? (2, Interesting)

SanityInAnarchy (655584) | more than 6 years ago | (#24503375)

Does she even fly at all?

Customs, at least, has been known to demand the keys to a laptop, and having it obviously encrypted could delay travel significantly.

Also, there are significant problems with at least some FDE products, currently -- the "cold boot" cracks, in particular. Does she shut her laptop down every time, or only leave it on standby? Does the software actually purge the key from RAM on shutdown?

Other than that, well, do your own damned homework. []

I'd suggest BitLocker, mostly because it's built-in -- kind of like, "What would you suggest for unzipping files in Windows XP?" Well, probably the "Compressed Folder" feature, right?

Under other circumstances, I'd recommend Truecrypt or dm_crypt, because you really should be using open source software for anything sensitive -- but you specifically asked for Vista, so that's fairly moot.

But I haven't done my homework.

I use all three -- choose on security needs (4, Informative)

mlts (1038732) | more than 6 years ago | (#24503389)

I use all three, PGP Whole Disk Encryption on one machine, TrueCrypt on another, and one server has a TPM, so it, and its RAID arrays are BitLocker protected.

Each addresses slightly different security concerns. If you want to encrypt your disk with a password, and that's all you need, any of these will do the trick. If you want a hardware cryptographic token, so a thief can't obtain your encryption key by brute force, go with PGP Whole Disk Encryption, or BitLocker that supports a TPM with PIN functionality.

BitLocker is probably the easiest to implement, as you just install it, run software to check and partition the root disk. Then, save the recovery key on a USB flash drive (well away from the laptop). You can also save the recovery key on a TrueCrypt volume too. Once Bitlocker is enabled, the security of the machine will be the user passwords (especially any user with Administrator rights.) Make sure you have a decently long (16 characters, preferably more than 20) password to log on with. If you use BitLocker with a PIN and the TPM, you can get away with shorter user passwords if you hibernate or shut down.

Disadvantage of BitLocker -- Requires a TPM for decently secure functionality. TPM enabled laptops are rare, and desktops are rarer still, unless you explicitly buy a motherboard with one, or a "corporate" desktop.

TrueCrypt is a very good solution. It is licensed at no charge (donations are recommended), and is very secure. However, its intended for a single user machine. Using multiple passwords with it is kludgy at best. However for a single user, its very secure once enabled, and you burn a TC recovery CD.

PGP Whole Disk Encryption is the most versatile. It can use a TPM, USB flash drive, smart card, eToken, or none of the above, and use multiple ones in a list to authenticate for a hard disk to work. For example, my laptop has an eToken for hardware security, but as an emergency, I have a very long recovery passphrase if the eToken gets lost or someone locks it by too many guesses. Another example is a friend of mine who has a TPM on his laptop, but if that fails for some reason, he has two eToken keys as backup. PGP Whole Disk has a very good reputation, and is by far best solution for a business IT environment.

You can't go wrong with any of the three listed.

PointSec (1)

mzkhadir (693946) | more than 6 years ago | (#24503439)

I have used it in the past in the banking industry and it works well.

Simple (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24503543)

Format your shit, install Debian with full disk crypto LVM and encrypted swap. Maybe a PCMCIA card filled with thermite and a remote bluetooth detonator.

My experience with three options (3, Informative)

BenEnglishAtHome (449670) | more than 6 years ago | (#24503713)

I have useful experience with three products.

SecureDoc from WinMagic [] is the software solution we use at my big TLA. As administration headaches go, this one isn't so bad. The recovery processes are workable but not (that I can see) hackable by any thief. The way we have it set up, users get 15 shots at screwing up their machine before IT has to get involved, thus allowing most bozos to eventually get it right while not giving infinite opportunites to thieves. It's administrable over the network (in some ways) and, thus, suitable for big organizations.

At home, I still have one Windows machine and it's secured with PGP. [] I've never used it in a big networked environment so I can't comment on how easy it is to administer. It has one feature that I think is neat, though. You can hit TAB before typing in your passphrase and it will be displayed in clear text. (Normally your pass isn't echoed on screen.) Scoff if you will but on those bad days when I've had little sleep and am, perhaps, a bit hung over, my 59-character passphrase can sometimes be just one hurdle too far. Seeing the text on-screen can be a big help for those times when my head just isn't in the game.

Finally, hardware encryption is better. When my Windows machine was my primary (I now am almost entirely migrated to an Ubuntu installation that I installed from the alternate CD, enabling full disk encryption from the beginning) computer, I relied happily on Flagstone [] drives. I still have one of their USB Freedom drives for backups. The login schtick is more severe; you get few chances and your data goes bye-bye if you screw up. However, I like the fact that they are a real product, not vaporware like some of the encrypted drives from major manufacturers. You can call them up, give them a credit card number, and actually get the hardware. If you talk to the home office in England, you'll converse with smart, helpful, courteous people. All in all, they're a joy to deal with. Downsides? Prices are high and capacities low, but that's part of the deal when it comes to certified hardware such as they sell. Truly irritating downsides? The documentation, unless they've revised it recently, is not all that it should be. Still, I don't hesitate to recommend them.

no opensource full disk encryption for MacOSX (2, Informative)

ad454 (325846) | more than 6 years ago | (#24504031)

At least WinVista and WinXP users have several full disk encryption options, including the opensource TrueCrypt.

But Mac users are out of luck, since no opensource full disk encryption exists for the MacOSX. Neither TrueCrypt or Apple's FileVault support full disk encryption on MacOSX. The only option is the closed source Check Point Full Disk Encryption [] product.

But if it is not opensource, then I personally would not trust it not to have back doors, especially since multinational corporations left-right-and-center have been falling all over themselves to help the US and other governments spy on the general population.

Re:no opensource full disk encryption for MacOSX (0)

Anonymous Coward | more than 6 years ago | (#24504919)

yeah, but macos isn't opensource either. so what gives? just another hypocritical oss fanboi.

Personal experience (0)

Anonymous Coward | more than 6 years ago | (#24504033)

I will praise the forth option.

I have had a lot of experience personally with using Safeboot in an enterprise (banking) environment for all laptops that we release.

It is integrates very well into an AD environment and is very admin friendly.
On an encryption level we use 512 AES, but you can choose much stronger for the more paranoid among us.

My company went with truecrypt (1)

FictionPimp (712802) | more than 6 years ago | (#24504079)

After reviewing the costs of most commercial software for a mid size deployment we decided we could hack it out with truecrypt. I wrote a small database application that stores the recovery iso and the password for each machine (in case IT needs to get into the machine). So far truecrypt has worked great and is easy to install, we just drop an image then start the encryption process. Then we supply the end users with the password needed to unlock their machines (dynamically generated). We don't have to worry about them changing the password because they are not administrators on their computers.

Now if we can just figure out how to prevent them from keeping the password written on a sticky note.

Re:My company went with truecrypt (2, Insightful)

the_flyswatter (720503) | more than 6 years ago | (#24504291)

Now if we can just figure out how to prevent them from keeping the password written on a sticky note.

This is exactly why we need two-factor authentication for the encryption to be secure. If the password is too complex/long, it will be written down. If it's too easy/short, the password can be brute forced.

And they WILL write the password down.

Re:My company went with truecrypt (2, Insightful)

Shihar (153932) | more than 6 years ago | (#24505063)

Asking people to memorize a random 10 character password is pretty much futile. You make brute force attack harder, sure, but you just made social engineering attacks trivial. What is better, a user whose password is jesussaves1 or the user whose password is Dj7lasJ82k, but has it written on a piece of paper in his desk drawer? One requires a lucky guess or a detectable brute force attack, while the other just requires a janitor to open the desk drawer and copy the password.

People in security get to obsessed over the unlikely attacks (brute forcing or guessing a 6 letters + character and capital password) and utterly ignore it when they make social attacks trivial (minimum wage janitor paid to open the desk drawer and copy the password and name of the person who owns the office).

Ask your users to do something stupid and inconvenient, and they are going to respond by doing something stupid and convenient.

Re:My company went with truecrypt (2, Interesting)

FictionPimp (712802) | more than 6 years ago | (#24505717)

Actually the password generator I wrote makes 'speakable' password. These tend to be much easier to remember. so instead of 7yg$rt0 you get something like qB3r7! (ie qbert! short for the sake of the conversation).

We do allow them to set their own password if the really throw a fit, but it has to conform to our password policy (min 8 characters mixed). We figure that is enough security for us.

We did a testing rollout with our IT department first and then picked our worst users for a second test. Once we were sure they had no issues, we rolled out to everyone. If truecrypt supported usb key + password authentication for full disk encryption we would probably implement that on our 'high risk' systems.

Most of our systems are not high risk, they contain no 'dangerous' information such as student information. We decided to encrypt everything simply to get all of our users used to the idea of full disk and usb stick (all usb sticks are also to use truecrypt) encryption. We want to engrain this into the culture so that when someone does have a job where sensitive data might be transported on a notebook (say our CFO) they are already used to the idea.

TrueCrypt for sure using System Encryption (2, Informative)

al0ha (1262684) | more than 6 years ago | (#24504133)

As quoted from TrueCrypt, "System encryption provides the highest level of security and privacy, because all files, including any temporary files that Windows and applications create on the system partition (typically, without your knowledge or consent), hibernation files, swap files, etc., are always permanently encrypted (even when power supply is suddenly interrupted)"

Implements a pre-boot authentication which means the TrueCrypt password has to be entered before the OS boots and can be installed and encrypt of the fly the current OS install and disk.

More info here: []

But remember, your boss must not be afraid of remembering a strong password and must never write it down.

Data Recovery is most important!!! (4, Insightful)

rtechie (244489) | more than 6 years ago | (#24504173)

When evaluating these products it's very important to remember that while one of your laptops MIGHT get stolen, MANY of your users WILL forget the password for their laptop and WILL get locked out. So key recovery is BY FAR the most important feature of these products. This really can't be stressed enough.

Which is why I'll tentatively recommend Bitlocker, since it's got the best data recovery capabilities (keys are automatically backed up to the AD server, etc.).

Pointsec (Check Point) was the only option for me (1)

grudy (206896) | more than 6 years ago | (#24504345)

Pointsec was and still is the leader in FDE -- Gartner Magic Quadrant 7 years straight. Check Point bought them in December of '06, and has maintained (read BOLSTERED) the product since the acquisition. P4PC Works VERY well, is fast, and is ridiculously easy to manage.

My team and I conducted a head-to-head with Safeboot, PGP, Truecrypt, Pointsec, and Utimaco about 6 months ago. Pointsec clearly came out on top. In spite of that, management opted to go with PGP (something about a Golf outing???). It was a nightmare! After hours and hours of challenges (and plenty of consultant bills), management ended up canning PGP and went instead with Pointsec.

Deployment of P4PC was a dream. A few things that are nice is that the initial encryption process will run in the background, and can be interrupted (power loss, shutdown, etc). Decryption / forensics / recovery are all well documented and easy to do. Authentication can be done with password, SmartCard, and / or tokens (must be the dynamic kind). There's a helpdesk feature in the event that password resets or one-time passwords are needed.

AT&T recently threw out Safeboot and deployed 600K seats of P4PC.

Oh... Did I mention Linux (RedHat and SuSE) and Mac OSX support?

Re:Pointsec (Check Point) was the only option for (0)

Anonymous Coward | more than 6 years ago | (#24506399)

You work for CheckPoint, don't you? C'mon, you can tell us. It'll be our little secret...

Vista Ultimate w/BitLocker even w/out TPM (0)

Anonymous Coward | more than 6 years ago | (#24504913)

I switched all my PCs to Vista for the security features (address layout randomization, UAC, protected mode browser, bitlocker) My PCs don't have TPMs so I use the flash drive method (and print out a copy of the recovery password, as well as back the password file up to several other disks). Bitlocker was cake to set up. I did my laptop last night. I had one big partition, vista took care of splitting it into 2 partitions and encrypting. First it tested that my laptop could access the flash drive before booting, and then it encrypted the volume in the background so I could keep watching SageTV. Good show.

Re:Vista Ultimate w/BitLocker even w/out TPM (1)

mlts (1038732) | more than 6 years ago | (#24505847)

One Caveat about BitLocker though. If you are adding roles in Windows Server 2008, disable BitLocker (no need to decrypt all volumes, just disable it), then re-enable it. If you don't, the TPM will consider the changes as unauthorized modifications, requiring the recovery key.

All and all, BitLocker is decent security, especially for both laptops, and servers in physically insecure locations (Exchange servers in branch offices, Active Directory replicas being used by contractors in call centers.) Just make sure to have your recovery keys to volumes either safely stored in the Active Directory schema, or some safe place just in case the TPM doesn't unlock the drive on boot.

Be careful with Bitlocker (2, Informative)

SiriusStarr (1196697) | more than 6 years ago | (#24504959) [] Just reading that would make me gravitate towards PGP or TrueCrypt.

Re:Be careful with Bitlocker (1)

weicco (645927) | more than 6 years ago | (#24511377)

Oh for Pete's sake! If BitLocker prevents you from tampering with the boot-loader, it is somehow considered as bad? I'm really not sure where's the logic in that.

Give PointSec a try (1)

sapran (972484) | more than 6 years ago | (#24507017)

I had such experience of making choice between FDE solutions half a year ago. TrueCrypt 5 had sucked on several Dell laptops. Vista just didn't boot normally, safe mode only. We stopped at PointSec, it's deployed very easily and performs perfect AD integration. But if you are planning to rovide PGP messaging services at the same time, then maybe PGP Desktop would be the better choice. Good luck!

against TrueCrypt (1)

martin (1336) | more than 6 years ago | (#24507863)

Bruce Schneier and gang aren't impressed by truecrypts product [] .

Also gotta look at this from a risk point of view - and as previous mentioned don't forget those border guards in the US!

Re:against TrueCrypt (1)

daveewart (66895) | more than 6 years ago | (#24508327)

> Bruce Schneier and gang aren't impressed by truecrypts product .

Their problem is relating to the deniability of the encryption. That's not an issue for many, I guess...

TrueCrypt is good for a one-off (1)

daveewart (66895) | more than 6 years ago | (#24507975)

TrueCrypt is a good idea if this is essentially a one-off standalone machine. Just remember that, given you're talking about Vista, take care during the TrueCrypt installation: it will default to switching the swap file off, which is a good idea in many circumstances (although unnecessary for full-disk encryption) but will kill any Vista system with 1GB RAM.

You can tell this happened to me, can't you? The Vista laptop I tried it on took about 30 minutes to boot with "only" 1GB of RAM and no swap file. ;-)

The answer (2, Informative)

duffbeer703 (177751) | more than 6 years ago | (#24508579)

Vista Bitlocker is good, but has some issues, as it uses Windows authentication, and not pre-boot. Its two-factor system is kinda weak. If you're a small business worried primarily about casual theft, it's a good solution.

TrueCrypt has pre-boot authentication, which is much more secure. But its encryption implementation is not necessarily FIPS certified, and to my knowledge the system doesn't have common criteria certification. For a business user, the ability to recover a key/password is minimal... so use with caution.

PGP/SafeBoot/Pointsec/WinMagic are all commercial FDE applications that work well, but have specific features that matter moer to some people. PGP is nice because its universal server can provide other services like email encryption as well. SafeBoot has robust management, particularly if you are a McAffee AV customer. Pointsec was the only solution that allowed you to force pre-boot authentication after hibernating the PC. They also have a (very expensive) small business option that doesn't require a server. WinMagic has excellent smart-card integration, and integrates well with PKI solutions.

Pointsec (1)

bjackson1 (953136) | more than 6 years ago | (#24509271)

At my work (a large fortune 500 company) we use Pointsec and it works pretty well. I haven't had any problems with it, but I don't know how much it costs, etc.

Hardware FDE (1)

xijix (143366) | more than 6 years ago | (#24509419)

I've seen this eluded to earlier in the thread, but personally I think it worth looking at HD's that support native FDE instead of a software solution. You don't have the same OS limitations, performance hits, or potential incompatibilities. Nearly all drive manufacturers have announced some sort of native encryption and some are already shipping. We are using Seagate drives today in our Dell systems and its incredibly painless. []

The answer is dependent on your environment. (1)

dirtdart (1340403) | more than 6 years ago | (#24510811)

This is by no means a simple question. A simple google search may give you some options, but developing the criteria alone to make an effective decision on a solution that fits your environment is a difficult process.

There are several factors to consider such as key management, removable media protection, cost, multiple user logons, and reporting/auditing. Do you want to deal with the VP that changed the pre-boot password so no one else could get their data, then forgot it the next day? If you are using Truecrypt your answer is "did you back it up?". Will you really regret a solution that does not address removable media if that same VP has her sensitive stuff backed up on a USB drive that isn't encrypted inside the laptop bag that gets stolen with the laptop in it. This is a very complex issue; a simple google search can't give you that answer.

I attended a SANS "What Works, Mobile Device Encryption" last year as part of my organizations search for a FDE solution. There are a number of solutions that I didn't see mentioned here. Some googlefu should get you a large selection of products that can meet the minimum criteria. We ultimately went with Utimaco Safeguard Enterprise. It was definitely the best choice for our organization. It even assists with key management for Bit Locker for data recovery. Depending on your needs you may even want to consider Credant which is a file based over whole disk encryption. It does meet most organizations' requirements for protection and streamlines support. The real question you should ask is how do I develop the criteria for selecting a product?

Depending on the number of computers you are concerned with protecting you may want to just move with Truecrypt as a CYA and then reconsider as time permits. It is paramount that you educate your users about their data as part of the process. Otherwise your efforts are futile.

more info. (1)

meato7 (1340399) | more than 6 years ago | (#24511301)

more info on hardware based encryption... [] IMO best choice FDE drive, they come from Seagate, fujitsu and hitachi. Seagate has best "out of box" solution. FDE is faster, cheaper, easiest to use, easiest to manage. [] (Since your not managing large numbers you don't need the servers...if you did manage 10-100,000, the servers would be a must, and well worth it) Dell and Lenovo now sell laptops with the choice of FDE drives. check out vendor, awesome customer service (these guys know what they're doing)

TrueCrypt is the answer (1)

Random Guru 42 (687672) | more than 6 years ago | (#24512723)

I'd suggest going with TrueCrypt.

BitLocker might also be good, but I can't use it on my laptop, as it doesn't have a TPM in it. However, it appears pretty sound, and for laptops with a TPM it comes down to whether or not the user considers the T to stand for trusted or treacherous.

TrueCrypt, on the other hand, doesn't require any particular hardware to work. It does its job completely in software, which could also make for easier recovery if the laptop itself gets damaged -- simply pop the HDD into another machine, type in the same password as usual, and there you go! (Of course, that might also be seen as a security hole.)

I'm not even considering the PGP product as I've never actually encountered it.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?