Educause Security Discussion mailing list archives

Re: Whole Disk Encryption


From: David Grisham <Dgrisham () SALUD UNM EDU>
Date: Fri, 13 Jan 2012 09:04:53 -0700

We have implemented workstation and laptop WDE using McAfee which
provides central management and reporting. As WDE using LDAP credentials
is not always an option on workstations with a large amount of multiple
users, we are now pushing out file and folder encryption which allows us
to also control USBs and their data leakage.
McAfee's password recovery works well and we have been able to move
that service down to Tier 1 help desk staff.

Cheers --grish
David D. Grisham
David Grisham, Ph.D.,  CISM, CRISC
Manager, IT Security,
UNM Hospitals, IT Division
Suite 3131
933 Bradbury Drive, SE
Albuquerque, New Mexico 87106
Ph: (505) 272-5657 
Department FAX 272-7143, Desk Fax 272-9927


"Tonkin, Derek K." <Derek_Tonkin () BAYLOR EDU> 1/13/2012 8:29 AM >>>
We haven't implemented WDE on all of our workstations but we do have a
significant number of workstations with PGP WDE on them.  We haven't had
any issues particular to workstations.  Early on we had some trouble
with the bootloader not recognizing Bluetooth keyboards but that seems
to have been resolved at this point.  Generally, they have the same
issues as laptops with users forgetting their passphrases and
occasionally having to do drive recoveries when they get a virus that
attempts to change the boot sector or have hardware issues.

-------------Baylor University-------------
Derek Tonkin
Information Security Analyst
Information Technology Services - Security
derek_tonkin () baylor edu        254-710-7061
---------------Sic 'em Bears---------------

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Howell, Paul
Sent: Friday, January 13, 2012 5:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] Whole Disk Encryption


Has anyone implemented WDE across the board, for laptops AND
workstations?   If so, WRT workstations, what issues have been
encountered?  


________________________________
Paul Howell
University Chief Security Officer
Information & Infrastructure Assurance
Information and Technology Services
The University of Michigan


________________________________________
From: The EDUCAUSE Security Constituent Group Listserv
[SECURITY () LISTSERV EDUCAUSE EDU] on behalf of Alexander Kurt Keller
[alkeller () SFSU EDU] 
Sent: Friday, January 06, 2012 1:04 PM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] Whole Disk Encryption

There is a password/data recovery method, but it is a process that may be
prohibitively inefficient for larger deployments:

"We use TrueCrypt in a corporate/enterprise environment. Is there a way
for an administrator to reset a volume password or pre-boot
authentication password when a user forgets it (or loses a keyfile)?

Yes. Note that there is no "backdoor" implemented in TrueCrypt.
However, there is a way to "reset" volume passwords/keyfiles and
pre-boot authentication passwords. After you create a volume, back up
its header to a file (select Tools -> Backup Volume Header) before you
allow a non-admin user to use the volume. Note that the volume header
(which is encrypted with a header key derived from a password/keyfile)
contains the master key with which the volume is encrypted. Then ask the
user to choose a password, and set it for him/her (Volumes -> Change
Volume Password); or generate a user keyfile for him/her. Then you can
allow the user to use the volume and to change the password/keyfiles
without your assistance/permission. In case he/she forgets his/her
password or loses his/her keyfile, you can "reset" the volume
password/keyfiles to your original admin password/keyfiles by restoring
the volume header from the backup file (Tools -> Restore Volume Header)."

--  http://www.truecrypt.org/faq 

Alex Keller
Systems Administrator
Academic Technology, San Francisco State University *Burk Hall 155 *
(415)338-6117 *alkeller () sfsu edu 

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP,
MICHAEL
Sent: Friday, January 06, 2012 9:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] Whole Disk Encryption

The biggest drawback for us was no password recovery - lose the
password, lose the data.

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Drew Perry
Sent: Friday, January 06, 2012 10:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] Whole Disk Encryption

@Aaron,

TrueCrypt is a great product for individual use. But in a larger
environment, it lacks significant enterprise deployment tools. IT staff
can back up the Volume Header of encrypted disks for central management,
but it requires direct contact with each system. There is no support for
remote management, monitoring, or maintenance. Definitely use it at home
and in smaller environments. (For small organizations it's hard to beat
the price.) But I wouldn't recommend it for any type of enterprise
rollout.

Drew Perry
Security Analyst
Murray State University
(270) 809-4414
aperry () murraystate edu 


On Fri, Jan 6, 2012 at 10:16 AM, Aaron S. Thompson
<athompson () berklee edu> wrote:
Hi All,

Has anyone deployed or has experience with TrueCrypt?  If so are you
happy with it?  Any things you would have changed or pitfalls?

Best,

Aaron
-
Aaron Thompson
Network Architect for IT Operations

Berklee College of Music
1140 Boylston Street, MS-186-NETT
Boston, MA 02215-3693

www.berklee.edu 
617.747.8656



--
This message has been scanned for viruses and dangerous content by
MailScanner, and is believed to be clean.
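
The header-backup reset described in the TrueCrypt FAQ text quoted in Alex Keller's message, modelled as an added example (not part of the original thread and not TrueCrypt's code; the header layout, PBKDF2 parameters and XOR wrap are simplifying assumptions, not TrueCrypt's on-disk format). It shows why restoring a backed-up header resets the password, and that a header backup together with its admin password keeps unlocking the volume after the user changes theirs, so backup files need the same protection as the keys.

```python
import hashlib, hmac, os
from typing import Optional

def _header_key(password: str, salt: bytes) -> bytes:
    # Header key derived from the password (PBKDF2 settings are assumptions).
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 100_000, dklen=64)

def make_header(password: str, master_key: bytes) -> bytes:
    """Wrap the 32-byte master key under a password-derived header key."""
    salt = os.urandom(16)
    hk = _header_key(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(master_key, hk[:32]))  # toy wrap
    tag = hmac.new(hk[32:], salt + wrapped, hashlib.sha256).digest()
    return salt + wrapped + tag

def open_header(password: str, header: bytes) -> Optional[bytes]:
    """Return the master key, or None if the password does not fit this header."""
    salt, wrapped, tag = header[:16], header[16:48], header[48:]
    hk = _header_key(password, salt)
    expect = hmac.new(hk[32:], salt + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(wrapped, hk[:32]))

def change_password(old: str, new: str, header: bytes) -> bytes:
    """Re-wrap the same master key; the encrypted data is never touched."""
    mk = open_header(old, header)
    if mk is None:
        raise ValueError("wrong password")
    return make_header(new, mk)

def demo() -> dict:
    master_key = os.urandom(32)                      # encrypts the volume data
    volume_header = make_header("admin-pw", master_key)   # constructed passwords
    backup = volume_header                           # Tools -> Backup Volume Header
    volume_header = change_password("admin-pw", "user-pw", volume_header)
    results = {
        "user_opens": open_header("user-pw", volume_header) == master_key,
        "admin_locked_out": open_header("admin-pw", volume_header) is None,
        # The backup still unwraps the live master key with the admin password.
        "backup_opens": open_header("admin-pw", backup) == master_key,
    }
    volume_header = backup                           # Tools -> Restore Volume Header
    results["reset_works"] = open_header("admin-pw", volume_header) == master_key
    results["user_pw_after_reset"] = open_header("user-pw", volume_header) is None
    return results

if __name__ == "__main__":
    print(demo())
```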


