Open Source Removable Media Encryption?

An anonymous reader asks: "I'm trying to find a solution for encrypting removable media connected to my network's computers. Ideally, the solution would: allow Enterprise deployment and configuration in a Windows XP environment; be free and open source; not require administrative privileges to use (encrypt/decrypt files and media); and allow decryption via freely available and platform-independent methods on the destination machine. I've looked at PointSec for Removable Media, but it requires Windows on both ends. I've also looked at TrueCrypt, but it doesn't appear to limit encryption to only removable media (I don't want users encrypting their hard drives). Slashdot, can you help me?"
  • It shouldn't be that hard to add a check to make sure it only encrypts removable media.
  • Why not TrueCrypt? (Score:5, Informative)

    by wuzzeb ( 216420 ) <wuzzeb@@@yahoo...com> on Wednesday August 16, 2006 @12:11AM (#15916648)

    Truecrypt can do exactly what you want. From here [truecrypt.org]

    After a system administrator installs TrueCrypt on the system, users without administrator privileges will be able to run TrueCrypt, mount/dismount any TrueCrypt volume, and create file-hosted TrueCrypt volumes on the system. However, users without administrator privileges cannot encrypt/format partitions, cannot create NTFS volumes, cannot install/uninstall TrueCrypt, cannot change passwords/keyfiles for TrueCrypt partitions/devices, cannot backup/restore headers of TrueCrypt partitions/devices, and they cannot run TrueCrypt in 'traveller' mode.

    Exactly what you want... when running TrueCrypt in normal user mode, no one will be able to encrypt the hard drive or anything else.

    • and create file-hosted TrueCrypt volumes on the system.

      Fill whole partition with a single file, mount the file as a volume, ignore the physical partition, use the file-hosted volume. The difference between this and encrypting a partition or a harddisk by the user from admin's point of view is moot.
      • Fill whole partition with a single file, mount the file as a volume, ignore the physical partition, use the file-hosted volume. The difference between this and encrypting a partition or a harddisk by the user from admin's point of view is moot.

        I thought that "encrypting a partition" means you encrypt the entire physical partition so that other users cannot use it (or worse, encrypting partitions that contain system programs). If the administrator is afraid that a user will use the entire parti

        • by Vo0k ( 760020 )
          The administrator is afraid the user will encrypt critical company information, holding it ransom or simply forgetting password, and any kind of dangerous and non-job-related data (say, illegal porn) creating danger for the company and making it impossible to verify and find for the administrator. Quotas don't solve the problem because the user should be able to create arbitrarily big files as long as they are job-related, or at least deemed harmless by the administrator. An encrypted volume to which the ad
  • by Schraegstrichpunkt ( 931443 ) on Wednesday August 16, 2006 @12:17AM (#15916666) Homepage

    If it doesn't exist, write it yourself! I recommend you get a copy of Applied Cryptography, and implement 3DES using inner-CBC mode. Oh, also be sure to use lots of ASN.1 encoding everywhere.

    Signed,
    NOT The Government

  • Use hardware encryption on the removable media. You're talking probably USB-sticks anyhow, so use one with fingerprints or (multi-platform) pin codes.

    Or did you mean: Cheap enterprise solution? ;-)
  • Challenger thumbdrive encryption, not checked it out in depth but works for me for those "OMG what if I lost this thumbdrive" moments.

    http://www.encryption-software.de/challenger/en/doc_short_manual.html [encryption-software.de]
  • by RedBear ( 207369 ) <redbear@@@redbearnet...com> on Wednesday August 16, 2006 @07:37AM (#15917871) Homepage
    This question comes up every few months here, and as far as I can tell TrueCrypt is really the only solution that even approaches what you and almost everyone else here is looking for. First off it's open source (check), it's under active development unlike many other encryption projects (check), it's already partially cross-platform (semi-check) with plans for a Mac OS X version, and it's the only free, open source encryption software to have a decent GUI, as far as I can tell.

    If you have the backing of a real enterprise organization what you need to do is donate some time and/or money to the TrueCrypt project so that you can get the features you want. At this point there is really only one thing holding TrueCrypt back from becoming as ubiquitous as Firefox, which is that it hasn't yet been ported to Mac OS X and its GUI hasn't been ported to Linux yet. Feature-wise it will do just about exactly what you want, but the project needs resources and programmers to help make it totally cross-platform.

    The day that there is a stable GUI version that runs on OS X, Windows and Linux is the day that you and the rest of us will FINALLY have a solution to cross-platform encryption needs. It will also be the ONLY cross-platform solution available, if current trends continue. Believe me, I have LOOKED, and looked hard, and there is NOTHING on the market that isn't either Windows-dependent on both ends (as you've seen) or some half-assed clunky little command-line program only suitable for statically encrypting and decrypting files (google bcrypt and ccrypt, cross-platform but useless except to a few geeks). TrueCrypt mounts the encrypted file or drive as a drive letter and lets you transparently work with the files without ever writing them to disk in an unencrypted format. Regular users aren't going to accept anything less than TrueCrypt's already proven ease of use.

    Seriously, I can't emphasize this enough. TrueCrypt is your (our) only hope. They are Obi-Wan Kenobi. It's so close to what we all want, and nothing else even compares. Go ahead, keep looking. You won't find anything. If you have some resources behind you, as in money or programmers, aim them square at the TrueCrypt project and get things moving to get it completely cross-platform. The world will thank you and your enterprise needs will be met by free, open source software that will never die or cost you $100 per seat per year. Isn't that worth a little initial investment?
    • TrueCrypt is your (our) only hope. They are Obi-Wan Kenobi.

      I thought Luke was our (your) only hope, not Obi-Wan.
      • TrueCrypt is your (our) only hope. They are Obi-Wan Kenobi.

        I thought Luke was our (your) only hope, not Obi-Wan.


        "Help me, Obi-Wan Kenobi, you're my only hope... pssht-Help me, Obi-Wan Kenobi, you're my only hope... pssht-Help me, Obi-Wan Kenobi, you're my only hope... pssht-Help me, Obi-Wan Kenobi, you're my only hope -pssht... "

        Ring a bell?

        Please hand in your Jedi card as you leave the building.
        • Oh my. I should have posted that anonymously.

          My penance will be go to back and watch Star Wars 4 through 6 in a loop all weekend.

          Can I re-apply for another Jedi card after?
          • by RedBear ( 207369 )
            My penance will be go to back and watch Star Wars 4 through 6 in a loop all weekend.

            Can I re-apply for another Jedi card after?


            That's no penance, that's a celebration! Unless you meant Episodes 1-3 (movies 4-6). In which case if you survive the weekend you get a lifetime Jedi card... and a free ticket to the local psych ward. Good luck!
  • by CastrTroy ( 595695 ) on Wednesday August 16, 2006 @08:38AM (#15918115)
    The problem with encrypting removable media is a little bit shaky. I'm assuming you want to encrypt it so they can bring the information home with them. If they aren't bringing it home, you're probably better off leaving the data on the computer/network to keep it more secure. However, once they bring it home, and type in the decryption key, any spyware on their home computer is free to read the data just as the user would be free to read the data. Smart spyware would probably actively look for encrypted partitions (although I don't know of any that does), because it's more likely that there is confidential and important information there. Encrypting the media will give you lots of protection if the data happens to get lost, but won't protect you once the user plugs it into a foreign computer and types the password. You also need the software on every computer, so if you're bringing a presentation on an encrypted drive to a client's office, they need to have the software to read it. Also, remnants of the files can be left on the computer in the swap partition, which can be read later if the swap partition isn't encrypted, which is the case with most Windows, as well as Linux, setups (although it's quite easy to encrypt your Linux swap partition).

    On a side note, I don't think you have to worry too much about the users encrypting their hard drive if you use TrueCrypt, because as far as I'm aware, you have to unmount and format the volume in order to encrypt it. I don't think that regular users have that privilege, and I'm not even sure if it's possible with admin privileges, if they only have 1 partition. You can't unmount C: when you only have C:. Same reason why Format C: will not work at the command prompt.
    • CastrTroy raises some very good points: my first thought when I read this thread was "key logger".

      Which raises the issue of key management: if you haven't already done so, check out the standard methods of key management. (Easy mechanism - hire an ex-spook or ex-comsec person for "advice"). Wikipedia has some links - see http://en.wikipedia.org/wiki/Key_management [wikipedia.org]

      If you really want to help, dial in additional factors (RSA's little dongle is an example.)

      You really want to do this in the context of risk man
  • Users will -always- be able to create file-based encrypted partitions (loopback filesystems) using 3rd party software, no matter what -you- use. The way to go is to use truecrypt, then deal with these through company policy and control; you can't prohibit it technically, you must prohibit it legally. Control, deal with violators through disciplinary means.
  • ouch (Score:3, Funny)

    by Sloppy ( 14984 ) on Wednesday August 16, 2006 @10:00AM (#15918804) Homepage Journal
    ..but it doesn't appear to limit encryption to only removable media (I don't want users encrypting their hard drives).

    This constraint is a real bitch, just because it's so arbitrary. If you're really insistent on this, you're probably going to need something specifically customized for you.

    It's sort of like, "I need a great spreadsheet program, but I don't want it to be possible for the users to enter the number 4 into odd-numbered columns."

    • This constraint is a real bitch, just because it's so arbitrary. If you're really insistent on this, you're probably going to need something specifically customized for you.

      Well, as he mentioned, PointSec has a product that does just that, but it's not OSS. It shouldn't be hard to add a patch to TrueCrypt that adds this as an option. Just forbid the creation of volumes on anything connected to IDE, SCSI, or SATA (or maybe only allow USB). I'm just not convinced there is much demand for that feature outside o
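The "only allow removable media" pre-check that the first comment and the reply above sketch, written out as an added example (it is not TrueCrypt's code and not a patch to it). It uses the Linux sysfs layout, where a whole disk is `/sys/block/<disk>` with a `removable` attribute file and a partition is `/sys/block/<disk>/<part>`; the sysfs root is a parameter so the check can be exercised against a small constructed tree, which is what `build_sample_sysfs` creates. On Windows, the original poster's environment, the corresponding query is `GetDriveType()` returning `DRIVE_REMOVABLE`; that call is not shown here.

```python
# Added example: a policy guard a volume-creation tool could run before
# touching a target device, admitting only removable media.
# Reads the Linux sysfs 'removable' attribute; the sample tree below is
# constructed for offline demonstration and is not a real system.
import os
import tempfile


class PolicyViolation(Exception):
    """Raised when a volume-creation target is not removable media."""


def resolve_disk(devname, sysfs_root="/sys"):
    """Map a device name to its whole-disk entry under <sysfs_root>/block.

    Whole disks live at block/<disk>, partitions at block/<disk>/<part>;
    the 'removable' attribute exists only on the whole disk.
    """
    block = os.path.join(sysfs_root, "block")
    if os.path.isdir(os.path.join(block, devname)):
        return devname
    for disk in os.listdir(block):
        if os.path.isdir(os.path.join(block, disk, devname)):
            return disk
    raise FileNotFoundError(f"{devname}: no such block device under {block}")


def is_removable(devname, sysfs_root="/sys"):
    """True if the kernel flags the underlying disk as removable media."""
    disk = resolve_disk(devname, sysfs_root)
    with open(os.path.join(sysfs_root, "block", disk, "removable")) as fh:
        return fh.read().strip() == "1"


def check_volume_target(devname, sysfs_root="/sys"):
    """Admit the device for volume creation or raise PolicyViolation.

    Returns the whole-disk name so the caller can log what was approved.
    """
    if not is_removable(devname, sysfs_root):
        raise PolicyViolation(
            f"{devname}: refusing to create an encrypted volume on a fixed disk"
        )
    return resolve_disk(devname, sysfs_root)


def classify(devnames, sysfs_root="/sys"):
    """Apply the policy to several names; unknown devices are reported, never admitted."""
    verdicts = {}
    for name in devnames:
        try:
            check_volume_target(name, sysfs_root)
            verdicts[name] = "allowed"
        except PolicyViolation:
            verdicts[name] = "denied"
        except FileNotFoundError:
            verdicts[name] = "unknown"
    return verdicts


def build_sample_sysfs():
    """Constructed sysfs tree (hypothetical devices): sda is a fixed disk with
    two partitions, sdb a removable stick with one partition."""
    root = tempfile.mkdtemp(prefix="fake-sysfs-")
    layout = {"sda": ("0", ["sda1", "sda2"]), "sdb": ("1", ["sdb1"])}
    for disk, (flag, parts) in layout.items():
        disk_dir = os.path.join(root, "block", disk)
        os.makedirs(disk_dir)
        with open(os.path.join(disk_dir, "removable"), "w") as fh:
            fh.write(flag + "\n")
        for part in parts:
            os.makedirs(os.path.join(disk_dir, part))
    return root


if __name__ == "__main__":
    root = build_sample_sysfs()
    for name, verdict in classify(["sda", "sda2", "sdb", "sdb1", "sdz"], root).items():
        print(f"{name:6s} {verdict}")
```

Two caveats the thread itself raises apply to this check. The `removable` flag is reported by the device, so it separates sticks and card readers from internal disks but does not by itself distinguish every USB hard drive, which is why the reply above also considers keying the rule on the bus type. More importantly, the guard only governs device-hosted volumes: as the earlier comments note, a user can still fill a partition with a single file-hosted container, so the technical check has to sit alongside administrative controls rather than replace them.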
