Security Basics mailing list archives

Re: Re: It's a Presidential Mandate, Feds use it. It is Free. How come you are not using FDE?


From: levinson_k () securityadmin info
Date: 17 Jan 2007 20:43:03 -0000

I (and others) couldn't disagree more about full disk encryption being a waste of time.  Encrypting just certain 
folders means that the user is at risk of saving sensitive data to other non-encrypted folders, and the OS might save 
sensitive data to temp folders and other files.

I disagree about that approach being the simplest.  For that approach to be secure, users have to be trained to follow 
policy.  User training (and the resulting support questions) costs money, and is usually far less than 100% reliable.  
If they don't, the security may be compromised.  Every lost laptop might result in doubt as to whether or not the 
sensitive files were stored in a way so that they are encrypted.

I'm not sure what you mean about OS files being encrypted already.  They are not, at least not in a way that prevents 
an attacker with physical possession of the system from cracking the system.  The security of file encryption depends 
on the file encryption solution you choose, how it is set up, and how and where it stores private keys.  In many cases, 
if you don't encrypt the entire hard drive, the attacker can potentially attack the SAM, the user profiles, keyring 
files or other locations where private key information is stored.

kind regards,

Karl Levinson
http://securityadmin.info

