How To, When You Have To Encrypt Absolutely Everything?
Dark Neuron writes "My institution has thousands of computers, and is looking at starting an IT policy to encrypt everything, all hard drives, including desktops, laptops, external hard drives, USB flash drives, etc. I am looking at an open source product for Windows, Mac, UNIX, as well as portable hard drives, but I am concerned about overhead and speed penalties. Does anyone have experience and/or advice with encrypting every single device in a similar situation?"
Hard Drive Encryption - Theory vs. Reality (Score:4, Funny)
Let me explain to you how this works. In pictures:
http://xkcd.com/538/
Re:Hard Drive Encryption - Theory vs. Reality (Score:5, Funny)
Of course, if you're using Truecrypt, they won't know when to stop hitting you.
Re:Hard Drive Encryption - Theory vs. Reality (Score:5, Funny)
Yeah...
Encryption will save you and your institution versus legal attacks, but if others' "people" may talk to your "people" with a wrench, then only iron will can save you.
Even biometrics can be fooled (e.g., eyeballs and fingers aren't that hard to remove these days).
ROT 26 (Score:5, Funny)
Tell the suits you are implementing state-of-the-art ROT-26 encryption on everything. Take a month off. Come back, pronounce it complete, and ask for a raise.
Re:Key Management (Score:5, Funny)
Re:Have fun with management (Score:5, Funny)
There aren't any tools that manage them centrally and allow for compliance and auditing.
Crap. Has anyone told Google yet? Best get them to switch to Windows quickly!
Re:Key Management? (Score:5, Funny)
To empower individuals to utilize synergistic approaches to achieve goals and exceed expectations. :)
Re:Key Management? (Score:2, Funny)
All keys are '12345'
I have a pdf detailing such a policy (Score:2, Funny)
But I encrypted it and lost the keys.
It was a perfect design and I am sad to have lost it.
PLAESE BACK UP FRIST!!! (Score:5, Funny)
Re:TrueCrypt or Wait for On Drive Upgrades (Score:5, Funny)
Coming from an Org that encrypts everything
Tom Cruise? Is that you?
Re:ROT 26 (Score:4, Funny)
I suggest obfuscating it slightly, pardon the 'irregularities' of my math
ROT-26 | Swap 2*13 for 26.
ROT-(2*13) | Swap Triskadeca for 13
ROT-(2*Triskadeca) | Swap Duplo for 2*
ROT-Duplotriskadeca | Add Duplotriskadeca to both sides
ROT = Duplotriskadeca | Eliminate
0 = Dupliskadeca | Let d = 4; add 1 to each side
1 + 0 = Dupliska(4 + 1)eca = Dupliskaeeca | Reorder
1 = cakeisadupel | We know that l looks like 1, so go ahead and eliminate.
0 = cake is a dupe
The cake statement is a false, a lie!
Hence we can call this DoublePortal encryption, while knowing we maintained mathematical purity for the name.
Use of this naming convention for ROT(26) will surely be more amenable to the PHBs.
Re:Hard Drive Encryption - Theory vs. Reality (Score:3, Funny)
eyeballs and fingers aren't that hard to remove these days
These days? Bodily mutilation is like the GEICO of injury - so easy, a caveman could do it.
Re:TrueCrypt or Wait for On Drive Upgrades (Score:1, Funny)
The outrageous cost is offensive, but you need to pay to play in an enterprise environment right now.
Steve Ballmer? Is that you?
Re:Yellow sticky notes (Score:3, Funny)
5. I've had the security chick for a vault blow me
Nice.
Re:Key Management? (Score:3, Funny)
*patents*
Don't do it! (Score:1, Funny)
This is a perfect example of an IT directive to solve a problem that does not exist. Encrypting at the drive level can be useful if your key management is good, but it is not meant to be a catch-all for security. Your best bet is to only encrypt the data that absolutely needs to be. As someone mentioned above, use a thin-client model to keep the complexity low. Use an e-mail client that supports encryption if you must, though e-mail is generally not a safe place for anything secure anyway. Make sure your intranet keeps the browser from caching secure data, and train your staff to store top-secret information on an encrypted document server.
I understand that there is sometimes a need to be paranoid about a stolen laptop, but the XKCD strip linked above is dead on when it comes to what this sort of "security" actually provides. At best it is obscurity. At worst, it slows everyone's life down, bogs down IT support and operations, and chews up funds that would be better used for something like salaries.
Personally, I think we should move away from the dedicated machine model for all employees. It's much less expensive to secure your intranet servers and expose them through secure tunnels through the internet. Now, all your employees need is an abacus with a good battery.
The only free, safe comprehensive solution is. . . (Score:2, Funny)
dl;kjf9s00, so*9fosdikjk oi*5 soej1j2+~. 7dtTk34l ";Leu3*7&.
#@$tjke,
s-=3k,3j
Re:TrueCrypt or Wait for On Drive Upgrades (Score:2, Funny)
Re:Theory vs. Reality - Seriously (Score:2, Funny)
P.S. Just lost Joe from HR... he had an accident while eating a brazil nut.
Re:Theory vs. Reality - Seriously (Score:3, Funny)
OK! OK! Just leave the dog out of it!
The big secret, I mean the one they really keep under wraps to try to keep the nuclear genie in the bottle... Is that plutonium and uranium are delicious. Really, really good - Here in Los Alamos we sprinkle highly enriched uranium on our corn-flakes in the morning - It's a great wake-me-up. Devouring large quantities of uranium (even un-enriched) and then 'processing' it internally is how the slugs are manufactured for gun-type weapons (the enrichment is done in the small intestine). Making an implosion weapon necessitates a circus elephant.
So, now that you know, feel free to go improvise a couple of nukes, just leave the dog alone!