Full Disk Encryption Survey

Discussion in 'Computer Security' started by Saqib Ali, Jul 9, 2007.

  1. Saqib Ali

    Saqib Ali Guest

    Please vote for you favorite Full Disk Encryption FDE solution at the
    following URL:
    http://security-basics.blogspot.com/2007/07/full-disk-encryption-survey.html
    or
    http://tinyurl.com/2oy7k4


    Please consider the following when voting:
    1. Easy of use
    2. Transparency to the user
    3. Directory integration (e.g. integration with Active Directory or
    LDAP)
    4. Key Management (Backup, recovery, archiving)
    5. Password recovery
    6. Cost
    7. User Interface
    8. Reliability
    9. Performance
    10. Overall Functionality
    Saqib Ali, Jul 9, 2007
    #1
    1. Advertising

  2. Saqib Ali

    Vanguard Guest

    "Saqib Ali" wrote in message
    news:...
    > Please vote for you favorite Full Disk Encryption FDE solution at the
    > following URL:
    > http://security-basics.blogspot.com/2007/07/full-disk-encryption-survey.html
    > or
    > http://tinyurl.com/2oy7k4



    In order for any product to be favorite requires that user also report
    what OTHER similar products they trialed or used. A user that has only
    used one FDE product doesn't have a favorite. I have one sister, so the
    joke goes "you're my favorite sister". You do not let the user report
    what other FDE products they have used or how many total FDE products
    they have used (which must be greater than one). The survey is
    worthless without this info.
    Vanguard, Jul 9, 2007
    #2
    1. Advertising

  3. Saqib Ali

    benb Guest

    "Vanguard" <> wrote in message
    news:...
    > "Saqib Ali" wrote in message
    > news:...
    >> Please vote for you favorite Full Disk Encryption FDE solution at the
    >> following URL:
    >> http://security-basics.blogspot.com/2007/07/full-disk-encryption-survey.html
    >> or
    >> http://tinyurl.com/2oy7k4

    >
    >
    > In order for any product to be favorite requires that user also report
    > what OTHER similar products they trialed or used. A user that has only
    > used one FDE product doesn't have a favorite. I have one sister, so the
    > joke goes "you're my favorite sister". You do not let the user report
    > what other FDE products they have used or how many total FDE products they
    > have used (which must be greater than one). The survey is worthless
    > without this info.
    >


    I'll be keeping an eye on this survey, as I'm currently researching an FDE
    solutions for about 20 of our users laptops. So far I've downloaded and
    tested PGP WDE, next is CompuSec, I have a trial of SafeGuard Easy on order
    (hopefully arrive in the post next week), and I'm arranging a conference
    call with someone from PointSec to setup a trial of that product.

    If anyone has any experience with any of the or other products, I'd be
    interested in your views. Our requirements are:
    Full Disk Encryption
    Pre Boot Authentication
    Activate Directory Integration
    Easy Deployment (MSI/group policy)
    Automated Encryption (no user intervention)

    Cheers

    Ben
    benb, Jul 12, 2007
    #3
  4. Saqib Ali

    Sebastian G. Guest

    benb wrote:


    > I'll be keeping an eye on this survey, as I'm currently researching an FDE
    > solutions for about 20 of our users laptops. So far I've downloaded and
    > tested PGP WDE, next is CompuSec, I have a trial of SafeGuard Easy on order
    > (hopefully arrive in the post next week), and I'm arranging a conference
    > call with someone from PointSec to setup a trial of that product.
    >
    > If anyone has any experience with any of the or other products, I'd be
    > interested in your views.



    Trivial: CompuSec is insecure by design. Just create a password reset floppy
    on a second machine, start the recovery at the first, insert it, and there
    you go. A trivial proof that they must have stored the key on the encrypted
    disk as well.

    SafeGuard Easy... well, has this shit become working now? On two test
    machines I saw the boot loader completely crashing, totally ignoring any
    keyboard response, or not accepting any of the correct passwords.

    > Our requirements are:


    > Full Disk Encryption
    > Pre Boot Authentication
    > Activate Directory Integration
    > Easy Deployment (MSI/group policy)
    > Automated Encryption (no user intervention)


    Hm... what about actual security? In terms of encryption this means to only
    Open Source software, due to a matter of trust and verification of the
    implementation. CompuSec has already been mentioned. SafeGuard Easy has been
    proven to be horrible insecure, f.e. not properly locking memory regions
    and then letting the keys being swapped out.
    Sebastian G., Jul 13, 2007
    #4
  5. Saqib Ali

    Arthur T. Guest

    In Message-ID:<>,
    "benb" <> wrote:

    >I'll be keeping an eye on this survey, as I'm currently researching an FDE
    >solutions for about 20 of our users laptops. So far I've downloaded and
    >tested PGP WDE, next is CompuSec


    Before you try out CompuSec, you might want to look at some
    previous posts about it in this newsgroup. Here's part of one of
    mine:

    Message-ID: <>
    Of course, even 128-bit encryption is overkill since the
    password is a maximum of 16 alpha-numeric characters. I work that
    out to be just over 95 bits worth.

    Also, there's something akin to a back-door in Compusec. In
    their Yahoo support group, one message said:

    >Hi, may I recommend you to send your Securityinfo.dat file to:
    >
    >support.sg@ce-infosys
    >
    >Send it with a request to have them extract your UserID and password
    >reset code.


    --
    Arthur T. - ar23hur "at" intergate "dot" com
    Looking for a z/OS (IBM mainframe) systems programmer position
    Arthur T., Jul 13, 2007
    #5
  6. Saqib Ali

    benb Guest

    "Sebastian G." <> wrote in message
    news:...
    > benb wrote:
    >
    >
    > Trivial: CompuSec is insecure by design. Just create a password reset
    > floppy
    > on a second machine, start the recovery at the first, insert it, and there
    > you go. A trivial proof that they must have stored the key on the
    > encrypted
    > disk as well.


    Yeah I tested it at home last night and didn't like it at all. There are a
    number of other failings as well. Such as only allowing 1 user login, if a
    consultant sends a machine in for repair, it would be useful to be able to
    login without them having to expose their password. Another is only allowing
    alphanumerical charactors in the login name, our users logon to the domain
    as joe.bloggs, but they couldn't use this to login to CompuSec as it
    contains a period, so its another username for them to remember. There is no
    windows/directory service synchronisation, so it means another password for
    users to remember, increasing the likihood of users writing down passwords
    somewhere.

    > SafeGuard Easy... well, has this shit become working now? On two test
    > machines I saw the boot loader completely crashing, totally ignoring any
    > keyboard response, or not accepting any of the correct passwords.


    Thanks for the warning, I was going to install it on my laptop to test, but
    I think I'll use a spare now, until I know it works! I've heard from other
    people that it is stable, and offers all of the requirements listed below.

    >> Our requirements are:

    >
    >> Full Disk Encryption
    >> Pre Boot Authentication
    >> Activate Directory Integration
    >> Easy Deployment (MSI/group policy)
    >> Automated Encryption (no user intervention)

    >
    > Hm... what about actual security? In terms of encryption this means to
    > only
    > Open Source software, due to a matter of trust and verification of the
    > implementation. CompuSec has already been mentioned. SafeGuard Easy has
    > been
    > proven to be horrible insecure, f.e. not properly locking memory regions
    > and then letting the keys being swapped out.


    I assumed that most of the products mentioned used at least AES 128, and so
    were fairly equal in that respect. Certainly all the datasheets for PGP WDE,
    SafeGuard Easy, PointSec & CompuSec state that they are capable of AES 256,
    and PointSec & SafeGuard say they are FIPS 140-2 compliant.

    My major reason for looking into this is in the event that one of our
    consultants has a laptop stolen, and someone might be able to retrieve
    clients confidential information from the hard disk. We're not a goverment
    organisation, bank or anything, but it would damage the company's reputation
    if a client were to find their information had been lost/made public!

    Ben
    benb, Jul 13, 2007
    #6
  7. "benb" <> wrote:

    > Thanks for the warning, I was going to install it on my laptop to
    > test, but I think I'll use a spare now, until I know it works! I've
    > heard from other people that it is stable, and offers all of the
    > requirements listed below.


    FWIW, no problems at all with SGE 4.2 at our company, and Utimaco lists
    a number of reference customers - some of which DID get to check the
    security of SGE in much more detail than for example Sebastian ;-)

    (For example, the German Army uses it, and to do so required permission
    from the government data security agency...)

    >> Hm... what about actual security? In terms of encryption this means
    >> to only Open Source software, due to a matter of trust and
    >> verification of the implementation. CompuSec has already been
    >> mentioned. SafeGuard Easy has been proven to be horrible insecure,
    >> f.e. not properly locking memory regions and then letting the keys
    >> being swapped out.


    Which is totally and utterly meaningless in a switched-off laptop, which
    is what SGE is designed to protect. All full-disc-encryption packages
    have the "weakness" that they allow data to be accessed when the laptop
    is on (even any Linux implementation) - after all, that's what they're
    designed for.

    How about stopping being a troll and actually sticking to the topic,
    Sebastian?

    > I assumed that most of the products mentioned used at least AES 128,
    > and so were fairly equal in that respect. Certainly all the
    > datasheets for PGP WDE, SafeGuard Easy, PointSec & CompuSec state
    > that they are capable of AES 256, and PointSec & SafeGuard say they
    > are FIPS 140-2 compliant.


    They are. Sebastian means that there might be a chance to recover the
    key when the laptop is running - which however is meaningless in any
    realistic scenario, because if the laptop is stolen while switched on,
    the files are accessible anyway®, even if the most secure unobtainium-
    derived open-source software is used (that of course was compiled by a
    self-written compiler, as you can't trust the compiler software
    either....)


    > My major reason for looking into this is in the event that one of our
    > consultants has a laptop stolen, and someone might be able to retrieve
    > clients confidential information from the hard disk.


    Which is something those packages WILL protect you against, provided
    the user didn't stick a post-it with the password to his laptop.

    And even then, some packages (SGE, for example) allow you to require
    authentication with a USB token (Alladin eToken, for SGE) instead of
    username/password - which of course would mean that you have to teach
    the user NOT to carry the token in the laptop bag ;-)



    Juergen Nieveler
    --
    Fabricati diem, Pvnc!
    Juergen Nieveler, Jul 13, 2007
    #7
  8. Saqib Ali

    Sebastian G. Guest

    Juergen Nieveler wrote:


    >>> Hm... what about actual security? In terms of encryption this means
    >>> to only Open Source software, due to a matter of trust and
    >>> verification of the implementation. CompuSec has already been
    >>> mentioned. SafeGuard Easy has been proven to be horrible insecure,
    >>> f.e. not properly locking memory regions and then letting the keys
    >>> being swapped out.

    >
    > Which is totally and utterly meaningless in a switched-off laptop, which
    > is what SGE is designed to protect. All full-disc-encryption packages
    > have the "weakness" that they allow data to be accessed when the laptop
    > is on (even any Linux implementation) - after all, that's what they're
    > designed for.



    It was one example from the non-FDE products from Ultimaco provides. Over
    the years we've seen many such implementation errors, and one really can't
    reasonably trust the vendor for now having created a proper implementation.

    >(that of course was compiled by a


    > self-written compiler, as you can't trust the compiler software
    > either....)



    The issue about checking the correctness of the implementation. That means
    not just the cipher, but also the key management (including key creation and
    key destruction) and the rest (f.e. that it doesn't store a backup of the
    key somewhere else). Didn't we learn something from PGP 5.x?
    Sebastian G., Jul 13, 2007
    #8
  9. "Sebastian G." <> wrote:

    > The issue about checking the correctness of the implementation. That
    > means not just the cipher, but also the key management (including key
    > creation and key destruction) and the rest (f.e. that it doesn't store
    > a backup of the key somewhere else). Didn't we learn something from
    > PGP 5.x?


    AFAIK the BSI checked SGE before allowing the Bundeswehr to use it for
    confidential documents, and so did NATO.

    Of course, it all depends on your personal level of paranoia - even if
    a product is secure enough to encrypt state secrets and
    multi-billion-dollar trade information, is it secure enough for you? ;-)

    Juergen Nieveler
    --
    Ignore previous cookie
    Juergen Nieveler, Jul 13, 2007
    #9
  10. Saqib Ali

    Sebastian G. Guest

    Juergen Nieveler wrote:

    > "Sebastian G." <> wrote:
    >
    >> The issue about checking the correctness of the implementation. That
    >> means not just the cipher, but also the key management (including key
    >> creation and key destruction) and the rest (f.e. that it doesn't store
    >> a backup of the key somewhere else). Didn't we learn something from
    >> PGP 5.x?

    >
    > AFAIK the BSI checked SGE before allowing the Bundeswehr to use it for
    > confidential documents, and so did NATO.


    >


    > Of course, it all depends on your personal level of paranoia - even if
    > a product is secure enough to encrypt state secrets and
    > multi-billion-dollar trade information, is it secure enough for you? ;-)


    Two words: Microsoft Windows
    Sebastian G., Jul 13, 2007
    #10
  11. Saqib Ali

    Ari Guest

    On Mon, 09 Jul 2007 05:56:31 -0000, Saqib Ali wrote:

    > Please consider the following when voting:
    > 1. Easy of use


    Truecrypt

    > 2. Transparency to the user


    Truecrypt

    > 3. Directory integration (e.g. integration with Active Directory or
    > LDAP)


    Truecrypt

    > 4. Key Management (Backup, recovery, archiving)


    Truecrypt

    > 5. Password recovery


    Why the hell would I want that?

    > 6. Cost


    Free OK? Truecrypt

    > 7. User Interface


    Truecrypt

    > 8. Reliability


    Truecrypt

    > 9. Performance


    Truecrypt

    > 10. Overall Functionality


    Truecrypt
    Ari, Jul 21, 2007
    #11
  12. Ari <> wrote:

    >> 10. Overall Functionality

    >
    > Truecrypt


    Except that we're talking about FULL disk encryption

    Juergen Nieveler
    --
    Superoxymoron: Government worker
    Juergen Nieveler, Jul 23, 2007
    #12
  13. Saqib Ali

    ric Guest

    On Jul 23, 10:08 am, Juergen Nieveler
    <> wrote:
    > Ari <> wrote:
    > >> 10. Overall Functionality

    >
    > > Truecrypt

    >
    > Except that we're talking about FULL disk encryption
    >
    > Juergen Nieveler
    > --
    > Superoxymoron: Government worker


    I'd bring to the table Pointsec - we use this and it's good and scales
    to the enterprise for key recovery etc, and also potentially MS
    Bitlocker in Vista. Not used the latter, obviously treat with
    caution, but it does seem to be ticking the boxes so far from brief
    conversations with our architects...
    ric, Jul 24, 2007
    #13
  14. Saqib Ali

    Ari Guest

    On 23 Jul 2007 09:08:45 GMT, Juergen Nieveler wrote:

    > Ari <> wrote:
    >
    >>> 10. Overall Functionality

    >>
    >> Truecrypt

    >
    > Except that we're talking about FULL disk encryption
    >
    > Juergen Nieveler


    In-excluding OS?
    Ari, Jul 24, 2007
    #14
  15. ric <> wrote:

    > I'd bring to the table Pointsec - we use this and it's good and scales
    > to the enterprise for key recovery etc, and also potentially MS
    > Bitlocker in Vista. Not used the latter, obviously treat with
    > caution, but it does seem to be ticking the boxes so far from brief
    > conversations with our architects...


    Haven't been able to verify it (I only have Vista Home Premium), but
    I've heard that Bitlocker only encrypts the system partition, not any
    additional partitions.

    Can anybody confirm or deny this?

    Juergen Nieveler
    --
    Your vehicle will go NMC right after the contact team leaves the AO.
    Juergen Nieveler, Jul 24, 2007
    #15
  16. Ari <> wrote:

    >>> Truecrypt

    >>
    >> Except that we're talking about FULL disk encryption
    >>

    >
    > In-excluding OS?


    Excluding the OS is a bad idea IMHO.

    It is often argued that encrypting known files is bad because of known-
    plaintext-attacks, however not encrypting the system partition allows
    an attacker to inject files while the machine is not running.

    Simply mount the HD on another machine, put the files onto the disk,
    and make sure that the files are run on startup by putting a link into
    the startup-folder of the user profile.

    Juergen Nieveler
    --
    Life is a sexually transmitted and terminal disease
    Juergen Nieveler, Jul 24, 2007
    #16
  17. Saqib Ali

    Ari Guest

    On 24 Jul 2007 19:12:49 GMT, Juergen Nieveler wrote:

    > Ari <> wrote:
    >
    >>>> Truecrypt
    >>>
    >>> Except that we're talking about FULL disk encryption
    >>>

    >>
    >> In-excluding OS?

    >
    > Excluding the OS is a bad idea IMHO.
    >
    > It is often argued that encrypting known files is bad because of known-
    > plaintext-attacks, however not encrypting the system partition allows
    > an attacker to inject files while the machine is not running.


    Fair enough.

    > Simply mount the HD on another machine, put the files onto the disk,
    > and make sure that the files are run on startup by putting a link into
    > the startup-folder of the user profile.
    >
    > Juergen Nieveler


    Please repeat, I missed the point, Thx for the info.
    Ari, Jul 25, 2007
    #17
  18. I hate to blow my own trumpet but have you thought about SafeBoot
    (www.safeboot.com)?

    In my biased opinion it works better than the other products you're
    looking at - for only 20 machines you'll not need some of the more
    advanced stuff like AD integration, webhelpdesk etc, but you might
    find those features technically interesting.

    S.

    On Jul 24, 9:58 pm, Ari <> wrote:
    > On 24 Jul 2007 19:12:49 GMT, Juergen Nieveler wrote:
    >
    > > Ari <> wrote:

    >
    > >>>> Truecrypt

    >
    > >>> Except that we're talking about FULL disk encryption

    >
    > >> In-excluding OS?

    >
    > > Excluding the OS is a bad idea IMHO.

    >
    > > It is often argued that encrypting known files is bad because of known-
    > > plaintext-attacks, however not encrypting the system partition allows
    > > an attacker to inject files while the machine is not running.

    >
    > Fair enough.
    >
    > > Simply mount the HD on another machine, put the files onto the disk,
    > > and make sure that the files are run on startup by putting a link into
    > > the startup-folder of the user profile.

    >
    > > Juergen Nieveler

    >
    > Please repeat, I missed the point, Thx for the info.
    SafeBoot Simon, Jul 25, 2007
    #18
  19. Saqib Ali

    Ari Guest

    On Wed, 25 Jul 2007 13:23:22 -0000, SafeBoot Simon wrote:

    > I hate to blow my own trumpet but


    You really don't hate too?
    Ari, Jul 25, 2007
    #19
  20. On Jul 25, 11:56 am, Ari <> wrote:
    > On Wed, 25 Jul 2007 13:23:22 -0000, SafeBoot Simon wrote:
    > > I hate to blow my own trumpet but

    >
    > You really don't hate too?


    It galls me to have to lower myself to marketing.. but hey, whatever
    helps.. ;-)
    SafeBoot Simon, Jul 27, 2007
    #20
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Tim Weaver

    Full Disk Encryption - Anyone Tried These?

    Tim Weaver, Jun 13, 2004, in forum: Computer Security
    Replies:
    6
    Views:
    2,674
    Frode
    Jun 14, 2004
  2. Saqib Ali
    Replies:
    24
    Views:
    2,913
    sam.weiner1
    Dec 16, 2009
  3. Saqib Ali
    Replies:
    22
    Views:
    1,225
    Ertugrul Soeylemez
    Jan 5, 2007
  4. gojlt2

    full disk encryption "Backup"

    gojlt2, Aug 8, 2008, in forum: Computer Security
    Replies:
    3
    Views:
    598
    Juergen Nieveler
    Aug 12, 2008
  5. feenberg

    UEFI and full-disk-encryption

    feenberg, Jan 7, 2012, in forum: Windows 64bit
    Replies:
    4
    Views:
    5,546
    feenberg
    Jan 8, 2012
Loading...

Share This Page