Educause Security Discussion mailing list archives

Full Disk Encryption vs "encrypting just the data disk"....??


From: "SCHALIP, MICHAEL" <mschalip () CNM EDU>
Date: Wed, 30 Jan 2013 12:03:27 -0700

Hi folks.....

Apologies for the hijack, but - here's what we're struggling with:  We run Symantec Endpoint Encryption - whole disk - 
only on our administrative laptops - but, the boot time hit is bad, plus the process of having to "register users" 
into the system is more than a lot of folks can handle/manage/understand.  So - the idea has been broached of 
partitioning all admin laptops into an unencrypted C:/boot drive, (thus improving the boot time), but also having an 
encrypted D:/data disk where everyone will need to store their data.  This sounded like a good theory until we were 
told that even if the boot partition isn't encrypted, the system will still have to go through the SEE pre-boot 
environment - hence, we may not get any boot time gains.  Which is also driving the discussion toward BitLocker, 
(especially with some of the recovery improvements that come with BitLocker in a WinServer 2012 environment).....but, 
I'm not sure if BitLocker doesn't require the same kind of pre-boot process....??

Anyone know if there's an elegant way to encrypt a data drive - not encrypt the boot drive - and not require the system 
to go through a pre-boot process......AND, allow for some sort of automated and centralized key recovery capability??

Thanks,

Michael



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David 
Grisham
Sent: Wednesday, January 30, 2013 11:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Full Disk Encryption and Media Encryption

We are using McAfee Endpoint Encryption which allows us to apply FDE preboot on laptops and were moving toward AutoBoot 
on workstations.
The McAfee endpoint tool allows us to force encryption if anyone wants to write to a USB or optical media. There's a 
lot of options and flexibility.
As we've been using EPO for quite a while, management has not been a problem. When we pushed out FDE we had some problems 
because we didn't check the health of the disks on our laptops prior to encrypting and bricked a few.
So take a good look at McAfee endpoint encryption. I know there are other products that others are using and like very 
much also. Cheers.
-grish
David Grisham, PhD, CISM, CRISC
Manager ITSecurity

Jim Furstenberg <JamesFurstenberg () FERRIS EDU> 1/30/2013 11:22 AM >>>
Full Disk Encryption and Media Encryption

Just wanted to see what vendors (enterprise solutions)  folks are using for FDE and MDE needs. 

 We currently have Checkpoint which is very unfriendly so I am looking at options. 

Any help would be greatly appreciated. 


Thank you.

Jim Furstenberg |IT Security Analyst CISSP, C|EH

"In God we trust, all others bring data."    W. Edward Demmings
_________________________________________________________
Ferris State University  - National Security Agency Center of Excellence
330 Oak St  | Big Rapids, MI 49307
Office: 231.591.5335
Mobile: 231.645.5821
EFax: 888.396.6269
Technical support
or call 231-591-4822 local
or toll free 877-779-4822

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.



