Educause Security Discussion mailing list archives

Re: Laptop encryption


From: Curt Wilson <curtw () SIU EDU>
Date: Fri, 5 Oct 2007 15:11:21 -0500

Dennis Tracz wrote:
Hello all,

I am new to this list so please forgive me if this topic has already
been covered.
I am interested in knowing what the common practice is for laptop
encryption, specifically:

1.  What is your current practice:
   a.  Do you use encryption on laptops (for laptops you administer)

No central policy; I'm using it on my own systems.


   b.  Do you encrypt the entire hard drive or selected folders, i.e. (My
Documents)

Currently, selected folders. Future: whole disk encryption at least for
mobile systems.

   c.  Do you use a commercial product or EFS

I'm using mostly TrueCrypt, although I have played with PGP, and intend to
analyze the Pointsec solution offered through Entrust in the near
future. I've heard that EFS has some holes in that an administrator acct
is automatically a key recovery agent, and if you can boot into the
system with a Linux boot disk and re-create the admin account and reboot,
you've got yourself a nice key recovery attack for EFS. NOTE: I did not
test this; this is based on some reading and some investigation done by
an employee here on my team.

   e.  If encryption is used is it automatically configured (for laptops
you administer) or do users have a choice

Don't know yet.

  2.  What is your desired practice if you do not use encryption on laptops

Wrap laptop in lead and make sure Superman doesn't show up with his
X-ray vision.


a.  Is this something you are wanting, attempting or not wishing to do?

wanting


b.  Would you encrypt the entire hard drive or selected folders, i.e. (My
Documents)

TrueCrypt: create a virtual container; doesn't handle temp files well
unless you make the temp file directory a virtual container also, not
sure how that would work... for laptops: full disk eventually

c.  Would you use a commercial product or EFS?

commercial app or maybe EFS/BitLocker on Vista with TPM. Haven't tested yet.

d.  Would you automatically encrypt (for laptops you administer) or
would you let your users have a choice?

Depends upon role and sensitivity.


Any insight is greatly appreciated.

I agree :)

 Thanks in advance



--
Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale
618-453-6237

GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc
