Educause Security Discussion mailing list archives

Re: Looking for a laptop encryption policy for institutionally-owned laptops


From: Gary Dobbins <dobbins () ND EDU>
Date: Thu, 22 Mar 2007 11:43:32 -0400

Encrypting them is easy.  Regaining authorized access when someone {forgets
their key | leaves | becomes disgruntled | etc} is not often so.

You'll want to put some thought into key escrow processes, to ensure that the
owner (your university) always has a governed means of getting to the
encrypted contents, possibly regardless of reason or circumstance.

Some commercial products provide mechanisms for managing key escrow, which is
where their value-add primarily appears.
The free stuff can be equally effective at thwarting a laptop thief - it just
doesn't necessarily give you a scalable managed recovery mechanism.


-----Original Message-----
From: HALL, NATHANIEL D. [mailto:halln () OTC EDU]
Sent: Thursday, March 22, 2007 11:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Looking for a laptop encryption policy for
institutionally-owned laptops

I just finished doing some basic research on Vista's BitLocker Drive
Encryption using Active Directory.  It seems to be pretty good, but I
did not get down to the nitty gritty to see what I could read on the
drive.

By default, it uses AES 128 with a diffuser for encryption, the TPM in
most new computers or a USB key, and can be easily scripted.  I find it
is much better than EFS because it encrypts the entire partition,
including the page file, and not just a directory that can easily be
circumvented.

If you would like a link to my presentation, please let me know and I
will send you the link after I make it publicly available.

--
Nathaniel Hall, GSEC GCFW GCIA GCIH GCFA
Network Security System Administrator
OTC Computer Networking

Office: (417) 447-7535

-----Original Message-----
From: Ardoth Hassler [mailto:hasslera () GEORGETOWN EDU]
Sent: Thursday, March 22, 2007 10:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Looking for a laptop encryption policy for
institutionally-owned laptops

Hi.... I'm in search of a sample policy that addresses encryption of
institutionally-owned laptops. Thanks in advance for sharing.

Ardoth

(Also posted this to the ICPL list so I apologize for the cross post.)

--
Ardoth A. Hassler
Associate Vice President
University Information Services
Georgetown University
Washington, DC
202-687-1973
hasslera () georgetown edu
