[unisog] Full disk encryption packages -- summary
Russell Fulton
r.fulton at auckland.ac.nz
Sat Dec 22 20:11:56 GMT 2007
I got a few replies to my 'survey', not enough to produce anything
statistically valid, but still interesting.
Windows:
I got one institution using PGP Desktop with tokens for key storage,
three using PGP full disk encryption (FDE). Both of these are
commercial packages from PGP.
All of the respondents were happy with the products, including ease of
set up, subsequent administration and end user experience. Both have
enterprise type features like key escrow but no one admitted using them.
Both also allow one to encrypt removable devices, but this is not
transparent. That is, you need to explicitly encrypt the device and
type a password whenever you mount it.
One respondent pointed out that the full disk product also handles
dirty shutdowns (the desktop product presumably does too).
All the Windows responses were for PGP products. Somewhat telling, I
think, so we will probably go with PGP on the Windows front.
Macs:
No one responded to say they were using encryption on Macs, so I spent
a while doing my own research and asking the major Mac users here on
campus.
First off, PGP FDE works on Macs but does not encrypt boot partitions.
It can however be used to encrypt removable devices -- this could
still be useful to handle the movement of encrypted USB devices
between Macs and PCs. Recent versions of MacOS come with FileVault,
which can encrypt the boot disk or individual folders. Some admins
here have had administrative problems with machines using FileVault --
maybe 10.5 is better? The other potential downside of FileVault is
that it uses the keychain and is thus ultimately dependent on the
strength of the login credentials.
I use a Mac laptop running 10.5 and I think I'll give FileVault a try
and see how it goes...
One group is using encrypted disk images -- you get prompted for a
password when you mount them. Like encrypted folders these suffer
from the problem that stuff may get left in temporary files etc.
Whether or not these are adequate depends on just how sensitive the
data you are trying to protect is and whether you are trying to
protect against targeted attack or unintentional disclosure through
loss of the machine.
On the removable media front we are also looking at encrypted USB
keys -- I'll write a separate post on that. Suffice to say here that
there is at least one good solution out there and that this may well
solve the issue of removable media for Macs.
Linux:
As mentioned above, I had one respondent using Linux who is using "LUKS
on Debian Etch". He was generally happy with the solution but
reported problems with the encryption interfering with the general
administration of the machine. They had not tried encrypting
removable devices.
Thanks to those who responded.
Russell