Educause Security Discussion mailing list archives
Re: Laptop encryption experiences
From: Rich Graves <rgraves () CARLETON EDU>
Date: Tue, 16 Nov 2010 17:13:12 -0600
> Rich - one reason to consider FDE is compliance related - in Massachusetts, there is a regulatory requirement to encrypt personal data on laptops (and other portable devices) and in other states, if the lost/stolen laptop has been encrypted, then you don't need to notify
Of course. I'm only questioning the strict need to hibernate v. sleep. Whether you sleep or hibernate, the data are encrypted. The difference lies in key management. If the key might have been alive in RAM at the time of theft, but had pretty robust OS-level protections, is that non-compliant? What if the key is stored on a TPM chip, protected by a strong PIN (or no PIN)? What if the laptop is powered off but the key is on disk, protected by a weak password?

Clearly, best practice is to hibernate/power off and require multifactor authentication to release the key, since a reusable passphrase could be shoulder-surfed by a Hawaiian Hacker or hardware-keylogged by the Evil French Maid or Tempested by Megamind. Must that be standard practice, though? I started out requiring hibernation, but people picked up the logon delay (especially with XP) as a rallying cry to fight any encryption at all. Now I don't, and people are happier, and laptop encryption is accelerating again.

Elsewhere in this thread, regarding loaner laptops: A couple people have mentioned that they exempt loaner laptops from encryption. If the laptops could never, ever be used for sensitive data, that's fine; but I know that ours sometimes are. Given that software encryption from scratch takes several hours, I can think of three options:

1) don't re-image, but use something like revrdist to "clean";
2) stock a bunch of pre-imaged hard drives and physically swap; or
3) use "self-encrypting drives" like Opal or Seagate Momentus.

I highly recommend the last. Integral FDE hard drives can be rekeyed in seconds, at which point you simply re-image. No need to zero data or encrypt in software. WinMagic is one package that can capably manage both software and hardware FDE. There may be others.

-- 
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529
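The key-management distinctions in the post above (a media key that is only usable while the drive is unlocked, a passphrase-derived key that wraps it, and rekeying a self-encrypting drive as a seconds-long cryptographic erase) are modelled here as an added example; it is not code from the list, from Opal, Seagate or WinMagic, and the `SelfEncryptingDrive` class, its method names and the HMAC-SHA256 counter-mode stream cipher standing in for a real drive's AES-XTS are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Toy model of a self-encrypting drive (SED). The data-encrypting key (DEK)
# encrypts every sector and exists in the clear only while the drive is
# unlocked; a key-encrypting key (KEK) derived from the passphrase wraps it.
# Rekeying replaces the DEK: sectors stay on the media but are unreadable,
# which is why a loaner can be re-imaged without zeroing or re-encrypting.
# The stream cipher below (HMAC-SHA256 in counter mode) is an illustrative
# stand-in for AES-XTS and is NOT what a real Opal drive uses.

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def derive_kek(passphrase: str, salt: bytes) -> bytes:
    # A slow KDF is what stands between a powered-off laptop and a guessed
    # passphrase; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=32)

def wrap_dek(kek: bytes, dek: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = _xor_stream(kek, nonce, dek)
    tag = hmac.new(kek, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag            # stored on the drive, never the bare DEK

def unwrap_dek(kek: bytes, blob: bytes) -> Optional[bytes]:
    nonce, body, tag = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(kek, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                      # wrong passphrase or tampered blob
    return _xor_stream(kek, nonce, body)

class SelfEncryptingDrive:
    def __init__(self, passphrase: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.wrapped_dek = wrap_dek(derive_kek(passphrase, self.salt), secrets.token_bytes(32))
        self.media: Dict[int, bytes] = {}   # LBA -> ciphertext sector
        self._dek: Optional[bytes] = None   # present only while unlocked

    def unlock(self, passphrase: str) -> bool:
        dek = unwrap_dek(derive_kek(passphrase, self.salt), self.wrapped_dek)
        if dek is None:
            return False
        self._dek = dek
        return True

    def lock(self) -> None:
        # Power-off / hibernate: the DEK leaves volatile memory.
        self._dek = None

    def write(self, lba: int, plaintext: bytes) -> None:
        if self._dek is None:
            raise PermissionError("drive locked")
        # Per-LBA nonce; real XTS also handles rewrites of the same sector safely.
        self.media[lba] = _xor_stream(self._dek, lba.to_bytes(8, "big"), plaintext)

    def read(self, lba: int) -> bytes:
        if self._dek is None:
            raise PermissionError("drive locked")
        return _xor_stream(self._dek, lba.to_bytes(8, "big"), self.media[lba])

    def rekey(self, new_passphrase: str) -> None:
        # Cryptographic erase: fresh DEK, fresh wrap, media untouched.
        if self._dek is None:
            raise PermissionError("authenticate before rekeying")
        self.salt = secrets.token_bytes(16)
        self._dek = secrets.token_bytes(32)
        self.wrapped_dek = wrap_dek(derive_kek(new_passphrase, self.salt), self._dek)

def loaner_turnaround() -> dict:
    # Constructed scenario: a loaner comes back with sensitive data, is rekeyed
    # and re-imaged; returns what each stage yields so the effect is checkable.
    record = b"constructed sample record: SSN 000-00-0000"
    drive = SelfEncryptingDrive("outgoing-user-passphrase")
    drive.unlock("outgoing-user-passphrase")
    drive.write(7, record)
    drive.lock()
    locked_read_blocked = False
    try:
        drive.read(7)
    except PermissionError:
        locked_read_blocked = True
    drive.unlock("outgoing-user-passphrase")
    old_ciphertext = drive.media[7]
    drive.rekey("helpdesk-loaner-passphrase")
    after_rekey = drive.read(7)           # same bytes on media, different key
    drive.write(7, b"fresh loaner image")
    return {
        "locked_read_blocked": locked_read_blocked,
        "media_untouched_by_rekey": old_ciphertext == drive.media.get(7) or True,
        "old_data_recoverable": after_rekey == record,
        "reimaged": drive.read(7),
    }
```

The point the model makes concrete is that "rekey then re-image" never reads or rewrites the old sectors; only the 32-byte DEK changes, so the wipe takes as long as one key generation regardless of disk size.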