Educause Security Discussion mailing list archives
Re: Laptop encryption
From: Curt Wilson <curtw () SIU EDU>
Date: Fri, 5 Oct 2007 15:11:21 -0500
Dennis Tracz wrote:
Hello all, I am new to this list so please forgive me if this topic has already been covered. I am interested in knowing, what is the common practice for Laptop encryption, specifically:
1. What is your current practice:
a. Do you use encryption on laptops (for laptops you administer)
No central policy; I'm using it on my own systems.
b. Do you encrypt the entire hard drive or selected folders, i.e. (My Documents)
Currently, selected folders. Future: whole disk encryption at least for mobile systems.
c. Do you use a commercial product or EFS
I'm using mostly TrueCrypt, although I have played with PGP, and intend to analyze the Pointsec solution offered through Entrust in the near future. I've heard that EFS has some holes in that an administrator acct is automatically a key recovery agent and if you can boot into the system with a Linux boot disk and re-create the admin account and reboot you've got yourself a nice key recovery attack for EFS. NOTE: I did not test this; this is based on some reading and some investigation done by an employee here on my team.
e. If encryption is used is it automatically configured (for laptops you administer) or do users have a choice
Don't know yet.
2. What is your desired practice if you do not use encryption on laptops
Wrap laptop in lead and make sure Superman doesn't show up with his X-ray vision.
a. Is this something you are wanting, attempting or not wishing to do?
wanting
b. Would you encrypt the entire hard drive or selected folders, i.e. (My Documents)
TrueCrypt: create a virtual container; doesn't handle temp files well unless you make the temp file directory a virtual container also, not sure how that would work... for laptops: full disk eventually
c. Would you use a commercial product or EFS?
commercial app or maybe EFS/Bitlocker on Vista with TPM. Haven't tested yet.
d. Would you automatically encrypt (for laptops you administer) or would you let your users have a choice?
Depends upon role and sensitivity.
Any insight is greatly appreciated.
I agree :) Thanks in advance
--
Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale
618-453-6237
GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc