Re: Whole Disk Encryption

["Maloney, Michael" <mmaloney () MIDDLESEXCC EDU>]

We started out using Pointsec on laptops for encryption (XP installs), and while it was great, maintaining the recovery 
keys and such was not the easiest thing to do.

With Windows 7, any laptop that gets deployed gets Bitlocker with the pre-boot pin.    As we deploy Windows 7 desktops 
to offices, they are being deployed with Bitlocker, but without the pre-boot pin.   The goal behind encrypting the 
desktops was to prevent data from leaving the college for reasons other than theft (drive replacement under warranty, 
drive removed from desktop and getting misplaced, etc etc).    

All of our hardware based Server 2008 servers are encrypted with Bitlocker as well.

We manage the recovery keys thru GPO and AD,  as well as saving each recovery key on a flash drive that is stored in 
our safe.

One  downside to FDE is any utility that boots to a CD/USB will not recognize the hard drive.   So if you have to run 
say a rescue disk from a A/V vendor to try and get rid of a virus, it won't work.  The drive will need to be decrypted 
first.   And that can be a plus,  as utilities such as the NT Password/Registry Editor can't be used to break the admin 
password and gain access to the drive if someone gets it.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Howell, 
Paul
Sent: Friday, January 13, 2012 6:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: {SPAM?} Re: [SECURITY] Whole Disk Encryption
Importance: Low


Has anyone implemented WDE across the board, for laptops AND workstations?   If so, WRT workstations, what issues have 
been encountered?  


________________________________
Paul Howell
University Chief Security Officer
Information & Infrastructure Assurance
Information and Technology Services
The University of Michigan


________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Alexander Kurt 
Keller [alkeller () SFSU EDU]
Sent: Friday, January 06, 2012 1:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption

There is a password/data recovery method, but it is process that may be prohibitively inefficient for larger 
deployments:

"We use TrueCrypt in a corporate/enterprise environment. Is there a way for an administrator to reset a volume password 
or pre-boot authentication password when a user forgets it (or loses a keyfile)?

Yes. Note that there is no "backdoor" implemented in TrueCrypt. However, there is a way to "reset" volume 
passwords/keyfiles and pre-boot authentication passwords. After you create a volume, back up its header to a file 
(select Tools -> Backup Volume Header) before you allow a non-admin user to use the volume. Note that the volume header 
(which is encrypted with a header key derived from a password/keyfile) contains the master key with which the volume is 
encrypted. Then ask the user to choose a password, and set it for him/her (Volumes -> Change Volume Password); or 
generate a user keyfile for him/her. Then you can allow the user to use the volume and to change the password/keyfiles 
without your assistance/permission. In case he/she forgets his/her password or loses his/her keyfile, you can "reset" 
the volume password/keyfiles to your original admin password/keyfiles by restoring the volume header from the backup 
file (Tools -> Restore Volume Header). "

--  http://www.truecrypt.org/faq

Alex Keller
Systems Administrator
Academic Technology, San Francisco State University ☛Burk Hall 155 ☎ (415)338-6117 ✉alkeller () sfsu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, 
MICHAEL
Sent: Friday, January 06, 2012 9:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption

The biggest drawback for us was no password recovery – lose the password, lose the data….

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Drew 
Perry
Sent: Friday, January 06, 2012 10:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption

@Aaron,

TrueCrypt is a great product for individual use. But in a larger environment, it lacks significant enterprise 
deployment tools. IT staff can back up the Volume Header of encrypted disks for central management, but it requires 
direct contact with each system. There is no support for remote management, monitoring, or maintenance. Definitely use 
it at home and in smaller environments. (For small organizations it's hard to beat the price.) But I wouldn't recommend 
it for any type of enterprise rollout.

Drew Perry
Security Analyst
Murray State University
(270) 809-4414
aperry () murraystate edu

P  Save a tree. Please consider the environment before printing this message.

On Fri, Jan 6, 2012 at 10:16 AM, Aaron S. Thompson <athompson () berklee edu> wrote:
Hi All,

Has anyone deployed or has experience with TrueCrypt?  If so are you happy with it?  Any things you would have changed 
or pitfalls?

Best,

Aaron
-
Aaron Thompson
Network Architect for IT Operations

Berklee College of Music
1140 Boylston Street, MS-186-NETT
Boston, MA 02215-3693

www.berklee.edu
617.747.8656



--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.