Educause Security Discussion mailing list archives
Re: Laptop encryption
From: Paul Keser <pkeser () STANFORD EDU>
Date: Fri, 5 Oct 2007 11:30:25 -0700
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 One of our Sysadmins is experimenting with the seagate solution. So far he likes it, no noticeable performance hit. I like the fact that it is OS agnostic. We are also experimenting with EFS for windows and TrueCrypt for Linux & Windows. We haven't been able to find 1 vendor to support all 3 platforms yet, even PGP is only officially supporting Mac & Win these days...and not even the boot disk on Mac. I really wish they would port TrueCrypt to Mac. I also like forcefield for managing TrueCrypt on Linux. I still have not been sold on whole disk encryption. Encrypting the OS makes sys admining the box that much more complex and the potential for disaster is too great...I think I'd rather have the os in the clear so it is easier to integrity check. JMHO... - -PaulK Paul Keser Assoc. Information Security Officer Stanford University 650.724.9051 GPG Fingerprint: DBA3 E20F CE91 28AA DA1C 4A77 3BD9 C82D 2699 24FB David Taylor wrote:
There is also the Seagate drive that does whole disk encryption. It also takes most of the performance hit since most of the processing is done on the drive hardware. Has anyone had any experience with these? I think they just hit the market recently. http://www.pcworld.com/businesscenter/article/129734/seagate_ships_supersecure_hard_disk_drive.html ------------------------------- David Taylor University of Pennsylvania Office of Information Security 215-898-1236 ------------------------------- -----Original Message----- From: O'Callaghan, Daniel [mailto:Daniel.OCallaghan () SINCLAIR EDU] Sent: Friday, October 05, 2007 10:33 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] Laptop encryption1. What is your current practice:We looked at laptop encryption about 2 years ago and decided the resource hit, risk of data loss, key management, and user-related issues were significant enough that we could not support 'mandating' across the board. We opted for mandating the use of drive locking technology (HP DriveLock) for all College-owned administrative (ie faculty & staff) laptops. DriveLock essentially uses the TPM chip which prevents the drive from booting/initializing until the password is entered, even if the drive is removed & inserted in another device, it will not boot. College policy requires all laptop purchases be coordinated with and processed by IT. When the machine arrives on campus, IT sets the 'master' DriveLock password and the owner sets the user password on delivery. We initially met user resistance to this 'extra' password requirement, but have overcome a lot of it by also allowing users to implement the stored credentials (essentially a password vault) feature offered by the machines. A caveat is that users must be taught to power-down, not just hibernate, the laptop when traveling as DriveLock only works at powerup.2. What is your desired practice if you do not use encryption onlaptops Our Acceptable Use Policy does state that all personal identifying information stored on local devices, portable devices, or removable media must be encrypted or redacted. We offer user training on using WinZip, AxCrypt, and Truecrypt for encryption of individual files or folders. We do realize that this DriveLock is essentially technology enhanced "security by obscurity" and is not a perfect solution, but think it is a pretty good solution based on risk/usability. Our legal counsel opines that if a user (who doesn't follow the AUP encryption requirement) loses a laptop containing personal information, DriveLock "might" provide a defense under the "data elements unreadable" definition of Ohio's data breach notification law...but we are really hoping we do not have the opportunity to find out. ________________________________________________ Daniel V. O'Callaghan, Jr., MBA, CISSP Chief Information Security Officer Sinclair Community College 444 West Third Street, 14-324 Dayton, Ohio 45402-1460 937-512-2452 Fax 937-512-3124 daniel.ocallaghan () sinclair edu
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFHBoLBO9nILSaZJPsRAt4bAJ9ZgxXjNQAP/pZk1ZXMI3JQEpZedwCfTfoO 2KZVZ1yCfoT/+arAEex65nQ= =6wY3 -----END PGP SIGNATURE-----
Current thread:
- Re: Laptop encryption, (continued)
- Re: Laptop encryption Gary Flynn (Oct 05)
- Re: Laptop encryption Harold Winshel (Oct 05)
- Re: Laptop encryption Matthew Gracie (Oct 05)
- Re: Laptop encryption O'Callaghan, Daniel (Oct 05)
- Re: Laptop encryption David Taylor (Oct 05)
- Re: Laptop encryption David Seidl (Oct 05)
- Re: Laptop encryption Gary Flynn (Oct 05)
- Re: Laptop encryption Jim Dillon (Oct 05)
- Re: Laptop encryption David Taylor (Oct 05)
- Re: Laptop encryption Sarah Stevens (Oct 05)
- Re: Laptop encryption Paul Keser (Oct 05)
- Re: Laptop encryption Curt Wilson (Oct 05)
- Re: Laptop encryption Dennis Tracz (Oct 05)
- Re: Laptop encryption Dennis Tracz (Oct 05)
- Re: Laptop encryption Jeff Holden (Oct 05)
- Re: Laptop encryption Bob Ono (Oct 05)
- Re: Laptop encryption Harold Winshel (Oct 05)
- Re: Laptop encryption Paul Keser (Oct 05)
- Re: Laptop encryption Sarah Stevens (Oct 05)
- Re: Laptop encryption Eric Case (Oct 05)
- Re: Laptop encryption Harold Winshel (Oct 07)
(Thread continues...)