Educause Security Discussion mailing list archives

Re: Whole Disk Encryption


From: Brad Judy <win-hied () BRADJUDY COM>
Date: Tue, 17 Jan 2012 16:43:30 -0500

I don't know about FileVault, but since BitLocker relies on a TPM chip to
protect the decryption keys, I expect it would meet this requirement.  

 

Brad Judy

 

Emory University

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Sana
Sent: Tuesday, January 17, 2012 4:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption

 

Aloha,

 

I remember some years back that using native file encryption on machines
within scope could possibly violate PCI requirements under section 3.  

 

3.4.1 If disk encryption is used (rather than file- or column-level database
encryption), logical access must be managed independently of native
operating system access control mechanisms (for example, by not using local
user account databases). Decryption keys must not be tied to user accounts. 

 

Just something to think about. I am definitely NOT a QSA, so if someone
could shed some light on the situation or elaborate, that would be great.

 

mike.sana.

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bradley Jonko
Sent: Tuesday, January 17, 2012 11:17 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption

 

We currently have PGP (now Symantec) deployed for Windows and Macs, but are
desperately looking to move away from PGP in favor of the native solutions
(BitLocker and FileVault). We have been running up against user backlash
from the long delays for major OS patching (mostly on the Mac side), which
has led to some users outright removing their encryption.

 

 

The largest obstacle that our IT folks are worried about if we move to the
native encryption is recreating the password recovery mechanisms that are
built-in to most of the commercial products.

Has anyone implemented a key escrow/password recovery solution for
either/both of the native encryption solutions? If so, was it a homegrown
solution?

 

 

Thank you,

Brad Jonko

Information Security Office

Stanford University

jonko () stanford edu

650.724.2822

 

 

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Friday, January 06, 2012 9:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption

 

The biggest drawback for us was no password recovery - lose the password,
lose the data.

 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Drew Perry
Sent: Friday, January 06, 2012 10:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption

 

@Aaron,

 

TrueCrypt is a great product for individual use. But in a larger
environment, it lacks significant enterprise deployment tools. IT staff can
back up the Volume Header of encrypted disks for central management, but it
requires direct contact with each system. There is no support for remote
management, monitoring, or maintenance. Definitely use it at home and in
smaller environments. (For small organizations it's hard to beat the price.)
But I wouldn't recommend it for any type of enterprise rollout.


Drew Perry
Security Analyst
Murray State University
(270) 809-4414
aperry () murraystate edu

 


 

On Fri, Jan 6, 2012 at 10:16 AM, Aaron S. Thompson <athompson () berklee edu>
wrote:

Hi All,

 

Has anyone deployed or has experience with TrueCrypt
<http://www.truecrypt.org/>? If so, are you happy with it? Any things you
would have changed or pitfalls?

 

Best,

 

Aaron

-
Aaron Thompson

Network Architect for IT Operations

 

Berklee College of Music         

1140 Boylston Street, MS-186-NETT
Boston, MA 02215-3693


www.berklee.edu

617.747.8656

 

 


-- 
This message has been scanned for viruses and 
dangerous content by  <http://www.mailscanner.info/> MailScanner, and is 
believed to be clean. 



