
Laptop encryption

  • 22-10-2008 4:03pm
    #1
    Registered Users, Registered Users 2 Posts: 3,464 ✭✭✭


    A site I manage has 6 or 7 laptops (XP and Vista) that have some sensitive data on them, and wants to encrypt the drives on the laptops.
    These laptops are standalone and have no connection to any server - any ideas on good encryption software?
    I have looked at Safeboot but from what I read it needs a server.

    James


Comments

  • Closed Accounts Posts: 17,208 ✭✭✭✭aidan_walsh


    Would people here recommend PGP Whole Disk Encryption?


  • Closed Accounts Posts: 35 Angelo Pascal


    i'd say use truecrypt mainly because it's open source (less likelihood of backdoor) and free - but i've no idea what the best solution is.


  • Registered Users, Registered Users 2 Posts: 9,957 ✭✭✭trout


    Truecrypt is excellent ... but it may not be suitable for 'hands-off' users, as it is quite granular and has many configuration options.

    Ideally, the laptop users will not have Admin access.
    That way, you (as Admin) could install and configure Truecrypt before handing the laptops over.

    You should look at using keyfiles as well as passwords.

    I also would suggest making rescue disks for each laptop, and storing them securely away from the laptops.


  • Registered Users, Registered Users 2 Posts: 2,835 ✭✭✭StickyMcGinty


    i'd say use truecrypt mainly because it's open source (less likelihood of backdoor) and free - but i've no idea what the best solution is.

    yea I've just finished encrypting our laptops with Truecrypt, it's a really excellent tool.

    My major concern was that there would be an overhead encrypting on the fly, but to be honest I haven't noticed it one bit (except it takes a little longer to come out of hibernation)
    trout wrote:
    I also would suggest making rescue disks for each laptop, and storing them securely away from the laptops.

    this is essential... i would also recommend storing the passwords in an encrypted master index if using truecrypt, as the rescue disk won't bypass the password, it's just a failsafe in case the boot sector gets corrupted.


  • Registered Users, Registered Users 2 Posts: 4,162 ✭✭✭_CreeD_


    +1 for Truecrypt. Brilliant product.


  • Registered Users, Registered Users 2 Posts: 7,980 ✭✭✭meglome


    I had the same question with XP and Vista, what's the best way to secure the data. It looks like so far Truecrypt is the way to go.

    How long does it take to set up? Or is that purely dependent on the amount of files on the laptop etc?


  • Registered Users, Registered Users 2 Posts: 9,957 ✭✭✭trout


    The install is quick enough ... less than 5 mins I think, and most of that is given over to 'randomising' a seed key by moving the mouse.

    Overall setup time is dependent on several factors ... not only the volume of data, but the type of encryption chosen & the hard disk / controller / cache performance.

    Once installed, the on-the-fly encryption and decryption will be all but transparent to most users. If the laptops are of a half-decent spec, you probably won't notice any significant performance hit in normal usage.


  • Registered Users, Registered Users 2 Posts: 7,980 ✭✭✭meglome


    trout wrote: »
    Overall setup time is dependent on several factors ... not only the volume of data, but the type of encryption chosen & the hard disk / controller / cache performance.

    I was planning to encrypt the entire system partition. Did you do this? Just wondering how long it might have taken you, if you did.


  • Registered Users, Registered Users 2 Posts: 9,957 ✭✭✭trout


    meglome wrote: »
    I was planning to encrypt the entire system partition. Did you do this? Just wondering how long it might have taken you, if you did.

    I set up a 60 Gb virtual disk - overall install took no more than 15 minutes tops - and that was with me checking & double checking the choices. The users unlock the crypt before use and it encrypts & decrypts on the fly ... which is invisible to most of the users. This has no impact on the applications they run, mostly home-grown VBA apps with MS Office docs as front ends/templates. There is a BIOS password as well, and a commercial disk encryption product. The additional layer of encryption was required for a particularly sensitive set of applications/customers - as the current group policy allows OS and filesystem access to a range of laptop users. One set of users wanted/needed protection for a subset of their data from the organisation as a whole, primarily when they are on the road and before they can dock with the LAN to upload their data.

    I carved the hard drive into 3 partitions - one for Windows, one for core applications and one for data. I only encrypted on the data partition, for convenience. The OS is locked down to an extent with group policies, and I didn't want to mess with the existing policies & patching cycle.

    You might see a performance hit if you encrypt all partitions/drives on the system ... depending on your hardware. I'm thinking in terms of caches, swapfiles and paging files, which might be variable in size and accessed frequently.

    Can you take one of the machines and spend some time experimenting ? It might appear a little daunting at first, given the range of config options, but you'll get the hang of it very quickly.


  • Registered Users, Registered Users 2 Posts: 7,980 ✭✭✭meglome


    Yeah I'll do some experimenting and thanks.


  • Registered Users, Registered Users 2 Posts: 9,957 ✭✭✭trout


    slashdot piece on disk encryption ... mentions PGP WDE and Truecrypt

    -> http://ask.slashdot.org/article.pl?sid=08/10/30/0021245


  • Registered Users, Registered Users 2 Posts: 6,265 ✭✭✭MiCr0


    we use this and its very good
    http://www.checkpoint.com/products/datasecurity/pc/index.html
    can even be unlocked over the phone


  • Closed Accounts Posts: 1,178 ✭✭✭dade


    trout wrote: »
    I also would suggest making rescue disks for each laptop, and storing them securely away from the laptops.

    yep use it too, we had a rescue Cd for each and also ISOs just in case


  • Registered Users, Registered Users 2 Posts: 7,980 ✭✭✭meglome


    How much do you reckon it would cost to get someone to set this up on laptops? We could do it ourselves but would be interested to know if anyone else is offering the service.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    starting from the lowest level

    you can also set up passwords in the laptop BIOS for the machine and the hard drive. nowhere near as secure as drive encryption but quick and easy and you could recover the data by getting the guys in clean rooms to read the platters.
    if the startup and hdd passwords are the same you only need to enter it once on startup. setting it to only kick in on a cold boot makes it less secure but less intrusive and makes the laptop less valuable to a thief

    then truecrypt etc for the whole drive

    if you are running windows you can also use efs to further encrypt user files from each other. you users to files / folders one by one, you can't do by groups. if you reset the user's password they lose the ability to decrypt the files unless the key was backed up earlier


    for linux users encfs is another easy way of encrypting files / folders with a password

    good backups and having the users copy the data from the laptop to a secure server is important because apart from putting an ATA password on the HDD data recovery is impossible for encrypted data if you have either lost the password and/or cert and/or the file is partially corrupted


  • Closed Accounts Posts: 19,080 ✭✭✭✭Random


    Interested in this myself. You guys mention not noticing it hardly on reasonable spec laptops.

    What about the new Dell Inspiron Mini 9s ? Would they have enough boot to manage this while not hogging the whole system or would it be pretty noticeable on that ?

    Thanks


  • Registered Users, Registered Users 2 Posts: 7,980 ✭✭✭meglome


    meglome wrote: »
    How much do you reckon it would cost to get someone to set this up on laptops? We could do it ourselves but would be interested to know if anyone else is offering the service.

    Anyone?


  • Registered Users, Registered Users 2 Posts: 2,835 ✭✭✭StickyMcGinty


    meglome wrote: »
    Anyone?

    Depends on the number of machines and the size of the HDD in each i'd imagine (greater size = greater time invested in the process)


  • Registered Users, Registered Users 2 Posts: 9,957 ✭✭✭trout


    meglome wrote: »
    How much do you reckon it would cost to get someone to set this up on laptops? We could do it ourselves but would be interested to know if anyone else is offering the service.
    meglome wrote: »
    Anyone?

    I guess there are IT companies with a security focus who would take this on ... at a price.

    I wouldn't be able to name or recommend any myself.

    Personally, I think this is best suited to an in-house solution, given the risk of losing access to all the encrypted data. Not so much for the initial setup, but for the ongoing support.

    It all depends on the volumes of machines and your particular requirements for encryption ... and the going rates for the firms involved.

    Call me cynical, but I would expect commercial interests to play here as well ... I can't see an IT / Security firm recommending an open source solution to you, if they are in the business of selling/installing/supporting commercial products. Maybe I'm wrong ... but it would be interesting to find out how you get on.

    Good luck :)


  • Registered Users, Registered Users 2 Posts: 218 ✭✭Screaming Monkey


    also being old and cynical, i can't see any IT security company putting forward truecrypt as a preferred solution.

    The strength of the commercial encryption products is the "vendor support", functionality and the manageability especially for a large number of encrypted laptops. You're looking at 3 big products really - Safeboot, Utimaco and Pointsec, have evaluated most of them and they're pretty much all the same.

    SM


  • Registered Users, Registered Users 2 Posts: 7,980 ✭✭✭meglome


    Thanks everyone.


  • Registered Users, Registered Users 2 Posts: 7,980 ✭✭✭meglome


    Some questions for you guys...

    If I want to protect the following things how do you suggest the best way to do it with Truecrypt... So the generic data files (straightforward enough), any email files and passwords saved into browsers. I don't really want to encrypt the entire drive.


  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    any email files and passwords saved into browsers.
    This is browser specific.
    I know with firefox, you have a profile folder, where everything (afaik) goes, the location of which you can specify. You can specify this to be on a certain virtual truecrypt drive, and then mount the drive before running your browser.
    I have a setup like that, for thunderbird, to keep my e-mail safe from laptop theft.

    Thing is, with any setup like this, you have to be careful to consider things like swap space; or simpler things like users temporarily saving files onto the unencrypted portions of the hard disk. It's very difficult to get it right with a partial disk solution (although some things, such as turning off virtual memory, will help mitigate certain risks). Guess it depends on how sensitive the information is.

    But whole disk encryption is really the way to go, if at all possible.


    The additional layer of encryption was required for a particularly sensitive set of applications/customers - as the current group policy allows OS and filesystem access to a range of laptop users. One set of users wanted/needed protection for a subset of their data from the organisation as a whole, primarily when they are on the road and before they can dock with the LAN to upload their data.

    I carved the hard drive into 3 partitions - one for Windows, one for core applications and one for data. I only encrypted on the data partition, for convenience. The OS is locked down to an extent with group policies, and I didn't want to mess with the existing policies & patching cycle.

    Trout, obviously I don't know specifics of your setup - but you're not saying that the encryption is used to protect some of the users of the computer, from other users of the computer who have write access to the OS?

    Even if they don't have write access, due to windows restrictions (think you said they don't have admin access?), but have physical access to the laptop, and ability to mount the OS - could they subvert the 'internal' cryptosystem? (Eg, remove hdd, mount OS partition, install keylogger onto OS, change encryption binaries etc). Guess that's taking it to extremes, but multiple nested layers of encryption is already pretty paranoid! Presume this has all been considered, and appropriate judgment calls made, just curious.


  • Registered Users, Registered Users 2 Posts: 9,957 ✭✭✭trout


    fergalr wrote: »
    Trout, obviously I don't know specifics of your setup - but you're not saying that the encryption is used to protect some of the users of the computer, from other users of the computer who have write access to the OS?

    Even if they don't have write access, due to windows restrictions (think you said they don't have admin access?), but have physical access to the laptop, and ability to mount the OS - could they subvert the 'internal' cryptosystem? (Eg, remove hdd, mount OS partition, install keylogger onto OS, change encryption binaries etc). Guess that's taking it to extremes, but multiple nested layers of encryption is already pretty paranoid! Presume this has all been considered, and appropriate judgment calls made, just curious.

    At first glance it may appear pretty paranoid ... however the customer data in question is deemed sensitive and should be restricted to a small group of mobile users.

    The additional layer of encryption was deemed necessary by the business to further protect the data in the event of laptop theft, AND from the threat of a skilled / malicious user within the organisation, but outside of the specific team.

    Trust me ... if you were one of the customers involved, you'd be glad your data is protected in this way ... in storage and in transit.


  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    Trust me ... if you were one of the customers involved, you'd be glad your data is protected in this way ... in storage and in transit.

    Good to hear there's at least some organisations taking security seriously!
    If I've understood it properly, though, I don't see how you defend against the threat I described?

    Where a skilled malicious user with physical access to the machine, and access to the OS in decrypted form, takes the HDD from the machine, mounts the OS, changes the encryption binaries to capture the password, replaces everything, lets the laptop be used by the other users with access to the privileged data (their password/keys being captured by the malicious binaries or OS), recovers the laptop at a later date, repeats the process, decrypts the sensitive data, and makes off with it.

    It's possible I've misinterpreted your scenario, but I don't see how you can give physical access to a potentially malicious user, who has access to the same OS partition, that's also used by the other user to mount the sensitive data, and expect the second data partition to go unexploited?

    Edit:
    To be clear, this is the bit that was confusing me:
    One set of users wanted/needed protection for a subset of their data from the organisation as a whole, primarily when they are on the road and before they can dock with the LAN to upload their data.
    I carved the hard drive into 3 partitions - one for Windows, one for core applications and one for data. I only encrypted on the data partition, for convenience. The OS is locked down to an extent with group policies, and I didn't want to mess with the existing policies & patching cycle.

    because the OS isn't locked down from the untrusted people in the organisation.

    I guess the scenario where a malicious person within the organisation gets intermittent access to the laptop to subvert binaries is thought unlikely (ie, the laptops are physically secured)?

    Re-reading your first post it doesn't sound exactly like I thought; I guess a small group of users that let the organisation as a whole administer their machines, or have access to their OS partitions are always going to be at risk of some attacks like that, even if they have their data encrypted.


  • Registered Users, Registered Users 2 Posts: 9,957 ✭✭✭trout


    fergalr wrote: »
    Good to hear there's at least some organisations taking security seriously!
    If I've understood it properly, though, I don't see how you defend against the threat I described?

    Where a skilled malicious user with physical access to the machine, and access to the OS in decrypted form, takes the HDD from the machine, mounts the OS, changes the encryption binaries to capture the password, replaces everything, lets the laptop be used by the other users with access to the privileged data (their password/keys being captured by the malicious binaries or OS), recovers the laptop at a later date, repeats the process, decrypts the sensitive data, and makes off with it.

    It's possible I've misinterpreted your scenario, but I don't see how you can give physical access to a potentially malicious user, who has access to the same OS partition, that's also used by the other user to mount the sensitive data, and expect the second data partition to go unexploited?

    We try to enforce the concept of Separation of Duties.

    Whole disk encryption is applied by the OS team who provision and build the laptops. User accounts for the applications are provisioned by another team. The additional encryption is installed and controlled by a local IT unit who themselves don't have access to the base OS, WDE or user directories.

    Members of the OS support teams may have access, or the ability to elevate their access to the OS partition, and conceivably the application partition which is why the sensitive data is on its own dedicated partition. Any elevated access would be logged at both the OS level, and the application set.

    I take your point - no cryptosystem can ever be completely secure against a skilled and malicious admin user with time and motivation to brute force.

    Risks cannot be eliminated entirely, just reduced. That's what we've tried to do.
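
Added example, not part of the original thread: one way to detect the altered-binary scenario discussed above is to hash the encryption software's files on the unencrypted OS partition and compare them with an HMAC-signed baseline. The `crypto-tool` directory, its file names and the key are constructed placeholders; the result is only trustworthy when the check runs from trusted boot media with the baseline and key kept off the laptop.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Hypothetical location of the encryption software on the unencrypted OS partition.
PATTERNS = ["crypto-tool/**/*"]


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large drivers/executables are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root, patterns):
    """Map each matching file (path relative to root) to its SHA-256."""
    root = Path(root)
    files = {}
    for pattern in patterns:
        for p in sorted(root.glob(pattern)):
            if p.is_file():
                files[p.relative_to(root).as_posix()] = sha256_file(p)
    return files


def _tag(files, key):
    payload = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def sign_baseline(files, key):
    """Bind the baseline to a key so an edited baseline is detectable."""
    return {"files": files, "hmac": _tag(files, key)}


def verify(root, patterns, signed, key):
    """Return modified / missing / added files relative to the signed baseline."""
    if not hmac.compare_digest(_tag(signed["files"], key), signed["hmac"]):
        raise ValueError("baseline HMAC mismatch: the baseline itself was altered")
    base = signed["files"]
    current = build_baseline(root, patterns)
    return {
        "modified": sorted(f for f in base if f in current and current[f] != base[f]),
        "missing": sorted(f for f in base if f not in current),
        "added": sorted(f for f in current if f not in base),
    }


def demo_tamper_check():
    """Constructed data: baseline a fake install, then alter one file and add another."""
    key = b"constructed-demo-key"  # assumption: in practice stored off the laptop
    with tempfile.TemporaryDirectory() as d:
        tool = Path(d) / "crypto-tool"
        tool.mkdir()
        (tool / "tool.exe").write_bytes(b"original loader")
        (tool / "driver.sys").write_bytes(b"original driver")
        signed = sign_baseline(build_baseline(d, PATTERNS), key)
        clean = verify(d, PATTERNS, signed, key)
        (tool / "tool.exe").write_bytes(b"altered loader")
        (tool / "hook.dll").write_bytes(b"unexpected file")
        return clean, verify(d, PATTERNS, signed, key)


if __name__ == "__main__":
    clean, tampered = demo_tamper_check()
    print("before:", clean)
    print("after: ", tampered)
```

A clean report from a check started inside the installed OS proves little, because whoever altered the binaries could have altered the checker as well.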


  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    Risks cannot be eliminated entirely, just reduced.
    Of course; that's how security goes in the real world.
    That's what we've tried to do.
    Have to say, I'm impressed with your response, few organisations take security that seriously; fair dues.


  • Registered Users, Registered Users 2 Posts: 525 ✭✭✭Tinytony


    Sorry for pulling up an old thread but it has most of the info I was looking for.

    I'm going to install encryption of some level on about 30 laptops. From the research I've been doing truecrypt seems to be the way to go (i.e. free!).

    I am just wondering whether to go for the full disk encryption or creating an encrypted container to be used when transporting files between client sites and the server.

    My main fear of the encrypted container is that you are still relying on the users themselves to actually place the files within the container so you have no real guarantee that the files being transported are safe.

    Would there be any reason not to go for full disk encryption? What are the major downsides to it? I have previously worked on a safeboot deployment and we ended up with a few dead hard drives caused by the encryption process, so obviously I could do without the headache of that at the moment.

    Your thoughts would be much appreciated.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 93,567 Mod ✭✭✭✭Capt'n Midnight


    Tinytony wrote: »
    My main fear of the encrypted container is that you are still relying on the users themselves to actually place the files within the container so you have no real guarantee that the files being transported are safe.
    you could also encrypt the pagefile and system temp folder and user temp folder, browser cache etc., but even then you would still be exposed to retrieving data from other places possibly from deleted file space too.

    The main problem with whole drive encryption is that you need good backups because you can't recover data from the system. If it doesn't boot up by itself you should be able to copy data off using a bootable usb stick with truecrypt and the key, and wipe and start again.


  • Registered Users, Registered Users 2 Posts: 525 ✭✭✭Tinytony


    you could also encrypt the pagefile and system temp folder and user temp folder, browser cache etc., but even then you would still be exposed to retrieving data from other places possibly from deleted file space too.

    The main problem with whole drive encryption is that you need good backups because you can't recover data from the system. If it doesn't boot up by itself you should be able to copy data off using a bootable usb stick with truecrypt and the key, and wipe and start again.

    I would also be a bit worried by the fact that if the user forgets their truecrypt password while out on site then they have no access to the machine, whereas if it's just a container then at least they could still use other applications etc until I was able to provide them with the password.


  • Registered Users, Registered Users 2 Posts: 525 ✭✭✭Tinytony


    Sorry to drag this up again.

    Am I right in saying that if a user forgets their password for Truecrypt then they are completely locked out of that machine forever? Is there any method of recovery or an overriding admin password that can be used?

    I just don't think I could trust these users to remember their passwords and I obviously don't want to record their passwords on a file.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    in the FAQ it says you'd have to crack the password.

    you could put the passwords in a file, encrypt it and store on cd-rom..place in a book shelf or somewhere it won't get lost or damaged, just in case you need to recover any data.


  • Registered Users, Registered Users 2 Posts: 525 ✭✭✭Tinytony


    Martyr wrote: »
    in the FAQ it says you'd have to crack the password.

    you could put the passwords in a file, encrypt it and store on cd-rom..place in a book shelf or somewhere it won't get lost or damaged, just in case you need to recover any data.

    Ya that is what I was thinking of doing but I wasn't entirely happy with the idea of the passwords all being written down together.

    With Safeboot you could have a master account that could access any machine, without needing to know the individual user passwords. But with true crypt being a free software I suppose you can't really expect to have the same level of "enterprise" features available.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    With Safeboot you could have a master account that could access any machine, without needing to know the individual user passwords. But with true crypt being a free software I suppose you can't really expect to have the same level of "enterprise" features available.

    that definitely would be useful, if you made a donation/request they might implement such a feature :)

    actually, there appears to be some kind of rescue disk, would that work?

    http://www.truecrypt.org/docs/rescue-disk


  • Registered Users, Registered Users 2 Posts: 525 ✭✭✭Tinytony


    Martyr wrote: »
    that definitely would be useful, if you made a donation/request they might implement such a feature :)

    actually, there appears to be some kind of rescue disk, would that work?

    http://www.truecrypt.org/docs/rescue-disk

    Na, I was just testing that there. The rescue disk is only in the event the Boot Loader gets corrupted or repairing the master key data, but again you need to have the correct password to boot up after the repair.

    I think I might just go with the Encrypted Container option, make it IT policy that any company or client data must be stored within this container and leave the onus back on the user to use the encryption software that I so kindly made available to them.

    It's far from ideal but at least I can say I made the effort to provide them with a secure encrypted way of transporting client files.


  • Registered Users, Registered Users 2 Posts: 1,922 ✭✭✭fergalr


    Tinytony wrote: »
    Na, I was just testing that there. The rescue disk is only in the event the Boot Loader gets corrupted or repairing the master key data, but again you need to have the correct password to boot up after the repair.

    I think I might just go with the Encrypted Container option, make it IT policy that any company or client data must be stored within this container and leave the onus back on the user to use the encryption software that I so kindly made available to them.

    Users won't do that. There will be programs storing unencrypted temporary copies of important documents outside the container, unless users are extremely careful. Also, users will accidentally leave important documents on the desktop. It's still better than nothing, but better off with whole disk encryption.
    If you are critically concerned that they won't be able to use a computer at all if they use their passwords, maybe give them some sort of bootable liveCD or usb key. Or just make them remember their password - if they are entering it in every day, they won't forget it.
    Tinytony wrote: »
    It's far from ideal but at least I can say I made the effort to provide them with a secure encrypted way of transporting client files.


    What's wrong with storing the passwords encrypted at some sort of a secure location? How is this any different than having a rescue/recovery disk at a secure location? In either case you have to trust the person that has the passwords or the rescue disk.
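
Added example, not part of the original thread: if the container-only policy discussed above is adopted, an administrator can audit a laptop for documents and Office temporary copies that ended up outside the mounted container. The file-name patterns, the `Vault` mount directory and the sample files are constructed assumptions; on Windows the container would normally be a separate drive letter passed as `container_root`.

```python
import os
import tempfile
from fnmatch import fnmatchcase
from pathlib import Path

# Assumed patterns (lower case); adjust to the document types the site handles.
DOC_PATTERNS = ("*.doc", "*.docx", "*.xls", "*.xlsx", "*.pdf", "*.pst", "*.mdb")
# Owner/lock files and scratch copies that Office writes next to open documents.
TEMP_PATTERNS = ("~$*", "~wr*.tmp")


def is_inside(path, container_root):
    """True if path lies within the mounted encrypted volume."""
    try:
        Path(path).resolve().relative_to(Path(container_root).resolve())
        return True
    except ValueError:
        return False


def audit(scan_root, container_root):
    """List (relative path, reason) for sensitive-looking files left unencrypted."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(scan_root):
        if is_inside(dirpath, container_root):
            dirnames[:] = []  # do not descend into the encrypted volume
            continue
        for name in filenames:
            low = name.lower()
            if any(fnmatchcase(low, p) for p in TEMP_PATTERNS):
                reason = "office-temp-copy"
            elif any(fnmatchcase(low, p) for p in DOC_PATTERNS):
                reason = "document-outside-container"
            else:
                continue
            rel = Path(dirpath, name).relative_to(scan_root).as_posix()
            findings.append((rel, reason))
    return sorted(findings)


def demo_audit():
    """Constructed profile tree: one stray spreadsheet, one Word scratch file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for sub in ("Desktop", "Temp", "Vault"):
            (root / sub).mkdir()
        (root / "Desktop" / "clients.xls").write_bytes(b"constructed")
        (root / "Desktop" / "notes.txt").write_bytes(b"constructed")
        (root / "Temp" / "~WRL0001.tmp").write_bytes(b"constructed")
        (root / "Vault" / "report.doc").write_bytes(b"constructed")  # inside container
        return audit(root, root / "Vault")


if __name__ == "__main__":
    for rel, reason in demo_audit():
        print(f"{reason:28} {rel}")
```

The audit only sees files that still exist; it does not cover the pagefile or deleted file space mentioned earlier in the thread.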

