[unisog] Drive Encryption

John Ladwig jladwig at mango.lioness.net
Wed Feb 15 20:35:42 GMT 2006


On Wed, Feb 15, 2006 at 11:37:01AM -0600, Stejerean, Cosmin wrote:
> I have been using TrueCrypt to create encrypted volumes and protect all
> critical data on my laptop, desktop and portable USB drives. And if
> you're worried about rubber hose 'cryptanalysis' the encrypted volume
> inside an encrypted volume (named hidden volume by TrueCrypt) is really
> great.

I'm much more worried about unintentional shredding of data via loss
of access to keying materials or suchlike.  And I'm particularly
concerned about that across the usual sort of population of
computer-using information workers who are *not* particularly
security-aware or -friendly. 

For quite some time I've seen reports of "We went through a product
selection process and have just decided to deploy X," or "We just ran
a small pilot with product Y, and we're going to deploy it," but I've
yet to encounter anyone who can discuss failure and pain rates for
general user populations larger than ten or so.  I'd like to see how
it worked out across a few password-update cycles, especially if it's
file-based encryption.  Or access to files in the case of an adverse
termination or death of an employee.  Access to historical data seems
particularly at risk. 

I do know of the seminal paper "Why Johnny Can't Encrypt" by Whitten
and Tygar, but that is PGP5-specific and thus not as relevant as I'd
like on the topic of file or whole-disk or home-directory encryption. 

Can anyone help on that?  Maybe a user population of 1,000 to 10,000
and a deployed product duration of 18 to 24 months?  With verified
access to data created at the beginning of the period?

    -jml

> -----Original Message-----
> From: unisog-bounces at lists.sans.org
> [mailto:unisog-bounces at lists.sans.org] On Behalf Of Michael Holstein
> Sent: Wednesday, February 15, 2006 9:37 AM
> To: UNIversity Security Operations Group
> Subject: Re: [unisog] Drive Encryption
> 
> I highly recommend TrueCrypt (www.truecrypt.org). It's free, and easy to
> use.
> 
> Cheers,
> 
> Michael Holstein CISSP GCIA
> Cleveland State University
> 
> Andy Johnston wrote:
> > Along these lines, does anyone have experience with drive 
> > encryption packages such as PGP Desktop?  Or anything (including  
> > EFS, if you have a policy requiring it) that uses encryption to 
> > secure stored data?
> > 
> > Has anything like this been implemented in a university setting
> > (or a part of one)?  If so, does it help and how much of a pain 
> > is it to support? 
> > 
> > Subjective opinions and hearsay appreciated.
> > 
> > Thanks,
> > 
> > - Andy

