Educause Security Discussion mailing list archives
Re: Whole Disk Encryption
From: "Howell, Paul" <grue () UMICH EDU>
Date: Fri, 13 Jan 2012 11:44:42 +0000
Has anyone implemented WDE across the board, for laptops AND workstations? If so, WRT workstations, what issues have been encountered?

________________________________
Paul Howell
University Chief Security Officer
Information & Infrastructure Assurance
Information and Technology Services
The University of Michigan

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Alexander Kurt Keller [alkeller () SFSU EDU]
Sent: Friday, January 06, 2012 1:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption

There is a password/data recovery method, but it is a process that may be prohibitively inefficient for larger deployments:

"We use TrueCrypt in a corporate/enterprise environment. Is there a way for an administrator to reset a volume password or pre-boot authentication password when a user forgets it (or loses a keyfile)?

Yes. Note that there is no "backdoor" implemented in TrueCrypt. However, there is a way to "reset" volume passwords/keyfiles and pre-boot authentication passwords. After you create a volume, back up its header to a file (select Tools -> Backup Volume Header) before you allow a non-admin user to use the volume. Note that the volume header (which is encrypted with a header key derived from a password/keyfile) contains the master key with which the volume is encrypted. Then ask the user to choose a password, and set it for him/her (Volumes -> Change Volume Password); or generate a user keyfile for him/her. Then you can allow the user to use the volume and to change the password/keyfiles without your assistance/permission. In case he/she forgets his/her password or loses his/her keyfile, you can "reset" the volume password/keyfiles to your original admin password/keyfiles by restoring the volume header from the backup file (Tools -> Restore Volume Header)."
-- http://www.truecrypt.org/faq

Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
☛ Burk Hall 155 ☎ (415)338-6117 ✉ alkeller () sfsu edu

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Friday, January 06, 2012 9:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption

The biggest drawback for us was no password recovery – lose the password, lose the data….

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Drew Perry
Sent: Friday, January 06, 2012 10:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption

@Aaron,

TrueCrypt is a great product for individual use. But in a larger environment, it lacks significant enterprise deployment tools. IT staff can back up the Volume Header of encrypted disks for central management, but it requires direct contact with each system. There is no support for remote management, monitoring, or maintenance.

Definitely use it at home and in smaller environments. (For small organizations it's hard to beat the price.) But I wouldn't recommend it for any type of enterprise rollout.

Drew Perry
Security Analyst
Murray State University
(270) 809-4414
aperry () murraystate edu

Save a tree. Please consider the environment before printing this message.

On Fri, Jan 6, 2012 at 10:16 AM, Aaron S. Thompson <athompson () berklee edu> wrote:

Hi All,

Has anyone deployed or has experience with TrueCrypt? If so are you happy with it? Any things you would have changed or pitfalls?

Best,
Aaron

-
Aaron Thompson
Network Architect for IT Operations
Berklee College of Music
1140 Boylston Street, MS-186-NETT
Boston, MA 02215-3693
www.berklee.edu
617.747.8656

-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
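Added example, not part of the original thread and not TrueCrypt's code: a toy Python model of the header mechanism the quoted FAQ describes, showing why restoring a backed-up header brings back the admin password. The 80-byte header layout, the XOR masking and the HMAC check are simplifying assumptions standing in for TrueCrypt's real header format and ciphers; the passwords are constructed.

```python
import hashlib, hmac, os

ITER = 1000  # kept low so the demo runs quickly; not a recommendation

def _header_key(password: bytes, salt: bytes) -> bytes:
    # 64 bytes: first half masks the master key, second half authenticates it
    return hashlib.pbkdf2_hmac("sha512", password, salt, ITER, dklen=64)

def make_header(password: bytes, master_key: bytes) -> bytes:
    """Wrap a 32-byte master key under a password-derived header key."""
    salt = os.urandom(16)
    hk = _header_key(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, hk[:32]))
    tag = hmac.new(hk[32:], wrapped, hashlib.sha256).digest()
    return salt + wrapped + tag  # assumed toy layout, 80 bytes

def open_header(password: bytes, header: bytes):
    """Return the master key, or None when the password does not match."""
    salt, wrapped, tag = header[:16], header[16:48], header[48:80]
    hk = _header_key(password, salt)
    expected = hmac.new(hk[32:], wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, hk[:32]))

def demo() -> dict:
    master_key = os.urandom(32)   # encrypts the data; never changes
    admin_hdr = make_header(b"admin-pass", master_key)
    backup = admin_hdr            # Tools -> Backup Volume Header
    # Volumes -> Change Volume Password re-wraps the same master key
    live_hdr = make_header(b"user-pass", open_header(b"admin-pass", admin_hdr))
    results = {
        "user_opens_live": open_header(b"user-pass", live_hdr) == master_key,
        "admin_locked_out_of_live": open_header(b"admin-pass", live_hdr) is None,
    }
    live_hdr = backup             # Tools -> Restore Volume Header
    results["admin_opens_restored"] = open_header(b"admin-pass", live_hdr) == master_key
    results["user_pass_after_restore"] = open_header(b"user-pass", live_hdr) is not None
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because a password change only re-wraps the same master key, the backup header together with the admin password unlocks the volume no matter how often the user changes their password afterwards, so header backups need the same protection as any other key material.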