
How To, When You Have To Encrypt Absolutely Everything?

ScuttleMonkey posted more than 5 years ago | from the first-step-is-teaching-people-how-not-to-be-stupid dept.

Encryption 468

Dark Neuron writes "My institution has thousands of computers, and is looking at starting an IT policy to encrypt everything, all hard drives, including desktops, laptops, external hard drives, USB flash drives, etc. I am looking at an open source product for Windows, Mac, UNIX, as well as portable hard drives, but I am concerned about overhead and speed penalties. Does anyone have experience and/or advice with encrypting every single device in a similar situation?"


468 comments

TrueCrypt or Wait for On Drive Upgrades (5, Informative)

eldavojohn (898314) | more than 5 years ago | (#26786803)

I am looking at an open source product for Windows, Mac, UNIX, as well as portable hard drives ...

I think you're going to find most people advising you to choose TrueCrypt [truecrypt.org] which boasts:

  • Creates a virtual encrypted disk within a file and mounts it as a real disk.
  • Encrypts an entire partition or storage device such as USB flash drive or hard drive.
  • Encrypts a partition or drive where Windows is installed (pre-boot authentication [truecrypt.org]).
  • Encryption is automatic, real-time (on-the-fly) and transparent [truecrypt.org].
  • Provides two levels of plausible deniability [truecrypt.org], in case an adversary forces you to reveal the password: 1) Hidden volume [truecrypt.org] (steganography) and hidden operating system [truecrypt.org]. 2) No TrueCrypt volume can be identified (volumes cannot be distinguished from random data).

I think they're on version 6.1a and I have been impressed with them. You may want to try benchmarking [truecrypt.org] the various encryption algorithms it offers.

... but I am concerned about overhead and speed penalties.

Aren't we all. I mean, no one wants an Office Space like scenario where every day before you leave you have to wait for the damn little bar to cross the screen to save your progress for the day. You have another option [slashdot.org] which is to wait until the drive manufacturers build all that into the hardware's firmware so that it is as fast as they can make it.

I wouldn't recommend waiting that long, however.

Here's my formal suggestion: do a small test on a few users or even a few devices no one depends on, some USB drives, etc. Use them yourself and see what kind of overhead (for both user and device) we're talking about here. Then weigh that with how much comfort you get with universally encrypting everything. If A is greater than B (with a sinister sounding name like 'Dark Neuron' who knows?), draft up a plan. Otherwise, just wait until you have the funds to upgrade the hard drives to those with the built in encryption.

I do not know for certain but I do not believe there is a painless push-across-the-network way to do this ... I also would feel very uneasy if someone assured me they had a method to do that. Drive encryption is one of those seemingly trivial but necessary reasons why companies have many system administrators and not some automagical solution.

TrueCrypt (5, Insightful)

Anonymous Coward | more than 5 years ago | (#26787085)

You want TrueCrypt.

It's probably better than a hardware solution. They keep screwing up and snake-oiling the hardware ones, but you can audit TrueCrypt (and people have), and pre-boot authenticated system drive encryption is pretty much what you want.

As for speed... I don't know what you're worried about. AES-256-XTS (best-in-breed, the new standard, which TrueCrypt pioneered and uses) runs at over 150MB/sec in benchmark, and that's on one core. Your hard disk very probably doesn't run that fast.

All our machines are encrypted using similar means, and we've never experienced any problems with performance.

PGP's Whole Disk Encryption isn't as good - that kept stalling in kernel mode under XP, causing hiccups on lots of disk accesses; and eventually the driver bluescreened on every boot and there was absolutely no way we could get it back, which lost us terabytes of data... but TrueCrypt has caused us no such problems, and costs nothing. (If it worked with the leftover eTokens from our earlier PGP deployment, it'd be perfect.)

Re:TrueCrypt or Wait for On Drive Upgrades (-1, Flamebait)

Brian Gordon (987471) | more than 5 years ago | (#26787165)

Encrypt everything? You're going to have to use (unencrypted) key pairs to access your data, which can be compromised just as easily as the hard drives they're protecting. You can encrypt your key with a password (I'm sure truecrypt supports this) but then you might as well just have used a password in the first place instead of encryption. I'm not saying that encryption won't make things more secure but it'll be an expensive headache with fewer absolute gains than what you'd think.

What you do is store sensitive material on secure servers and have people check out copies of material that they have access to. I'm sure keeping sensitive data off local hard drives would be easier than actually protecting all those hard drives.

Re:TrueCrypt or Wait for On Drive Upgrades (2, Insightful)

Anonymous Coward | more than 5 years ago | (#26787409)

then you might as well just have used a password in the first place instead of encryption.

You, sir, are a fucking moron. Please stop posting and do some research before spouting off nonsense.

Re:TrueCrypt or Wait for On Drive Upgrades (1)

Spazztastic (814296) | more than 5 years ago | (#26787569)

then you might as well just have used a password in the first place instead of encryption. You, sir, are a fucking moron. Please stop posting and do some research before spouting off nonsense.

I second AC's statement. The GP says to "keep everything on a secure server." Do you know how slow it would be to have to grab all your data off a remote server on a laptop from remote sites? Don't mod him insightful, read what he actually said.

TrueCrypt Supremacy. I've had it deployed at many organizations and we've seen no performance decrease. One thing to keep in mind is to keep the pagefile /enabled/ when you do full disk encryption. I may be incorrect in doing this, but since the disk is encrypted what's the harm?

Re:TrueCrypt or Wait for On Drive Upgrades (1)

sswanny (1374911) | more than 5 years ago | (#26787571)

Coming from an Org that encrypts everything the performance hit is not as bad as you might think. Boot times are slower but disk access is not really noticeably slower. Brian Gordon....I'm glad you aren't managing my IT shop or Information Security dept.

Re:TrueCrypt or Wait for On Drive Upgrades (5, Funny)

Hal_Porter (817932) | more than 5 years ago | (#26787657)

Coming from an Org that encrypts everything

Tom Cruise? Is that you?

Re:TrueCrypt or Wait for On Drive Upgrades (3, Insightful)

gregmac (629064) | more than 5 years ago | (#26787539)

When people check data out though, it has to get stored somewhere. That somewhere might be a local disk, or a USB stick, etc. So those places need to be encrypted if you want to protect against loss/theft.

Your server can be sufficiently protected (physically and virtually) that it does not need the drives encrypted - encryption does not protect against over-the-wire attacks anyways. While it is probably unreasonable to protect EVERY pc from being stolen, it is not unreasonable to protect servers from being stolen - eg, an alarm that goes off way before anyone gets near the server room. 24/7 guards, if you can afford it, etc.

Re:TrueCrypt or Wait for On Drive Upgrades (4, Informative)

pavon (30274) | more than 5 years ago | (#26787553)

You can encrypt your key with a password (I'm sure truecrypt supports this) but then you might as well just have used a password in the first place instead of encryption.

WTF? If someone steals a computer and puts a drive in another computer the windows/BIOS password won't do shit, encryption will.

What you do is store sensitive material on secure servers and have people check out copies of material that they have access to. I'm sure keeping sensitive data off local hard drives would be easier than actually protecting all those hard drives.

No it won't. If they need to use the data then it will be cached on their computer whether it is stored centrally or not. And if they weren't using the data then it wouldn't have been on the computer to begin with. Centralization will only help if you move from thick-client to a thin-client-like processing of data. That will limit the amount of distribution of sensitive manner - "checking data out" won't.

Re:TrueCrypt or Wait for On Drive Upgrades (4, Informative)

PotatoFarmer (1250696) | more than 5 years ago | (#26787619)

What you do is store sensitive material on secure servers and have people check out copies of material that they have access to. I'm sure keeping sensitive data off local hard drives would be easier than actually protecting all those hard drives.

I'm not so sure about that. The deal with whole disk encryption is that it's fail-safe; it doesn't matter if something bad happens, the data is stored in a secure state by default. A check-out model doesn't give you that.

Also, speaking from experience, it's incredibly difficult to get end users to even understand what sensitive data is, much less train them how to work with it in a secure manner. Any security model that relies upon educated (and diligent) users is probably going to fail sooner rather than later.

Re:TrueCrypt or Wait for On Drive Upgrades (4, Informative)

Shadow-isoHunt (1014539) | more than 5 years ago | (#26787411)

TrueCrypt isn't without its bugs. Both 5.1a and 6.0a have cost me two Windows installs (one Win2k3, one Win XP Pro), which couldn't be recovered with the recovery disk. 6.1a won't even install on my Inspiron 9400, giving me a "memory parity error" on the initial reboot test for full drive encryption. If you want something to trust your data to, TrueCrypt is not that program (yet).

Re:TrueCrypt or Wait for On Drive Upgrades (4, Insightful)

Spazztastic (814296) | more than 5 years ago | (#26787599)

6.1a won't even install on my Inspiron 9400, giving me a "memory parity error" on the initial reboot test for full drive encryption.

Have you run memtest86+ [memtest.org] and let it go for at least two full tests? Could be one of your sticks is bad.

Re:TrueCrypt or Wait for On Drive Upgrades (0)

Anonymous Coward | more than 5 years ago | (#26787521)

Wasn't there someone who said that the TrueCrypt hard-disk driver for Windows was faster than Microsoft's?

TrueCrypt is very fast (3, Informative)

tyler_larson (558763) | more than 5 years ago | (#26787727)

Truecrypt is fast. I have it on all my computers and backup devices that handle sensitive information, and there is zero slowdown visible to the user, even for IO-intensive operations. Steve Gibson from the "security now" podcast did his own benchmark where he created a drive image and timed how long it took to defrag the drive, then restored the bits from the image, encrypted with TC, then timed the defrag again. He then repeated the process three times because he didn't believe the results -- the encrypted filesystem ran FASTER. Take the anecdote for what it is, but the principle seems to hold true in my experience too. TrueCrypt is damn fast. It chews a few % of your CPU time when in use, but it doesn't slow things down.

Re:TrueCrypt or Wait for On Drive Upgrades (0, Flamebait)

duffbeer703 (177751) | more than 5 years ago | (#26787741)

TrueCrypt in an enterprise? Hahaha!

What happens when somebody loses their password or keyfile? Or you get a subpoena for a laptop or USB key's content?

Unfortunately, no open source solution exists. Look at vendors like PGP, McAfee, Pointsec, etc. The outrageous cost is offensive, but you need to pay to play in an enterprise environment right now.

Why wait? (1)

pavon (30274) | more than 5 years ago | (#26787815)

Seagate sells drives that do that today. If you are concerned about theft, and your motherboard supports it, that would absolutely be my first recommendation.

If you are also concerned about back doors, or just don't trust that the drive manufacturers implemented their encryption correctly, then TrueCrypt is the best cross-platform software encryption method available. I wouldn't recommend using it for whole disk encryption though - it's just too slow. Use hardware for your first line of defense, and then use a TrueCrypt partition to store all the known sensitive files.

Ironkey has good hardware encryption for USB flash drives. There are others that do as well, but be careful because there are a lot of crappy flash drives whose encryption is a complete joke. TrueCrypt is also a good choice for flash drives.

I haven't found an ideal solution for large external harddrives. AFAIK, sticking one of those hardware-encrypted drives into a USB caddy doesn't work because there is no mechanism for providing the password to the drive. eSata might work if your computer supports it. Otherwise you are stuck with software encryption.

True Crypt (0, Redundant)

fork_daemon (1122915) | more than 5 years ago | (#26786807)

truecrypt seems to be the best option.

PLAESE BACK UP FRIST!!! (5, Funny)

linhares (1241614) | more than 5 years ago | (#26787407)

Plase back everything up frist! Send it to us at editor@wikileaks.org and we'll store that data for you for free. We have mirror sites to protect the data; just send it before encrypting it.

Hard Drive Encryption - Theory vs. Reality (3, Funny)

Concern (819622) | more than 5 years ago | (#26786809)

Let me explain to you how this works. In pictures:

http://xkcd.com/538/ [xkcd.com]

Re:Hard Drive Encryption - Theory vs. Reality (1)

resonantblue (950315) | more than 5 years ago | (#26786963)

... don't forget to look at the hidden title text on that one. I think that sums it up pretty accurately.

Re:Hard Drive Encryption - Theory vs. Reality (1)

ShieldW0lf (601553) | more than 5 years ago | (#26787623)

More like,

"Argh, I lost my key! I lost all those files that we need to get the government off our backs, and all our customer lists, and everything! Shit! We just went out of business!".

Re:Hard Drive Encryption - Theory vs. Reality (5, Funny)

Sancho (17056) | more than 5 years ago | (#26787133)

Of course, if you're using Truecrypt, they won't know when to stop hitting you.

Re:Hard Drive Encryption - Theory vs. Reality (4, Funny)

Rinisari (521266) | more than 5 years ago | (#26787209)

Yeah...

Encryption will save you and your institution versus legal attacks, but if others' "people" may talk to your "people" with a wrench, then only iron will can save you.

Even biometrics can be fooled (e.g., eyeballs and fingers aren't that hard to remove these days).

Re:Hard Drive Encryption - Theory vs. Reality (0)

Anonymous Coward | more than 5 years ago | (#26787697)

Try keeping a believable pulse, complete with oxygenated blood, going in a removed eyeball.

Re:Hard Drive Encryption - Theory vs. Reality (2, Insightful)

ShieldW0lf (601553) | more than 5 years ago | (#26787773)

Try keeping a believable pulse, complete with oxygenated blood, going in a removed eyeball.

Try replacing your eyeball, once I've made a functional duplicate, and published the design online.

Re:Hard Drive Encryption - Theory vs. Reality (3, Funny)

BrotherBeal (1100283) | more than 5 years ago | (#26787805)

eyeballs and fingers aren't that hard to remove these days

These days? Bodily mutilation is like the GEICO of injury - so easy, a caveman could do it.

Re:Hard Drive Encryption - Theory vs. Reality (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26787217)

Let me explain to you how this works

It works exactly like your front door lock: it raises the cost of caring. When it costs $5 for a wrench to find out what's on the drive, you have to care at least $5 to bother trying. Drives and USB sticks will continue to be stolen and resold for their value as storage devices, but anyone wanting to get the information stored on them will have to care a whole lot more than $NZ18 [slashdot.org].

Theory vs. Reality - Seriously (5, Insightful)

BenEnglishAtHome (449670) | more than 5 years ago | (#26787263)

That comic has been making the rounds. It's cute, but not applicable.

If the submitter is in an organization with thousands of machines, the notion that any user will be required to keep their password confidential in the face of torture is laughable. That's for specially trained operatives, soldiers, and other assorted heroes. Those of us in the normal world will probably adopt a more rational perspective. If someone were crazy enough to steal one of our laptops, simultaneously snatch the user, and threaten them with torture, our folks know to give up all passwords, immediately. We're only required to keep data confidential where it is reasonable to do so. When floods sweep away your car, wave goodbye to your laptop in the trunk. When someone threatens you physically, tell 'em what they want to hear.

Our people are more important than our data. Our people are more important than the public's data. If we lose a chunk of data, we have ways to reconstruct what was lost and mitigate damage. If we lose an employee, there is no way to achieve a good outcome.

Reasonable?

Re:Theory vs. Reality - Seriously (0)

Anonymous Coward | more than 5 years ago | (#26787617)

Absolutely. Couldn't have said it better myself. Bruce Schneier would be proud.

Re:Theory vs. Reality - Seriously (0)

Anonymous Coward | more than 5 years ago | (#26787819)

Depends. If your data is going to put someone (or lots of people) in physical danger then it's not so clear cut. You would be surprised at how much data qualifies as physically dangerous even at normal companies.

Or consider the fact that incriminating data could be considered physically harmful as well.

Re:Hard Drive Encryption - Theory vs. Reality (4, Insightful)

ObsessiveMathsFreak (773371) | more than 5 years ago | (#26787471)

No. Let me explain to you how this works, with a story link [slashdot.org].

Companies are storing more, and more, and more, and more, and more information. About their customers, about their suppliers, about themselves, about employees, about employees' friends, about customers' friends, about customers' employees, etc, etc, etc. It's like a Panopticon Party, and everyone with a datacentre is invited. With hard disc space costs plummeting, processor power rising, and networked recorders becoming ubiquitous, companies and managers everywhere have succumbed to the data deluge, and have meticulously stored and categorized every last bit they can lay their hands on. (For what purpose is a question for another day).

The result. Exabytes of data sitting idle on servers, unencrypted, waiting to be stolen. Predictably it is, usually with nothing more than a USB key, or USB hard disc. The people who pay for such illicit data presumably want it all for something. If the data was even encrypted in the most basic fashion, most of the constant data breaches we hear about would never have occurred.

Companies have two options. First, stop gathering and storing this data. That will never happen. Most companies are data junkies by this point. Secondly; Encrypt, Everything. Everything. Any unencrypted portion of your network is a data breach waiting to happen. Even the slightest crack is a PR disaster waiting to happen. I don't care if it's a telnet client on a headless offline BSD system, sitting in a securely locked room in the basement. Someone WILL find a way to lose data using it.

I applaud the submitter's goal. It is a worthy one, and is likely the only real thing standing between your credit card number and a fraudster's ebay login page. More power to them.

Expect it to be slow (1)

jimbobborg (128330) | more than 5 years ago | (#26786821)

SAIC used encryption on all of their Windows laptops. There was a huge speed penalty in startup time and starting applications.

Re:Expect it to be slow (0)

Anonymous Coward | more than 5 years ago | (#26786849)

I'm doubtful that hurt a government contractor too much. Hell, most of the users probably never noticed, as they likely take mandatory 15 minute breaks immediately following turning their computers on.

Re:Expect it to be slow (1)

NobodyExpects (843016) | more than 5 years ago | (#26787017)

Software encryption is slow, but using drives with encryption on the hardware [seagate.com] will be quicker. I'm not making a product recommendation with Seagate, I understand Fujitsu [crn.com] also has a FDE solution. In an enterprise environment, you can set up centralized password recovery utilities (for when the user goes under the bus, or over the wall to your competitor)...

Re:Expect it to be slow (1)

QuantumRiff (120817) | more than 5 years ago | (#26787457)

It does go quicker in hardware, but there are lots of gotchas. Do you update machines in the middle of the night and have them reboot? Your users will come into the office in the morning, to find their PC still waiting to have the password or finger swipe done in the BIOS. The software to manage all the keys for these Seagate drives is not really there yet. Trying to manage thousands across domains is a pain, and good luck if somebody forgets a password.

Hiding Something? (0)

Anonymous Coward | more than 5 years ago | (#26786833)

MUST... HIDE... PORN...

Yeah... (3, Insightful)

bytethese (1372715) | more than 5 years ago | (#26786845)

Don't do it.

A subtle balance between encrypting most essentials and leaving non-essentials unencrypted. For example, you may want to only encrypt parts of your hard disk as encrypting the whole disk will impact performance.

Also, watch how external USB keys are encrypted. If you deal with clients and offer loaner machines, their USB drives could become encrypted and useless when they return to their own office.

I'm all for encrypting, however hopefully the higher ups also consider the potential performance hits and liability issues.

Re:Yeah... (5, Informative)

quickOnTheUptake (1450889) | more than 5 years ago | (#26787145)

I've heard that full fs encryption on higher end computers has a negligible performance impact (cpu can generally keep up with the hdd) but on lower end machines esp. netbooks, the performance impact can be appreciable. Here is an article with benchmarks [phoronix.com].

Re:Yeah... (1)

bytethese (1372715) | more than 5 years ago | (#26787303)

Yes, but in today's economy who is buying 1000's of new machines?

Personally, the firm I work for held off its normal 3yr rollout of new machines and plans to keep these laptops at least another 1-2yrs. Currently we have 1.83GHz T60's with 1GB RAM and 5400rpm SATA I HDD's. I wouldn't want to throw full disk encryption on those guys, our image is already "slow" enough. :)

Re:Yeah... (4, Interesting)

number11 (129686) | more than 5 years ago | (#26787183)

you may want to only encrypt parts of your hard disk as encrypting the whole disk will impact performance.

Yeah, but if you're running Windows, be sure to get the swap file (depending on security concerns, maybe having Win zero the swap file at shutdown might be enough) and all that crap in Documents and Settings. If concerns run to file/folder names, don't forget the MRU lists. I do have a Truecrypt partition, but regularly find bits and pieces of stuff scattered here and there on C: unencrypted.

Win does not segregate data in a helpful fashion. If my security concerns were serious, I wouldn't dare anything less than whole disk encryption. Actually, I'd probably stop using Windows.

Re:Yeah... (5, Interesting)

Lumpy (12016) | more than 5 years ago | (#26787235)

How about the following...

"My presentation is on this drive and I forgot the password, get my files for me!"

Users don't like it when you say, "sorry, but unless you remember your password all your files on that drive are gone forever."

That stopped it at my last IT gig, I mentioned that response to the CTO and he said...

"oooh, Did not think of that. let's skip encryption."

Re:Yeah... (3, Interesting)

SatanicPuppy (611928) | more than 5 years ago | (#26787613)

If it's corporate, just make them encrypt it using their key and a corporate master key. Then you can decrypt it using the master key if some boneheaded user loses their key. You should do this anyway to prevent some user from walking with all of their data, and to maintain SoX compliance.

Obviously this will increase the overhead, but frankly, encryption should be used sparingly anyway.

Re:Yeah... (4, Informative)

Vancorps (746090) | more than 5 years ago | (#26787659)

I can't tell, are you joking? With all the sarcasm around Slashdot it's sometimes difficult to tell if someone is being snarky.

The scenario you mention wouldn't happen unless a half-baked encryption scheme was used. HP, RSA, IBM, and even Truecrypt all have recovery options ranging in levels of difficulty to implement. RSA's key management tools are quite handy but you definitely pay a premium for them. HP's are clunky like all HP software, IBM has been doing it for years but again you pay an arm and a leg.

With Truecrypt you create two to three thumbdrives when you do the initial encryption, two of them store the master encryption key and the third has whatever key is needed for authentication depending on how you want to deploy it. The only fault I have with Truecrypt is that there are a dozen ways to deploy it so you have to read and plan very carefully before deploying it on any level.

Once you have your flash disk you copy its contents to an encrypted folder on your SAN somewhere and keep the flash drive in a properly fire-proof safe. One flash drive has the keys for over a hundred machines with room for plenty more, keeping two copies ensures that a flash drive dying won't leave your data inaccessible during transport to the server and should the SAN experience some sort of data loss you can go back to the flash drive to recover keys.

Encryption is pretty scary as your keys are extremely important as you mention, once the key is lost then so is the data. So you take a few precautions ahead of time and then you don't need to worry.

Re:Yeah... (4, Insightful)

Kjella (173770) | more than 5 years ago | (#26787677)

Users don't like it when you say, "sorry, but unless you remember your password all your files on that drive are gone forever."

That stopped it at my last IT gig, I mentioned that response to the CTO and he said...

"oooh, Did not think of that. let's skip encryption."

There's exactly two WTFs here, you and the CTO. We have full disk encryption, but there's a support procedure to identify and get a password reset code. And if all else fails, IT has an extra master login to decode the disk. I don't know what truecrypt has but even a cursory look at the available products would have told you that. No sane business would ever work so that if an employee got run over by the bus, everything that person has been doing is gone forever.

Have fun with management (0, Flamebait)

jgtg32a (1173373) | more than 5 years ago | (#26786869)

Maybe it's just the corporate environment that I'm in and please I would love to be wrong. But from what I can tell a good number of open sourced products just don't scale up to the enterprise level.

There aren't any tools that manage them centrally and allow for compliance and auditing.

Re:Have fun with management (5, Funny)

cs02rm0 (654673) | more than 5 years ago | (#26787373)

Maybe it's just the corporate environment that I'm in and please I would love to be wrong. But from what I can tell a good number of open sourced products just don't scale up to the enterprise level.

There aren't any tools that manage them centrally and allow for compliance and auditing.


Crap. Has anyone told Google yet? Best get them to switch to Windows quickly!

Re:Have fun with management (1)

fifedrum (611338) | more than 5 years ago | (#26787525)

In this case, the solution being pushed most often is installed on an individual disk to disk basis. There's no scale in that. Support is the same as any other application forced on the users.

And I could easily list a good number of open source projects that scale just fine. Postgresql, postfix, sendmail, linux, gcc, apache, perl, php to name but a few.

Don't. (5, Insightful)

spikenerd (642677) | more than 5 years ago | (#26786911)

"Security" that gets in people's way is a security threat, because people will find a way to work around it, and be worse off because of it. Never try to lock down everything, or you'll have no control over what is compromised. Figure out what you really need to secure, and lock that down. Really. Trying to secure everything is a sure sign that someone lacks the knowledge to make security decisions.

password (2, Insightful)

Anonymous Coward | more than 5 years ago | (#26786927)

Encryption is easy. Password distribution and protection is hard.

Just install Ninnle! (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26786949)

Several agencies of the US government have been using Ninnle Linux for encryption purposes. It's only necessary to engage the one ultra secure switch and all devices run under 1024 bit encryption, the securest yet and a Ninnle Labs innovation.

Re:Just install Ninnle! (0)

Anonymous Coward | more than 5 years ago | (#26787505)

Those guys in the Ninnle Labs sure are smart!

Key Management (2, Insightful)

John Hasler (414242) | more than 5 years ago | (#26786967)

Have you worked out a complete plan for key management for all these encrypted devices?

Re:Key Management (1)

oobayly (1056050) | more than 5 years ago | (#26787175)

Yup, this is the most important part. I was reading an article on the Register entitled "Users: The weakest link in laptop security":
http://www.theregister.co.uk/2009/02/09/laptop_security_weakest_link/ [theregister.co.uk]

I think this comment sums it up:
http://www.theregister.co.uk/2009/02/09/laptop_security_weakest_link/comments/#c_423637 [theregister.co.uk]

What's the point of nigh-on impossible to crack encryption when the user has as good as written all the credentials on the outside of the computer?

Personally, I prefer the idea of encrypting volumes on which I store important data. Other stuff that isn't sensitive can be dumped anywhere else (within the bounds of common sense of course)

Re:Key Management (1)

nizo (81281) | more than 5 years ago | (#26787361)

Magic marker and a bunch of sticky notes?

(Yes, I am kidding. Unless you use edible ink/sticky notes.)

Re:Key Management (1)

sakdoctor (1087155) | more than 5 years ago | (#26787595)

I keep my keys on a USB disk.
I swallow the disk and wait for it to come out the other end. Rinse (literally) and repeat.

Pointsec (1, Informative)

religious freak (1005821) | more than 5 years ago | (#26786973)

Open source? Nope. But Pointsec is an impressive product. I've been using it for years and have noticed zero performance impact.

Re:Pointsec (1)

plierhead (570797) | more than 5 years ago | (#26787117)

Truecrypt has worked well for me on my laptop for a long time - which runs Vista and crashes on a weekly or more basis, so far never causing data loss on the TrueCrypt drive. For office applications at least there is no noticeable performance hit.

Re:Pointsec (1)

TyIzaeL (1203354) | more than 5 years ago | (#26787277)

I've had no problems with TrueCrypt on Vista. However, the performance hit is somewhat noticeable.

This is on an Eee PC 1000H though.

Re:Pointsec (1)

rockbottoms (1393173) | more than 5 years ago | (#26787469)

I've noticed copying data to/from the encrypted volume takes a little longer than say copying from one local drive to another, or local to USB 2.0. I wasn't worried because I won't have to do it that often. I've also never tried to back up a TrueCrypt "File". Does it back up the entire file each time it changes, or would it back up only the changes made to the file?

Re:Pointsec (0)

Anonymous Coward | more than 5 years ago | (#26787215)

Using it here at my office on all mobile machines. The machines are usable even as the disk is being encrypted. I can use my personal flash drives with no issue and there is no in-use overhead that I experience; been using this device since before we introduced Pointsec. The only change was the Pointsec domain login during boot.

don't encrypt system files (2, Informative)

two basket skinner (1288246) | more than 5 years ago | (#26786995)

unless of course your requirements call for it. But your systems will run very slow if every time they have to boot they have to go through the decrypt process. You should only need to encrypt your users' data. Hopefully, system data and user data are, at least, in different folders of the filesystem.

Re:don't encrypt system files (1)

Hatta (162192) | more than 5 years ago | (#26787265)

You'd be surprised. Modern CPUs can decrypt a file as fast as the disk can retrieve it. Even encrypting your swap imposes negligible performance penalties.

Key Management? (4, Insightful)

HockeyPuck (141947) | more than 5 years ago | (#26787079)

What's your key management strategy?

Re:Key Management? (1)

stnls_steel_mouse (210272) | more than 5 years ago | (#26787379)

The most important question so far!
In an enterprise situation, you have to have multiple sets of keys so a single person can't turn their devices into bricks by forgetting their passwords. There are lots of scenarios around this: Lock a user out of their ability to decrypt due to termination, but still allow admin access to resources.

Re:Key Management? (5, Funny)

MobyDisk (75490) | more than 5 years ago | (#26787395)

To empower individuals to utilize synergistic approaches to achieve goals and exceed expectations. :)

Re:Key Management? (1)

pyro_peter_911 (447333) | more than 5 years ago | (#26787707)

To empower individuals to utilize synergistic approaches to achieve goals and exceed expectations. :)

...on the Internet!

Peter

TrueCrypt and Mac (3, Informative)

Danathar (267989) | more than 5 years ago | (#26787107)

TrueCrypt does not support Pre-boot full disk encryption on the Mac. Only product I know of that does that right now is PGP Whole disk (latest version).

Re:TrueCrypt and Mac (1)

macshome (818789) | more than 5 years ago | (#26787273)

PointSec and WinMagic also support pre-boot on the Mac. WinMagic also supports booting from the Seagate hardware encryption drives on a Mac.

They probably have to (2, Informative)

York the Mysterious (556824) | more than 5 years ago | (#26787155)

I see a lot of comments here suggesting that this is a bad idea, and to a certain extent it is, but chances are the institution has no say in this. After the wave of laptop thefts from government institutions, the office of inspector general requires all laptops (and portable media) be encrypted. A lot of agencies have stalled on this one. I've been involved in supporting laptops that are encrypted and go out to remote field cables (as remote as it gets). It's a pain, but if you have to do it, TrueCrypt is not the way to go. You need something that ties into AD and something that can manage thousands of users. PGP Desktop.

Just don't do it. (4, Insightful)

SatanicPuppy (611928) | more than 5 years ago | (#26787161)

I see this all the time and it always makes me cringe.

If you treat all data the same, it is impossible to convince users to treat any data differently from any other, and they will all default to "Sloppy", and you won't care because you'll be certain that the encryption is going to save your ass.

It is a much much better idea to have a very distinct line between secure and insecure, so that people have that distinction hammered into their heads every time they touch secure data. Otherwise, someone is going to get sloppy with their private key, and you're going to get exploited and never see it coming.

TrueCrypt, you're our only hope (2, Informative)

Phoenixhawk (1188721) | more than 5 years ago | (#26787179)

I was screaming PGP until I got to the open source part; removing funding from the equation, TrueCrypt is the only thing that will really do what you're asking for. It's not bad & I like it, but it's not PGP. And if you have been using something since the BBS days, you're really not likely to change now, so I am biased towards it. But from my limited (3 month) run with TrueCrypt I had no problems and it was very stable, with little to no real performance difference from PGP's.

Here we use PGP Desktop (1)

rickb928 (945187) | more than 5 years ago | (#26787201)

Full Disk Encryption and of course encrypting our USB keys, backup DVDs, etc. Central key management, recovery, pretty well thought out.

I dunno if the 'free' version does all this. It's not as clever as TrueCrypt, but it works.

ROT 26 (5, Funny)

spike2131 (468840) | more than 5 years ago | (#26787307)

Tell the suits you are implementing state-of-the art ROT-26 encryption on everything. Take a month off. Come back, pronounce it complete, and ask for a raise.

Re:ROT 26 (4, Funny)

Red Flayer (890720) | more than 5 years ago | (#26787755)

That'll never work, it's too obvious. Even the PHBs recognize that there are 26 letters in the alphabet... that number may raise questions.

I suggest obfuscating it slightly, pardon the 'irregularities' of my math :)

ROT-26 Swap 2*13 for 26.
ROT-(2*13) Swap Triskadeca for 13
ROT-(2*Triskadeca) Swap Duplo for 2*
ROT-Duplotriskadeca Add Duplotriskadeca to both sides
ROT = Duplotriskadeca Eliminate
0 = Dupliskadeca Let d = 4; add 1 to each side
1 + 0 = Dupliska(4 + 1)eca = Dupliskaeeca Reorder
1 = cakeisadupel We know that l looks like 1, so go ahead and eliminate.
0 = cake is a dupe

The cake statement is a false, a lie!

Hence we can call this DoublePortal encryption, while knowing we maintained mathematical purity for the name.

Use of this naming convention for ROT(26) will surely be more amenable to the PHBs.

Quit. Now. (2, Insightful)

swordgeek (112599) | more than 5 years ago | (#26787377)

OK, delay and stall as much as possible while you get your resume shopped around and get a new job lined up.

Then quit.

This kind of silliness is (a) stupid, (b) pointless, and (c) doomed. Anyone who claims otherwise is wrong. (And no, I'm not opinionated at all! :-)

Fundamentally, this will fail because it's a blanket policy on dissimilar environments: All hardware is not equal, and all software is not equal. Portable gear should NOT be treated the same as fixed equipment. Sensitive customer data should NOT be treated the same as OS files. Throwing everything together under one usage policy comes from not understanding ANY of computers, data, or security.

Get out. Run while you can!

User Error (1)

WiiVault (1039946) | more than 5 years ago | (#26787385)

I would strongly suggest you don't encrypt everything. Users forget passwords all the time; right now, if they forget their workstation password you can reset it. What if they forget the password for their work-related data? It's gone forever. If you do decide to go ahead with it, be VERY overt that people may lose their work/jobs if a password is forgotten.

Re:User Error (2, Informative)

Qzukk (229616) | more than 5 years ago | (#26787721)

Any sufficiently enterprisey encryption system would have a site-wide "master key" entrusted to whatever IT staff is responsible for rescuing people from forgetting their key.
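The escrow arrangement raised in the key-management comments above (an IT-held recovery key, and admin access that survives a user's termination), sketched as an added example that is not part of the original thread or any product's code. It wraps one volume key once per credential, the key-slot model LUKS uses; the slot names and the XOR-plus-HMAC wrap (a standard-library stand-in for AES key wrap) are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 50_000   # constructed demo value
ESCROW = "escrow"        # hypothetical name for the IT recovery slot
Slot = Tuple[bytes, bytes, bytes]  # (salt, wrapped key, MAC tag)


def _derive(passphrase: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch a passphrase into a 32-byte pad and a 32-byte MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              PBKDF2_ROUNDS, dklen=64)
    return okm[:32], okm[32:]


def wrap_key(volume_key: bytes, passphrase: str) -> Slot:
    """Wrap the 32-byte volume key under one credential (assumed scheme:
    XOR with a pad used once per fresh salt, then HMAC over the result)."""
    if len(volume_key) != 32:
        raise ValueError("volume key must be 32 bytes")
    salt = secrets.token_bytes(16)
    pad, mac_key = _derive(passphrase, salt)
    wrapped = bytes(a ^ b for a, b in zip(volume_key, pad))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return salt, wrapped, tag


def unwrap_key(slot: Slot, passphrase: str) -> Optional[bytes]:
    """Return the volume key, or None if the passphrase does not fit."""
    salt, wrapped, tag = slot
    pad, mac_key = _derive(passphrase, salt)
    expected = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, pad))


class VolumeHeader:
    """Per-device header: the same volume key stored once per slot."""

    def __init__(self) -> None:
        self.slots: Dict[str, Slot] = {}

    def add_slot(self, name: str, volume_key: bytes, passphrase: str) -> None:
        self.slots[name] = wrap_key(volume_key, passphrase)

    def open(self, passphrase: str) -> Optional[bytes]:
        for slot in self.slots.values():
            key = unwrap_key(slot, passphrase)
            if key is not None:
                return key
        return None

    def reset_slot(self, name: str, escrow_pass: str, new_pass: str) -> bool:
        """Forgotten passphrase: help desk re-wraps via the escrow slot."""
        slot = self.slots.get(ESCROW)
        key = unwrap_key(slot, escrow_pass) if slot else None
        if key is None:
            return False
        self.slots[name] = wrap_key(key, new_pass)
        return True

    def revoke(self, name: str) -> None:
        """Termination: drop the user's slot; escrow still opens the disk.
        The volume key is unchanged, so a saved copy of the old header
        plus the old passphrase would still unlock the data."""
        self.slots.pop(name, None)
```

The escrow passphrase unlocks every device enrolled this way, so how it is stored and who may use it is the part of the plan that needs the most scrutiny.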

Overhead and speed penalties (1)

TheMCP (121589) | more than 5 years ago | (#26787389)

I have a friend who works for a company that has an "encrypt everything" policy. He has a company laptop which is equipped with such encryption software. His wife has an identical laptop. Mr. X's laptop is a dog. Mrs. X's laptop is zippy.

Overhead and speed are the cost of the kind of encryption you're talking about. That's the price you're going to pay for doing what you're talking about. If you really want the encryption, learn to live with it. If you can't live with it, ditch the encrypt-everything policy and find a way to only encrypt what you have to.

I have a pdf detailing such a policy (2, Funny)

Anonymous Coward | more than 5 years ago | (#26787399)

But I encrypted it and lost the keys.

It was a perfect design and I am sad to have lost it.

"I don't know where my sensitive data is!" (4, Insightful)

AMuse (121806) | more than 5 years ago | (#26787519)

I see this directive a lot. It boils down to "We don't know where our sensitive data is, or don't trust our employees to keep it where it should be, so we're encrypting everything!".

Most of the time when I see this, it's because the person making the directive is responsible for security in some manner but has no experience with risk management and mitigation, so they go for the "all out, definitely safe!" shotgun solution. The problem is there's no such thing!

What risks are you actually attempting to mitigate through encrypting everything, and are you aware of the risks you are creating? These are questions the person who made the directive should be able to answer! For instance, if you are trying to mitigate the "PII/Lost Laptop" risk, why not implement drive encryption on laptops only, and buy USB sticks (such as Ironkey) which guarantee the encryption? If you're trying to stop a malicious insider, no amount of encryption will save you if they've been given the key.

Finally as others suggested, what's your key management and password management strategy? I -love- truecrypt but I wouldn't suggest it for a whole enterprise without being able to answer the question "How do I recover the key to this workstation when the employee dies unexpectedly of a heart attack?".

Best of luck in your endeavor but remember this rule: When it comes to implementing security, NEVER BE AFRAID TO ASK MORE QUESTIONS - especially about requirements.

For a simpler life, start with hardware (2, Insightful)

BenEnglishAtHome (449670) | more than 5 years ago | (#26787597)

I've used these products [eclypt.com] for a long time. (There are others; look around.) I suggest you phase 'em in over the next three years, by which time you'll have replaced everything. After all, you already have a budget for replacing all hardware over the next few years, right? Beyond that, remote, enterprise-quality tools for managing this hardware can be *very* pricey add-ons, but if you build your work processes right, there may be little or no need for them.

That just leaves writing to CDs/DVDs. There are open-source packages such as TrueCrypt. If you're already running WinZip, it'll do the same for removable media, allowing your users to set a specific password for that write then sneakernet the disk wherever it needs to go. If you want to force all writes to optical media to be encrypted, you'll need to look at something like GuardianEdge Removable for a commercial app or something inventive if you must go open-source.

One last thought: If your data is so important, so valuable, or so legally regulated that you must encrypt *everything*, then you have the money to go open-source, commercial, or whatever works. I see no justification in the submitted question for limiting the choice to open-source software. If you *have* to do this, you *have* to do it right, no matter the cost. If your big guys say they can't afford the cost, then they don't *have* to do it.

Fedora (1, Informative)

Anonymous Coward | more than 5 years ago | (#26787615)

I've been using Fedora since v8. Fedora 9 introduced the ability to encrypt the entire hard drive. I have at least three servers (Apache, Tomcat, and MySQL) running on my encrypted hard drive and the speed is incredible. Absolutely no issues with speed or problems with start-up or shut-down. Setup is as easy as checking a check box during the install. And logging in just requires a password during the Grub boot cycle to unlock the encrypted hard drive.

Description from Fedora:
"Support the use of encrypted filesystems for anything other than /boot using cryptsetup and LUKS. This includes install time creation/configuration, as well as integrated support in mkinitrd and initscripts (others?). Currently we are only pursuing support for encrypted devices using cryptsetup/LUKS."

Further Reading:

http://magazine.redhat.com/2007/01/18/disk-encryption-in-fedora-past-present-and-future/

http://fedoraproject.org/wiki/Releases/FeatureEncryptedFilesystems

by Anonymous Coward

Why? (1)

peacefinder (469349) | more than 5 years ago | (#26787629)

"My institution has thousands of computers, and is looking at starting an IT policy to encrypt everything, all hard drives, including desktops, laptops, external hard drives, USB flash drives, etc"

It may be too late for this, but... why? What problems is the policy intended to solve? Is there a less-intrusive way to accomplish the same goals? (For instance, centralizing data stores onto servers and making computing devices effectively thin clients.) Do the key-[loss|management|distribution|revocation] issues result in a better security model than you currently have? Is the threat of technical failure leading to denial of service a problem?

(For your org, these issues have presumably already been addressed. But others here considering something similar should be sure to ask those questions.)

Wait... don't do it now. (2, Insightful)

Jane Q. Public (1010737) | more than 5 years ago | (#26787633)

I second the opinion of the first poster who recommended you wait, for several reasons.

First, most methods of encryption are a pain in the butt. If you want to encrypt only some data, then yes I would say Truecrypt. But then it has to be manually un-encrypted before use.

If you want to encrypt whole drives, your network, everything, and have it work transparently, you are in for a headache combined with a nightmare. Headache because getting it set up and working is a major project fraught with problems. Nightmare because you will lose whole drives worth of data when something goes wrong, unless you have a very serious, robust, and reliable backup scheme that you use often.

However, drive manufacturers will be coming out soon with new drives that incorporate DES encryption via hardware. This eliminates the delays and problems with software encryption, and will go a very long way toward making whole-network encryption a lot more practical.

Re:Wait... don't do it now. (1)

argent (18001) | more than 5 years ago | (#26787689)

How does having the encryption in the drive rather than a driver help?

* the processor in the driver is slower than the processor in the computer.
* anything that will trash an encrypted partition will trash it whether the encryption is in hardware or software.

Now you may be arguing that firmware is inherently more reliable than the OS. That's a viable argument, I suppose, but I've worked on too much firmware to believe it.

Step 1: Order lots of Post-it notes... (1)

mkcmkc (197982) | more than 5 years ago | (#26787699)

...because everyone's going to end up writing their passwords on them and sticking them on the relevant hardware.

Step 2: Submit this to Scott Adams--he'll probably have fun with it.

Step 3: Investigate performance of various solutions. I hear good things about this ROT13...

Yellow sticky notes (2, Interesting)

Moof123 (1292134) | more than 5 years ago | (#26787719)

The best encryption/security is most easily foiled by humans:

1. I've seen many username/passwords posted with sticky notes on folks' monitors. Admins are partially to blame by imposing well intentioned, but impractical password rules, resulting in the necessity of users to write that crap down or end up perpetually calling the already overextended IT help desk and being shut down for hours at a shot to figure out passwords.

2. I've seen combos to classified safes written in pencil behind the "Locked"/"Open" magnetic sticker (well, the digits were swapped, but c'mon!).

3. I've had numerous combos given to me for vaults and safes containing secret level materials that ALL followed a retardly simple pattern, making an 8 digit combo lock (4 two digit numbers) effectively a 2 digit one (XY-YX-XY-00). While convenient, it is stupid, and possibly illegal (not sure how the DOD feels about security folks intentionally dumbing down the security they mandate?).

4. I've had to have our uncleared maintenance dude break into the vault when our crap lock broke AGAIN. Acoustic ceiling tiles really should not be the last line of defense for secret files... We regularly had problems with the combo lock on that door as well, a modest shove would open it, on those occasions it actually latched.

5. I've had the security chick for a vault blow me off after I carefully explained how the combo lock on the vault was busted. It took two more attempts, and several days to get someone else to demand it get fixed (she and I had a mutual dislike, I wonder why...). If someone just entered the vault you could turn the knob and get in without the combo, the lock was not properly resetting.

6. I've seen vaults left with only the cheesy punch code combo lock securing things (nobody in the vault) for hours at a shot on weekends, while the dude responsible was off at an extended lunch. This was SOP. Prior jobs demanded vaults always either have a cleared and authorized individual for that vault inside, or that the real locks be spun. Even for bathroom breaks.

Good looking security with lax culture is worse than weak security with a vigilant user base.

Macs and encryption (1)

v1 (525388) | more than 5 years ago | (#26787787)

OS X has built-in support for user home folder encryption. It doesn't support applications and other places outside the home folder automatically though. But unlike Windows, 99.9% of user data is in their home folder.

The entire home folder is a giant sparse disk image and grows as needed. There is a performance hit but it's not a big one. The only complaint we see is sometimes when you logout it will say "your home folder is using more space than needed, do you want to compress now?" That process can take anywhere from a few minutes to an hour depending on how much you deleted that session. Most users can ignore that unless space on the hard drive is running low because they'll just reuse that space during the next session.

Performance is better than whole-disk encryption because the apps and OS are not encrypted.

For mobile drives (like my flash drive) I have an encrypted disk image on there for sensitive information. When plugged into my computer, the password is in my keychain and it unlocks automatically. When in another machine I have to supply the password. This is secure in case my drive is lost or stolen, but isn't too inconvenient and requires no special software or anything to install on any machine I plug it into. OS X has built-in support for creation and use of encrypted disk images.

The system also has you create a master password when making the first encrypted account, and that password can be used to change the user's password if they forget it, which should help your IT department. Normal accounts can be easily converted to encrypted (or back again) with a few button clicks so transition is painless.

Everything?!? (1)

Locke2005 (849178) | more than 5 years ago | (#26787791)

You do realize that encrypting the OS files that came with the computer really doesn't buy you much, don't you? I would think you would want separate data and executable partitions, and only encrypt the data. (Of course, you could put proprietary executables in the data partition.)