[unisog] Full disk encryption packages -- summary

Russell Fulton r.fulton at auckland.ac.nz
Sat Dec 22 20:11:56 GMT 2007


I got a few replies to my 'survey', not enough to produce anything
statistically valid but still interesting.

Windows:

I got one institution using PGP Desktop with tokens for key storage,  
three using PGP full disk encryption (FDE).  Both of these are  
commercial packages from PGP.

All of the respondents were happy with the products, including ease of  
set up, subsequent administration and end user experience.  Both have  
enterprise type features like key escrow but no one admitted using them.

Both also allow one to encrypt removable devices but this is not
transparent.  That is, you need to explicitly encrypt the device and
type a password whenever you mount it.

One respondent pointed out that the full disk product also handles  
dirty shutdowns (the desktop product presumably does too).

All the Windows responses were for PGP products.  Somewhat telling, I
think, so we will probably go with PGP on the Windows front.

Macs:

No one responded to say they were using encryption on Macs so I spent
a while doing my own research and asking the major Mac users here on
campus.

First off PGP FDE works on Macs but does not encrypt boot partitions.   
It can however be used to encrypt removable devices -- this could  
still be useful to handle the movement of encrypted USB devices  
between Macs and PCs.  Recent versions of MacOS come with FileVault  
which can encrypt the boot disk or individual folders.  Some admins  
here have had administrative problems with machines using FileVault --
maybe 10.5 is better?  The other potential downside of FileVault is  
that it uses the keychain and is thus ultimately dependent on the  
strength of the login credentials.

I use a Mac laptop running 10.5 and I think I'll give FileVault a try
and see how it goes...

One group is using encrypted disk images -- you get prompted for a  
password when you mount them.  Like encrypted folders these suffer  
from the problem that stuff may get left in temporary files etc.   
Whether or not these are adequate depends on just how sensitive the
data you are trying to protect is and whether you are trying to
protect against targeted attack or unintentional disclosure through
loss of the machine.

On the removable media front we are also looking at encrypted USB
keys -- I'll write a separate post on that.  Suffice to say here that  
there is at least one good solution out there and that this may well  
solve the issue of removable media for Macs.

Linux:

As mentioned above I had one respondent using Linux who is using "LUKS  
on Debian Etch".  He was generally happy with the solution but  
reported problems with the encryption interfering with the general  
administration of the machine.  They had not tried encrypting  
removable devices.

Thanks to those who responded.

Russell








