Computer Encryption

RangeR

Everyone knows that laptops, usb drives etc should be encrypted. That's just standard practice unless you work in the HSE!!!!???? :eek:

Anywho, would it be considered "overboard" to encrypt desktops. They aren't generally moveable but they can be stolen / removed from premises.

My disk crypto of choice is obviously TrueCrypt.

Interested in peoples thoughts.

KeRbDoG

Desktops can be stolen should people want to, easy to remove a HDD from an unlocked PC and walk out of an office with it should you really be after a scandal of some sort
They should be encrypted, if your enforcing it on laptops they should fall under the same requirements. Should be considered the standard requirements for machines which in theory could hold confidential private information which is covered by data protection. To add, the use of external media (USB sticks etc.) should be banned within organisations which deal with confidential data.

RangeR

Yup, it sounds downright obvious when you put it that way
Already planned on banning USB anythings, both in policy and physically enforced.

I assume this enforcement doesn't fall onto servers? They are relatively secure, being locked away in a limited access room.

BostonB

In one place I know of they had the server room propped open as they were doing work and in and out all the time. At some point someone walked in and pulled an email server out of the rack and disappeared with it. All very suspicious at the time. So yes it can happen.

The problem with encrypted disks, is that if theres a problem with them you often lose the whole volume. So keeping backups and checking they are ok becomes more important. Also you don't want only one person to have the passwords in case something happens to them. Might be wise to keep an unencrypted copy in a secure location. And you might want to keep some stuff on read only media.

RangeR

BostonB wrote: »

In one place I know of they had the server room propped open as they were doing work and in and out all the time. At some point someone walked in and pulled an email server out of the rack and disappeared with it. All very suspicious at the time. So yes it can happen.

The problem with encrypted disks, is that if theres a problem with them you often lose the whole volume. So keeping backups and checking they are ok becomes more important. Also you don't want only one person to have the passwords in case something happens to them. Might be wise to keep an unencrypted copy in a secure location. And you might want to keep some stuff on read only media.

Yup. Fair points. We keep all passwords in database. Each password has a random salt and is AES encrypted. The application that decrypts and presents the password on screen is in a TrueCrypt container. 5 trusted people in the company have the 20+ char PassPhrase for that container.

We also have a DR offsite with realtime replication of network data. I might look at encrypting those drives as they are in a shared location.

My "fear" of encrypting the servers is that if I ever need to reboot one, I'll have to enter pre-boot auth details everytime. It may not always be possible to be physically at the server.

BostonB

Even with workstations, that you might remote desktop into, encrypting them might cause problems is they are restarted though a power outage and you are not near them. I don't know if Microsoft's inbuilt encryption works better in that regard.

http://social.technet.microsoft.com/Forums/en-US/W8ITProPreRel/thread/088cfa1e-02fb-4330-9d48-0923b78829d8/

LoLth

the main requirement for encryption of hard drives and USB keys is the portability of the device. laptops and USB keys / external hard drives can be carried outside of the office where office security measures no longer apply.

Every now and then you do hear about cases where the data loss occurs from inside the office - laptops being lifted by thieves (years ago, some company in Ireland was burgled on a friday night... thieves broke in and took the CPUs out of the PCs, no-one knew anything about it until monday when they wouldnt start... but then, CPUs were gold dust). Thing is, its very much dependant on the situation.

If members of the public are around the PCs then yes, they should be encrypted. If they are not, and the company has any sort of security policy (visitor sign in, a lock on the door, swipe cards etc) then desktops should be ok without encryption.

Encrypting servers: generally the server room is the most secure room in an organisation. Door propped open for work? yes it happens but it should be known about and monitored (as to how an EMAIL server got unplugged and carried out without someone getting an alert or noticing that a server was down....) Again its situational and it very much depends on the content being protected. You dont want to encrypt a high traffic DB server for example as the encryption overhead will slow performance noticeably.

As for encrypting causing problems with reboot, why encrypt the entire drive? Just make a truecrypt container and mount it for the shares (you can automount a truecrypt volume and prompt for password by using the load favourites settings) yes, your encrypted share will be inaccessible until you type in the password but at least the server will boot and you can enter the password over a secure remote connection.

backups of encrypted volumes: if you backup an encrypted volume you'll have to back up the entire volume, not just what's used, unless you extract the files from the volume while its mounted and then re-encrypt them on the backup volume, or just backup from mounted volume and not bother with encrypting the backup.

Full disk encryption does indeed mean if something goes wrong its often easier just to wipe and reinstall. a 160gb hard drive can take up to 3 days to decrypt so you can fix a bad sector or corrupt file (if it actually decrypts successfully) then you work on it and re-encrypt - wipe and reinstall might be better. Workstations tend to have bigger hard drives and servers bigger again... I dont fancy waiting for a 5TB raid array to decrypt before I can start working on the problem.

rather than looking at encrypting everything , I'd look at solutions for data classification. truely sensitive documents should be marked as such and rules should be in place through whatever software that they cannot be copied or moved or saved to anywhere but a secure location - like an encrypted volume on a server share - then again, there's no defense against a camera phone - which reminds me, make things too difficult to get at for the users becuase of proper security and you'll just end up making it more reasonable, in their minds, to keep copies of data on areas that aren't secure so they can access it when they want it (anyone else heard the complaints about the network being slow and then finding out that the complaining person and everyone else in the office are pulling down gigs of files to work on, all at the same time? or that their computer is running slow and when you look it only has 1% disk space remaining because once they are finished with a file they like to keep a copy, just in case and they have a snapshot of the entire fileshare in their my documents folder? or their email has disappeared when they get their new workstation after a dead hard drive in the old one, did they archive? "of course! I kept an archive in a folder on my desktop because the network only lets me save 500mb worth of email and the funny pictures of my cats take up that amount of space alone").

no experience of how MS encryption (bitlocker??) works to be honest but I've heard good things about it.

oh, and some touch based devices have issues with full disk encryption, they look for the password before initialising the virtual keyboard....

Rgb.ie

RangeR wrote: »

Yup. Fair points. We keep all passwords in database. Each password has a random salt and is AES encrypted. The application that decrypts and presents the password on screen is in a TrueCrypt container. 5 trusted people in the company have the 20+ char PassPhrase for that container.

We also have a DR offsite with realtime replication of network data. I might look at encrypting those drives as they are in a shared location.

My "fear" of encrypting the servers is that if I ever need to reboot one, I'll have to enter pre-boot auth details everytime. It may not always be possible to be physically at the server.

An IP KVM might get around this issue. ( has for ourselves )

RangeR

Rgb.ie wrote: »

An IP KVM might get around this issue. ( has for ourselves )

Yup. Fair point. I believe that some our servers have that built in [DELL] but I haven't investigated at all. Just going from POST messages, from memory.

RangeR

LoLth wrote: »

no experience of how MS encryption (bitlocker??) works to be honest but I've heard good things about it.

I've heard bad things about BitLocker with or without TPM. I wouldn't say it's totally useless. It does encrypt the data. But it doesn't exactley keep your key safe. Having said that, the last time I visited BitLocker was around the time of Win7 release.

BostonB

BitLocker doesn't get around the boot issue anyway, which would be the only reason to use it over something like Truecrypt IMO. Its going to come down which is more important needing to remote into a server or accepting the limitation of physical access. Also do you really need to encrypt it at all. You might just be ok encrypting some disks or file containers on a another machine which can by scheduled mounted/dismounted by a job. There probably more specialized forums where they deal specifically with these kinda issues.

Khannie

BostonB wrote: »

Even with workstations, that you might remote desktop into, encrypting them might cause problems is they are restarted though a power outage and you are not near them.

The workaround that I heard for this (in Linux at least) was to have the initrd contain an ssh daemon, which could only be connected to by key exchange. You could then feed the box the hdd decryption key over ssh. It doesn't overcome the chicken and egg situation of someone having physical access though (i.e. someone with physical access could alter your initrd to put in their own nasty ssh daemon which steals your hdd decryption key and continues the boot. You would be none the wiser without additional checks in place.).

A management interface with hardware that allows you to enter a decryption passphrase over a secure channel is the only real solution for secure, remote power on and that's generally very pricey.

Capt'n Midnight

If you do this
http://hackaday.com/2012/06/29/turning-an-arduino-into-a-usb-keyboard/

slap a network shield on it and now you've got IP access to a keyboard - of sorts - if you can do the programming