Security Basics mailing list archives

RE: FDE solution for laptops


From: "Mason, Samuel" <SMason () mt gov>
Date: Mon, 25 Feb 2008 11:08:32 -0700


I tested a few solutions and chose Mobile Armor's Data Armor for my solution. It's got a good centralized management 
console for updates and password changes.

You can decrypt the drive as well but it isn't what you'd call "easy"... which, considering what you are doing, isn't 
such a bad thing. Only certain accounts can decrypt the device and remove the software, depending on how you have the 
policy set up.

One note: if you are off the network with this product, ensure they do not hook up to another network prior to logging
in to the Data Armor login at boot. It will attempt to authenticate to the central server and, with it missing, will 
take a long time to fail and use the cached password.


PS-
I'm sure everyone's heard of the recent paper (by Princeton) regarding FDE and keys stored in DRAM. If not, it is an
interesting read:
http://www.nytimes.com/2008/02/22/technology/22chip.html?_r=1&oref=slogin
...among other places. I'm not trying to raise a scare or imply FDE is useless, mind you, just passing on info.

Samuel Mason CISSP, GCFA


--------------------------------------------------
From: "ыфзкфт" <sapran () gmail com>
Sent: Wednesday, February 20, 2008 9:47 AM
To: <security-basics () securityfocus com>
Subject: FDE solution for laptops

Hi list!

I am in search of a solution for full disk encryption. The main goal
is to protect data stored on travelling managers' laptops from loss
and/or theft of the device.

I had tried the shiny new TrueCrypt 5 with system drive/partition
encryption, but it made an OEM XP boot into safe mode only, so I guess
that's not the right choice.

I will appreciate any help on the topic.

Here come some details:
1) We use mostly Dells: Inprisons, Inspirons and Vostros.
2) The encryption must be easily recoverable using a rescue CD/DVD or something.

--
sapran


