funsec mailing list archives

Re: Stolen laptops and the Windows encrypted file system?


From: coderman <coderman () gmail com>
Date: Thu, 30 Mar 2006 04:13:42 -0800

On 3/29/06, Henderson, Dennis K. <Dennis.Henderson () umb com> wrote:

Another solution would be to allow people to store their EFS encryption keys on a separate device such as a USB flash drive.

I also believe that an encrypted folder on a portable hard drive would be safe if it is carried separately from a laptop which holds the EFS encryption keys.

...

The nice thing about PreBootAuth and full disk encryption is that you don't have to worry about having another device to lose along with the laptop. It's an option with most full disk encryption products, but I wouldn't deploy that given how convenient it would be to simply toss the smartcard or fob into the laptop case.


what would it take to get johnny teenager / sally CEO to encrypt?

can this be made simpler / more compelling?

0. insert new second disk of equal or greater size
1. boot from trusted cd/dvd ISO image
2. insert USB memory stick (or two if you want a backup)
3. enter new password / passphrase (see good password howto)
4. agree/confirm to copy over empty / target disk
5. wait as new disk is encrypted via loop-aes, keys are stored on
password protected USB image, all existing OS data* on source disk is
copied to encrypted volume on new disk.
6. reboot into new encrypted volume and copy back over original source
hard disk with loop-aes and store keys for this disk on USB image.
7. Johnny gets a data backup with his privacy.

* ubuntu, knoppix, slackware, linspire and centos supported.  a
windoze or other partition (vfat, ntfs, etc) can be copied and mounted
under a new installation of the previously mentioned linux OS'es on
the new encrypted disk. (if one of these linux flavors is not already
installed)

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
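
Steps 0 to 5 of the procedure in the message above, sketched as a dry-run planner; this is an added example, not part of the original post or of loop-AES. Device names, mount points, the key file name, the AES128 cipher and the use of gpg for the password-protected key file are assumptions, and the script only prints commands.

```shell
#!/bin/sh
# Added example: dry-run planner for steps 0-5. It prints commands, runs none.
# Assumed/constructed: device names, mount points, key file name, AES128, gpg.

# Step 0: the new disk must be of equal or greater size than the source.
check_sizes() {            # $1 = source bytes, $2 = target bytes
    [ "$2" -ge "$1" ]
}

# Step 5: the key file has to live on the USB stick, never on the laptop's
# own disks, otherwise a stolen laptop carries its own keys.
key_on_usb() {             # $1 = key file path, $2 = USB mount point
    case "$1" in
        */../*)  return 1 ;;   # reject paths that climb back off the stick
        "$2"/?*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the command sequence, or fail before anything destructive is listed.
# $1 src bytes  $2 dst bytes  $3 dst device  $4 USB mount  $5 key file
plan() {
    check_sizes "$1" "$2" || { echo "target disk too small" >&2; return 1; }
    key_on_usb "$5" "$4" || { echo "key file is not on the USB stick" >&2; return 2; }
    # 2925 random bytes at 45 bytes per uuencode line give the 65 key lines;
    # gpg --symmetric prompts for the passphrase from step 3.
    cat <<EOF
head -c 2925 /dev/random | uuencode -m - | head -n 66 | tail -n 65 | gpg --symmetric -a > $5
losetup -e AES128 -K $5 /dev/loop0 $3
mkfs -t ext3 /dev/loop0
mount /dev/loop0 /mnt/newdisk
cp -ax / /mnt/newdisk
EOF
}

# Constructed sample run: 80 GB source disk, 120 GB target disk.
plan 80000000000 120000000000 /dev/sdb1 /media/usb /media/usb/disk2.gpg
```

The two checks run before any command is listed, so a too-small target or a key file path on the laptop's own disk stops the plan before the step that overwrites the target.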

