Educause Security Discussion mailing list archives
Re: Laptop encryption
From: Sarah Stevens <sarah () STEVENS-TECHNOLOGIES COM>
Date: Fri, 5 Oct 2007 10:33:11 -0700
This could possibly take this conversation in a completely different direction, but have you seen the article on slashdot about whole disk encryption? Here is a segment of the article, reproduced from Slashdot (in case you do not feel comfortable following the link):

"PGP Corporation's widely adopted Whole Disk Encryption product <http://www.pgp.com/products/wholediskencryption/index.html> apparently has an encryption bypass feature <http://securology.blogspot.com/2007/10/pgp-whole-disk-encryption-barely.html> that allows an encrypted drive to be accessed without the boot-up passphrase challenge dialog, leaving data in a vulnerable state if the drive is stolen when the bypass feature is enabled. The feature is also apparently not in the documentation that ships with the PGP product, nor the publicly available documentation on their website, but only mentioned briefly in the customer knowledge base. Jon Callas, CTO and CSO of PGP Corp., responded <http://securology.blogspot.com/2007/10/pgp-whole-disk-encryption-barely.html#comment-7822943064091432904> that this feature was required by unnamed customers and that competing products have similar functionality."

Here is the link to the article: http://it.slashdot.org/article.pl?sid=07/10/04/1639224

Sarah Stevens
Stevens Technologies, Inc
Charlotte, NC 28227

________________________________
From: David Taylor [mailto:ltr () ISC UPENN EDU]
Sent: Fri 10/5/2007 10:12 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Laptop encryption

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That was very helpful information. Much appreciated. We have just formed a team to look at whole disk encryption for laptops with sensitive data on them and had this on the list to look at.

- -------------------------------
David Taylor
University of Pennsylvania
Office of Information Security
215-898-1236
- -------------------------------

_____________________________________________
From: David Seidl [mailto:dseidl () ND EDU]
Sent: Friday, October 05, 2007 10:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Laptop encryption

* PGP Signed by an unverified key: 10/05/07 at 10:54:38

Seagate did a lunch and learn on these at the SANS Network Security conference - I'd like to get a chance to look at one myself. Here's what I have in my notes from their presentation:

There are a few caveats right now:

1) The drives are 5400 RPM older generation drives only - they noted that they were adding encryption to existing platforms rather than cutting edge devices - thus the lower rotational speed and the 1.5 Gbps SATA rather than 3.0 Gbps SATA interface.
2) They are not FIPS certified (as a device)
3) Only 2.5" drives are currently available, so this isn't a viable desktop solution yet.

There are currently two third parties who provide management interfaces for the drive encryption. If you scale to any great degree, you'll want to purchase the management software in addition to the drives. Seagate claimed that the cost with management software was still lower than full drive encryption and management software that is currently available.

One of my concerns - albeit a relatively minor one at the moment - was that the firmware that boots them is (from their description) basically a Linux mini-kernel which accepts user input in the form of a passphrase to unlock the drive. The Seagate staffers at the conference said that there was currently no patching method if vulnerabilities were found in the mini-kernel. I'd hate to have vulnerable or exploitable disk drives on top of everything else.

David
- ------------------------------------------------------------
David Seidl, CISSP
University of Notre Dame, Office of Information Technologies

David Taylor wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is also the Seagate drive that does whole disk encryption. It also takes most of the performance hit since most of the processing is done on the drive hardware. Has anyone had any experience with these? I think they just hit the market recently.

http://www.pcworld.com/businesscenter/article/129734/seagate_ships_supersecure_hard_disk_drive.html

- -------------------------------
David Taylor
University of Pennsylvania
Office of Information Security
215-898-1236
- -------------------------------

* David Seidl <dseidl () nd edu>
* Issuer: Thawte Consulting (Pty) Ltd. - Unverified

-----BEGIN PGP SIGNATURE-----
Version: 9.6.3 (Build 3017)

wj8DBQFHBnBmrFOwyUiOUlwRAvSgAJ9U9qbrc9I8J2WTmsxyDuGYcFCmkQCfQFUY
6FtYA1GfEzh7WDMlcocTxqc=
=aELh
-----END PGP SIGNATURE-----