[unisog] Encryption and key escrow.
docbook.xml at gmail.com
Fri May 2 17:57:36 GMT 2008
In addition to issues you already mentioned there could be legal
issues as well. Remember a digital record is not just a digital record
- it is potential evidence in a lawsuit. And if the that digital
record is encrypted without you having the capability to decrypt it,
you could get in trouble.
If you advise the users to use truecrypt (or similar), you may be held
liable to decrypt it in case of investigation. If they do it on their
own i.e. without your knowledge, then you are no longer responsible.
Best thing is it to look for a key management solutions.
On Fri, May 2, 2008 at 10:16 AM, John C. Gale <john_gale at uncg.edu> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> We have not currently implemented an Enterprise drive/container
> encryption product. We'd like to get there, but until we can we are
> considering telling savvy users to use something like truecrypt. The
> user would be responsible for his own key and there would be no official
> escrow. I am aware of the challenges (user forgets password, user is
> hit by a bus, data is lost, etc), but there are instances (perhaps even
> broadly) where encrypting a drive is a good idea even if key management
> is left completely up to the user.
> My question is anyone doing this unofficially or officially in their
> organizations (not you personally) to fill specific needs? Is it
> discouraged, ignored, encouraged or perhaps even supported for users in
> your organization?
> Feel free to respond to me directly and I will summarize for the list.
> - --
> After all, all he did was string together a lot of old, well-known
> -- H. L. Mencken, on Shakespeare
More information about the unisog