Educause Security Discussion mailing list archives

Re: Laptop encryption experiences


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Mon, 15 Nov 2010 17:20:31 -0500

On Mon, 15 Nov 2010 15:34:55 CST, Rich Graves said:
And don't forget that "suspend" or "hibernate" is *not* a power-off.  This
is particularly important for those laptop users who almost always suspend,
and only actually power off or reboot every few months, if at all.

If your encryption suite synchronizes passwords with login passwords, which
is true of most; and if you effectively enforce a policy of lock-on-sleep;
then I'm not sure how much real difference there is.

It's the not-locked-on-sleep case that will burn you.  If you can use GPO or
similar to *force* it, you're probably OK.  The problem starts with laptops
that are under the user's administrative control, not your centralized IT's
control. Then the clever-sheep user has the opportunity to disable
lock-on-sleep without realizing the full security ramifications...

(Go ahead - admit it. You have users that would do that if they could)
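
The distinction drawn above, between lock-on-sleep forced by GPO and lock-on-sleep left to the user, can be audited per machine. The following is an added example, not part of the original message. It assumes a Windows laptop where the "Require a password when a computer wakes" policy is stored under the machine power-policy registry key for the CONSOLELOCK setting; the function name `Get-LockOnWakePolicy` is hypothetical.

```powershell
# Added example: report whether "require a password on wake" is forced by
# machine policy (what a GPO writes) or left to the user's own power plan.
# Assumption: policy values for the CONSOLELOCK power setting live under
# HKLM\SOFTWARE\Policies\Microsoft\Power\PowerSettings\<setting GUID>.
$ConsoleLock = '0e796bdb-100d-47d6-a2d5-f7d2daa51f51'
$PolicyKey   = "HKLM:\SOFTWARE\Policies\Microsoft\Power\PowerSettings\$ConsoleLock"

function Get-LockOnWakePolicy {
    param([string]$Path = $PolicyKey)

    # Default: no policy present, so the user's power plan decides.
    $result = [ordered]@{ OnAC = 'NotConfigured'; OnBattery = 'NotConfigured' }

    if (Test-Path -LiteralPath $Path) {
        $props = Get-ItemProperty -LiteralPath $Path
        foreach ($pair in @(@('OnAC', 'ACSettingIndex'), @('OnBattery', 'DCSettingIndex'))) {
            $value = $props.($pair[1])
            if ($null -ne $value) {
                # 1 = password required on wake, 0 = policy explicitly turns it off
                $result[$pair[0]] = if ($value -eq 1) { 'Enforced' } else { 'DisabledByPolicy' }
            }
        }
    }
    [pscustomobject]$result
}

$state = Get-LockOnWakePolicy
$state | Format-List

# Flag the case the thread warns about: nothing forces the lock on resume.
if ($state.OnAC -ne 'Enforced' -or $state.OnBattery -ne 'Enforced') {
    Write-Warning 'Lock-on-wake is not forced by policy; the user-controlled power plan decides.'
    exit 1
}
```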
