RE: Whole disk encryption

Mon, 28 Aug 2006 07:22:52 -0700 


-----Original Message-----
From: Erik Anderson [mailto:[EMAIL PROTECTED] 
Sent: Thursday, August 24, 2006 12:07 PM
To: [email protected]
Subject: RE: Whole disk encryption

> -----Original Message-----
> From: Sarah [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 24, 2006 11:48 AM
> To: [email protected]
> Subject: Whole disk encryption
> 
> 
> 
> What is the consensus of the group on the use of whole disk encryption
in
> an enterprise environment?

>Why? You only need to protect the data not the whole OS.  It causes too
>many problems.  I don't recommend creating a headache for yourself when
you >only need to protect some data.

>I recommend creating an encrypted partition and mounting an encrypted
file
>system on that partition.

>In addition there are plenty of 3rd party software packages out there
that
>have encrypted filter drivers or will allow you to create an encrypted
>virtual disk.  You use that disk just as any secondary disk.  The
>encryption becomes transparent to you.


The problem comes when data that would be encrypted in a folder or
partition is opened and used in OS swap space or other temporary
containers. You can't tell how long that data, now decrypted, will
remain accessible. I'll let you all decide how simple or hard it would
be to access this data. I know I've been surprised how much you can pull
back with forensic tools.

Each system (full-disk and file/folder-level) have their bonuses and
drawbacks but if people are truly concerned about encrypting their data
they should consider full-disk encryption. If simple static storage of
"finished" data is all that is required then perhaps file/folder
encryption is enough but if you have users that may not save things in
the correct, encrypted folder or would be required to encrypt the
document themselves perhaps full disk is better to eliminate that
variable.

>Make sure to backup the keys somewhere or you will permanently loose
>everything if something happens to the key.

Amen brother. Many of the full-disk systems I've been reviewing have a
centralized management console that would allow an admin to either
recreate the key or access the encrypted system with an "admin key" to
help alleviate the "I forgot my password" issues.

Samuel Mason, CISSP
Data Security Specialist
Montana State Fund



---------------------------------------------------------------------------
---------------------------------------------------------------------------























					Reply via email to