Educause Security Discussion mailing list archives

Re: Laptop encryption experiences


From: Rich Graves <rgraves () CARLETON EDU>
Date: Tue, 16 Nov 2010 17:13:12 -0600

> Rich - one reason to consider FDE is compliance related - in
> Massachusetts, there is a regulatory requirement to encrypt
> personal data on laptops (and other portable devices) and in
> other states, if the lost/stolen laptop has been encrypted,
> then you don't need to notify

Of course. I'm only questioning the strict need to hibernate v. sleep.

Whether you sleep or hibernate, the data are encrypted. The difference lies in key management. If the key might have 
been alive in RAM at the time of theft, but had pretty robust OS-level protections, is that non-compliant? What if the 
key is stored on a TPM chip, protected by a strong PIN (or no PIN)? What if laptop is powered off but the key is on 
disk, protected by a weak password?

Clearly, best practice is to hibernate/power off and require multifactor authentication to release the key, since a 
reusable passphrase could be shoulder-surfed by a Hawaiian Hacker or hardware-keylogged by the Evil French Maid or 
Tempested by Megamind. Must that be standard practice, though?

I started out requiring hibernation, but people picked up the logon delay (especially with XP) as a rallying cry to 
fight any encryption at all. Now I don't, and people are happier, and laptop encryption is accelerating again.

Elsewhere in this thread, regarding loaner laptops:

A couple people have mentioned that they exempt loaner laptops from encryption. If the laptops could never, ever be 
used for sensitive data, that's fine; but I know that ours sometimes are. Given that software encryption from scratch 
takes several hours, I can think of three options: 1) don't re-image, but use something like revrdist to "clean"; 2) 
stock a bunch of pre-imaged hard drives and physically swap; or 3) use "self-encrypting drives" like Opal or Seagate 
Momentus. I highly recommend the last. Integral FDE hard drives can be rekeyed in seconds, at which point you simply 
re-image. No need to zero data or encrypt in software. WinMagic is one package that can capably manage both software 
and hardware FDE. There may be others.
-- 
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529

