Re: Laptop encryption experiences

[randy marchany <marchany () VT EDU>]

I've mentioned this before but it seems appropriate to mention again since
this thread has reappeared.

1. Whole disk encryption (WDE) aka Full Disk Encryption (FDE) only protects
your data if a) the system has been
    powered off b) an unauthorized person is trying to boot up your system
c) someone steals the drive & is
    trying to boot it up.

2. WDE/FDE will not protect your sensitive data if an application or user is
able to access your "sensitive"
    files. This means you have to carefully control the
read/write/modify/delete permissions on your files.
    If you download a piece of malware and it executes, it will run with
your perms and will be able to access
    any of the files you can access. Web based malware (code that gets
downloaded and executed on your
    system) is the major threat vector.

Does this mean you shouldn't use it? No, it's still a very important
component. However, you do need additional encryption controls to really
ensure you're protecting the sensitive files on your computer. I have some
more thoughts on this at
http://randymarchany.blogspot.com/2010/05/securing-sensitive-data-issues.html

Just my .02.

Randy Marchany
VA Tech IT Security Office & Lab