PaulDotCom mailing list archives
Enterprise Full Disk Encryption
From: fmadvocate at gmail.com (Frank Mileto)
Date: Tue, 4 Nov 2008 16:26:49 -0600
I don't think you need to set a static password. This is from TrueCrypt's FAQ, http://www.truecrypt.org/faq.php:

*Q: We use TrueCrypt in a corporate/enterprise environment. Is there a way for an administrator to reset a volume password or pre-boot authentication password when a user forgets it (or loses a keyfile)?*

A: Yes. Note that there is no "back door" implemented in TrueCrypt. However, there is a way to "reset" volume passwords/keyfiles <http://www.truecrypt.org/docs/?s=keyfiles> and pre-boot authentication <http://www.truecrypt.org/docs/system-encryption.php> passwords. After you create a volume, back up its header to a file (select *Tools* -> *Backup Volume Header*) before you allow a non-admin user <http://www.truecrypt.org/docs/?s=administrator-privileges> to use the volume. Note that the volume header <http://www.truecrypt.org/docs/?s=volume-format-specification> (which is encrypted with a header key <http://www.truecrypt.org/docs/?s=header-key-derivation> derived from a password/keyfile) contains the master key <http://www.truecrypt.org/docs/?s=encryption-scheme> with which the volume is encrypted. Then ask the user to choose a password, and set it for him/her (*Volumes* -> *Change Volume Password*); or generate a user keyfile for him/her. Then you can allow the user to use the volume and to change the password/keyfiles without your assistance/permission. In case he/she forgets his/her password or loses his/her keyfile, you can "reset" the volume password/keyfiles to your original admin password/keyfiles by restoring the volume header from the backup file (*Tools* -> *Restore Volume Header*). Similarly, you can reset a pre-boot authentication <http://www.truecrypt.org/docs/?s=system-encryption> password.

To create a backup of the master key data (that will be stored on a TrueCrypt Rescue Disk <http://www.truecrypt.org/docs/rescue-disk.php> and encrypted with your administrator password), select '*System*' > '*Create Rescue Disk*' <http://www.truecrypt.org/docs/?s=rescue-disk>. To set a user pre-boot authentication <http://www.truecrypt.org/docs/?s=system-encryption> password, select '*System*' > '*Change Password*'. To restore your administrator password, boot the TrueCrypt Rescue Disk, select '*Repair Options*' > '*Restore key data*' and enter your administrator password.

Note: It is not required to burn each TrueCrypt Rescue Disk <http://www.truecrypt.org/docs/rescue-disk.php> ISO image to a CD/DVD. You can maintain a central repository of ISO images for all workstations (rather than a repository of CDs/DVDs). For more information see the section Command Line Usage <http://www.truecrypt.org/docs/command-line-usage.php> (option */noisocheck*).

HTH
Frank Mileto

On Tue, Nov 4, 2008 at 3:07 PM, xgermx <xgermx at gmail.com> wrote:

> If we did end up using TrueCrypt, users would be assigned static passwords (which the IT staff would have stored in an encrypted file). That would at least eliminate people forgetting their password.
>
> 2008/11/4 Tim Krabec <tkrabec at gmail.com>:
>
>> Securitycatalyst.org/forums has a few topics on it. I know several of the people there have implemented or are implementing FDE on several (50+) machines. Here is one of the threads: http://www.securitycatalyst.org/forums/index.php?topic=193.0 (you need to be logged in)
>>
>> On Tue, Nov 4, 2008 at 10:39 AM, xgermx <xgermx at gmail.com> wrote:
>>
>>> I'm getting bids from HP and Dell on laptops (about 100). Does anyone have experience with their respective full disk encryption solutions? The reps I've talked to (from both companies) can't really give me the technical information that I want, and the information on both websites is outdated (2007). I've also considered going with TrueCrypt (I have the most experience with this and it's free, but there's not a good way to centrally manage it). Your thoughts?
>>
>> --
>> Tim Krabec
>> Kracomp
>> 772-597-2349
>> smbminute.com
>> kracomp.blogspot.com
>> www.kracomp.com

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
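The FAQ quoted above rests on one design fact: the password never encrypts the data, it only encrypts a small header that holds the random master key, so changing a password re-seals the header and restoring an older header brings back the password that header was sealed with. The following is an added illustration of that design, written for this archive page; it is not code from the thread, from TrueCrypt, or from any TrueCrypt tool. It models the header with PBKDF2-HMAC-SHA256 plus an HMAC-SHA256 keystream and an encrypt-then-MAC tag (stand-ins for TrueCrypt's real KDF and XTS cipher), and the volume, passwords and data it uses are constructed for the example.

```python
"""Simplified model of the password-reset design the TrueCrypt FAQ describes.

Volume data is encrypted under a random master key. The master key is stored
only inside a small header that is encrypted under a key derived from the
password. Changing the password re-encrypts the header; it does not touch
the master key or the data. Restoring a backed-up header therefore restores
whichever password that backup was sealed with.

Illustrative model only, not TrueCrypt's on-disk format: PBKDF2-HMAC-SHA256
for key derivation, an HMAC-SHA256 keystream with an encrypt-then-MAC tag in
place of TrueCrypt's XTS-mode block cipher.
"""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000
SALT_LEN = 16
KEY_LEN = 32


def _derive_keys(password: str, salt: bytes) -> tuple:
    """Password -> (encryption key, MAC key): the 'header key' of the FAQ."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              PBKDF2_ITERATIONS, dklen=2 * KEY_LEN)
    return okm[:KEY_LEN], okm[KEY_LEN:]


def _keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream built from HMAC-SHA256(key, counter) blocks."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def seal_header(master_key: bytes, password: str) -> bytes:
    """Encrypt the master key under the password: salt || ciphertext || tag."""
    salt = secrets.token_bytes(SALT_LEN)
    enc_key, mac_key = _derive_keys(password, salt)
    ct = _xor(master_key, enc_key)
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + ct + tag


def open_header(header: bytes, password: str) -> bytes:
    """Recover the master key; raise if the password (or the header) is wrong."""
    salt = header[:SALT_LEN]
    ct = header[SALT_LEN:SALT_LEN + KEY_LEN]
    tag = header[SALT_LEN + KEY_LEN:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or corrupted header")
    return _xor(ct, enc_key)


class Volume:
    """A header (password-protected master key) plus data encrypted under the master key."""

    def __init__(self, admin_password: str, plaintext: bytes):
        master_key = secrets.token_bytes(KEY_LEN)
        self.header = seal_header(master_key, admin_password)
        self.data = _xor(plaintext, master_key)  # master key is never kept in clear

    def change_password(self, old: str, new: str) -> None:
        """Only the header is re-sealed; master key and data stay as they are."""
        self.header = seal_header(open_header(self.header, old), new)

    def backup_header(self) -> bytes:
        return self.header  # the file 'Tools -> Backup Volume Header' produces

    def restore_header(self, backup: bytes) -> None:
        self.header = backup  # 'Tools -> Restore Volume Header'

    def read(self, password: str) -> bytes:
        return _xor(self.data, open_header(self.header, password))


def admin_reset_scenario() -> dict:
    """Walk through the FAQ procedure with constructed passwords and data."""
    vol = Volume("admin-secret", b"constructed sample: quarterly report")
    backup = vol.backup_header()                           # taken before hand-over
    vol.change_password("admin-secret", "user-initial")    # admin sets first user password
    vol.change_password("user-initial", "user-private")    # user changes it unaided

    try:
        vol.read("admin-secret")
        admin_locked_out = False
    except ValueError:
        admin_locked_out = True                            # admin password no longer opens the header

    vol.restore_header(backup)                             # user forgot the password: restore
    recovered = vol.read("admin-secret")                   # original admin password works again
    return {"admin_locked_out": admin_locked_out, "recovered": recovered}


if __name__ == "__main__":
    print(admin_reset_scenario())
```

Two things the model makes visible for anyone planning the central-repository approach from the FAQ: the backup header is only as protected as the admin password it was sealed with, so the repository of headers and rescue-disk images deserves the same handling as that password; and a restored header only helps while the master key it contains is still the one the data is encrypted under, so the backup must be refreshed whenever a volume is re-created or its master key is regenerated.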