Encryption Security

How To, When You Have To Encrypt Absolutely Everything? 468

Dark Neuron writes "My institution has thousands of computers, and is looking at starting an IT policy to encrypt everything, all hard drives, including desktops, laptops, external hard drives, USB flash drives, etc. I am looking at an open source product for Windows, Mac, UNIX, as well as portable hard drives, but I am concerned about overhead and speed penalties. Does anyone have experience and/or advice with encrypting every single device in a similar situation?"
This discussion has been archived. No new comments can be posted.

  • Re:Yeah... (Score:5, Interesting)

    by number11 ( 129686 ) on Monday February 09, 2009 @02:37PM (#26787183)

    you may want to only encrypt parts of your hard disk as encrypting the whole disk will impact performance.

    Yeah, but if you're running Windows, be sure to get the swap file (depending on security concerns, maybe having Win zero the swap file at shutdown might be enough) and all that crap in Documents and Settings. If concerns run to file/folder names, don't forget the MRU lists. I do have a Truecrypt partition, but regularly find bits and pieces of stuff scattered here and there on C: unencrypted.

    Win does not segregate data in a helpful fashion. If my security concerns were serious, I wouldn't dare anything less than whole disk encryption. Actually, I'd probably stop using Windows.

  • by Anonymous Coward on Monday February 09, 2009 @02:39PM (#26787217)

    Let me explain to you how this works

    It works exactly like your front door lock: it raises the cost of caring. When it costs $5 for a wrench to find out what's on the drive, you have to care at least $5 to bother trying. Drives and USB sticks will continue to be stolen and resold for their value as storage devices, but anyone wanting to get the information stored on them will have to care a whole lot more than $NZ18 [slashdot.org].

  • Re:Yeah... (Score:5, Interesting)

    by Lumpy ( 12016 ) on Monday February 09, 2009 @02:40PM (#26787235) Homepage

    How about the following...

    "My presentation is on this drive and I forgot the password, get my files for me!"

    Users don't like it when you say, "Sorry, but unless you remember your password all your files on that drive are gone forever."

    That stopped it at my last IT gig, I mentioned that response to the CTO and he said...

    "oooh, Did not think of that. let's skip encryption."

  • Re:Yeah... (Score:4, Interesting)

    by SatanicPuppy ( 611928 ) * <Satanicpuppy.gmail@com> on Monday February 09, 2009 @02:59PM (#26787613) Journal

    If it's corporate, just make them encrypt it using their key and a corporate master key. Then you can decrypt it using the master key if some boneheaded user loses their key. You should do this anyway to prevent some user from walking with all of their data, and to maintain SoX compliance.

    Obviously this will increase the overhead, but frankly, encryption should be used sparingly anyway.

  • Yellow sticky notes (Score:2, Interesting)

    by Moof123 ( 1292134 ) on Monday February 09, 2009 @03:06PM (#26787719)

    The best encryption/security is most easily foiled by humans:

    1. I've seen many username/passwords posted with sticky notes on folks' monitors. Admins are partially to blame by imposing well-intentioned but impractical password rules, resulting in the necessity of users to write that crap down or end up perpetually calling the already overextended IT help desk and being shut down for hours at a shot to figure out passwords.

    2. I've seen combos to classified safes written in pencil behind the "Locked"/"Open" magnetic sticker (well, the digits were swapped, but c'mon!).

    3. I've had numerous combos given to me for vaults and safes containing secret level materials that ALL followed a retardly simple pattern, making an 8 digit combo lock (4 two digit numbers) effectively a 2 digit one (XY-YX-XY-00). While convenient, it is stupid, and possibly illegal (not sure how the DOD feels about security folks intentionally dumbing down the security they mandate?).

    4. I've had to have our uncleared maintenance dude break into the vault when our crap lock broke AGAIN. Acoustic ceiling tiles really should not be the last line of defense for secret files... We regularly had problems with the combo lock on that door as well, a modest shove would open it, on those occasions it actually latched.

    5. I've had the security chick for a vault blow me off after I carefully explained how the combo lock on the vault was busted. It took two more attempts, and several days to get someone else to demand it get fixed (she and I had a mutual dislike, I wonder why...). If someone just entered the vault you could turn the knob and get in without the combo, the lock was not properly resetting.

    6. I've seen vaults left with only the cheesy punch code combo lock securing things (nobody in the vault) for hours at a shot on weekends, while the dude responsible was off at an extended lunch. This was SOP. Prior jobs demanded vaults always either have a cleared and authorized individual for that vault inside, or that the real locks be spun. Even for bathroom breaks.

    Good looking security with lax culture is worse than weak security with a vigilant user base.

  • by Anonymous Coward on Monday February 09, 2009 @03:11PM (#26787847)

    I work in an organization with 10,000+ field offices in the USA. Every office has an encrypted server and POS machine. Then, there are several hundred more encrypted laptops used by the various levels of management from district all the way to division. Also, several (over a hundred) laptops at our headquarters are also encrypted.

    The problem is that every one of these must be managed. Each password must be logged and then stored. Each one must be changed every year (right after the annual reviews - hire and fire). Everyone who may reboot the computer must know the password (although you can interact with some programs and pass the password to it before a reboot so the user does not need to know). You cannot install it and think you're done. You have just created another point of failure that will generate calls to the helpdesk and add to your total IT overhead via management.

    Also, we have had some problems with certain machines not reporting 100% encryption even after weeks of waiting. A full reimage was needed to correct the issue. Just one more piece to watch for - you will have to closely manage the encryption process.

  • by orev ( 71566 ) on Monday February 09, 2009 @03:16PM (#26787943)

    I've used both truecrypt and compusec, and for a corporate environment only compusec is acceptable. Truecrypt does not provide a master password you can use to quickly reset a password when the user forgets. Compusec is not perfect, but this single feature makes it "enterprise" ready.

  • Re:Dont. (Score:3, Interesting)

    by Rageon ( 522706 ) on Monday February 09, 2009 @03:21PM (#26788075)

    I work in a state courthouse. Here, Windows is set up to force new passwords every so often and of ridiculous complexity (numbers + letters + symbols + Sanskrit, or something of that nature). So what we have is a situation where 50% of the computers here have little post-its on them with the user's passwords. It does far more harm than good.

  • by Anonymous Coward on Monday February 09, 2009 @03:25PM (#26788149)

    WTF? If someone steals a computer and puts a drive in another computer the Windows/BIOS password won't do shit, encryption will.

    Alternatively, if the 3 people that know the password are killed in a fluke traffic accident on the way to work, those won't put you out of business, but encryption will.

  • by KookyMan ( 850095 ) on Monday February 09, 2009 @03:37PM (#26788357)

    In addition, the TrueCrypt user community lately is getting the shaft from the "TrueCrypt Foundation".

    Case in point, if you visit their forums, starting about 6 months ago, around the time of release of v6, the forum administrators now delete anything "critical" of TrueCrypt. Basically, you're only allowed to discuss the positives of the software, or problems with the intended operation of it. Any "bugs" or "weaknesses" mentioned result in having the thread either locked, more than likely deleted, and if you push an issue, open a second thread on a 'deleted thread', you're likely to have your account locked.

    5.1a was the last version released before this new policy of "only positives". Not to mention that the forums are already so heavily locked down (No public email addresses to register accounts, no private messages on the board, no threads that are not 'on topic'). Some of us tried (semi-successfully) to have frequent contributors meet over on Wilder's Security forums. (http://www.wilderssecurity.com/) Difficult though since they started deleting our postings since they weren't on topic, and private messages are impossible.

    Sadly, as a result of this, I used to heavily endorse TrueCrypt, but I can no longer stand behind them until they let the community get re-involved, for the good and the bad.

    by flyingfsck ( 986395 ) on Monday February 09, 2009 @03:38PM (#26788377)

    The procedure for handling keys and data at rest is important. If you are worried about users forgetting their passwords, then use key tokens (USB memory sticks). This will work if the machine and the stick are not kept in the same bag. In other words, have the users clip the sticks to their key chains.

  • I've seen this, too (Score:4, Interesting)

    by Wee ( 17189 ) on Monday February 09, 2009 @03:48PM (#26788559)

    The university where I worked a few years ago had a very draconian password scheme. A lot of the profs and TAs and such kept their passwords on post-its, pieces of paper on their desks, etc. One professor's "security measure" was a post-it that reminded him to remove the password post-it before office hours. I'm pretty sure more than one student changed their grades or grabbed a test or something at some point.

    Given how glacially slow IT moves in a university -- and how much buy-in the prima donnas demand for even the slightest decisions -- I'm sure the password topic is still brought up at the weekly meeting.

    Security only works if the convenience/security ratio is balanced properly for the environment at hand. At a public university which is used to openness, the "encrypt everything" just wouldn't fly (because that one tenured prof who likes to share and then remote mount his entire C: drive between his office and home over an unencrypted network connection would pitch a fit and kill that plan by fiat). If you work at a security company or bank or the NSA, then I'd suspect you'd have an easier time of it.

    -B

    by TFLogic ( 1473139 ) on Monday February 09, 2009 @03:48PM (#26788565)

    We have been doing quite a bit of testing with many platforms - TrueCrypt, LoopAES, etc., and we have seen huge performance drop-offs when it came to RAID performance. Unencrypted 5-disk RAID0, we were able to get writes of 235 MB/s and reads of 370 MB/s. Whenever we try anything encrypted, TrueCrypt 6.1a, the best we get is ~100 MB/s. Where do those superior benchmarking numbers that everyone talks about come from? Both OpenSSL & TrueCrypt claim around 400 MB/s - has anyone else been able to do this quickly?

  • centrally managed (Score:1, Interesting)

    by Anonymous Coward on Monday February 09, 2009 @03:53PM (#26788641)

    This is really a great question. We are going through the same trials here at our institution. When dealing with 1000's of users, you really need a supported, centrally-managed solution. Some IT realities must be addressed: 1) users forget their passwords, 2) administrators and/or people who have access to data change over time.

    So we need a system which will let administrators unencrypt *every* hard drive, and reset the users encryption password. Also platform independent. Safeboot is a great centrally managed enterprise system. However, it's Windows-only, although MAC OSX may be just along the pipes. Checkpoint FDE (formerly PointSec) might provide an answer for some. They don't support Debian/Ubuntu however at least when I looked a few months ago.

    The native builtin encryption methods for Linux (like cryptfs) seem to require reformatting the disk if you want to do a simple operation like changing the encryption password. Honestly, I don't think there are a lot of great solutions out there yet. More work needs to be done in this area! We need better solutions!

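    The "user key plus corporate master key" scheme SatanicPuppy and orev describe above, and the admin-recovery and password-reset requirement this poster states, as an added example that is not code from the thread or from any product named in it: a two-slot key escrow header in Python using only the standard library. Because the stdlib has no AES, the wrap here is an HMAC-SHA256 counter-mode keystream plus an HMAC tag standing in for AES key wrap (RFC 3394); all function and field names are hypothetical.

```python
"""Two-slot key escrow for a disk volume key (stdlib only, illustrative).

The data-encryption key (DEK) is wrapped twice: under a key derived from the
user's passphrase and under a per-volume key derived from a corporate master
key. Either slot yields the same DEK, so an administrator can recover the
volume or reset a forgotten passphrase without re-encrypting the data.
Wrapping: HMAC-SHA256 in counter mode + HMAC tag (encrypt-then-MAC), a
stand-in for AES key wrap since the stdlib has no AES. Names are hypothetical.
"""
import hashlib
import hmac
import os


def _keystream(key, nonce, n):
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def _wrap(kek, dek):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(dek, _keystream(kek, nonce, len(dek))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def _unwrap(kek, slot):
    tag = hmac.new(kek, slot["nonce"] + slot["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, slot["tag"]):
        return None  # wrong key or tampered header: never return garbage
    ks = _keystream(kek, slot["nonce"], len(slot["ct"]))
    return bytes(a ^ b for a, b in zip(slot["ct"], ks))


def user_kek(passphrase, salt):
    # Slow KDF so a stolen header resists offline guessing of the passphrase.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)


def master_kek(master_key, volume_id):
    # Per-volume derivation: the master key itself never wraps anything directly.
    return hmac.new(master_key, b"escrow|" + volume_id, hashlib.sha256).digest()


def create_header(passphrase, master_key, volume_id):
    dek = os.urandom(32)
    salt = os.urandom(16)
    hdr = {"volume_id": volume_id, "salt": salt,
           "user": _wrap(user_kek(passphrase, salt), dek),
           "escrow": _wrap(master_kek(master_key, volume_id), dek)}
    return hdr, dek


def open_with_passphrase(hdr, passphrase):
    return _unwrap(user_kek(passphrase, hdr["salt"]), hdr["user"])


def open_with_master(hdr, master_key):
    return _unwrap(master_kek(master_key, hdr["volume_id"]), hdr["escrow"])


def reset_passphrase(hdr, master_key, new_passphrase):
    """Helpdesk path: recover the DEK via the escrow slot, rewrap it under a
    fresh salt and the new passphrase. The data on disk is untouched."""
    dek = open_with_master(hdr, master_key)
    if dek is None:
        return False
    hdr["salt"] = os.urandom(16)
    hdr["user"] = _wrap(user_kek(new_passphrase, hdr["salt"]), dek)
    return True
```

    The master key is the crown jewel this scheme creates: it must live in an HSM or an offline, access-logged store, and rotating it means rewrapping every escrow slot.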
  • by Bearhouse ( 1034238 ) on Monday February 09, 2009 @03:57PM (#26788733)

    "My institution has thousands of computers, and is looking at starting an IT policy to encrypt everything"

    You're looking at a world of potential support pain. Lost passwords, lost unrecoverable files...

    For those advocating Truecrypt, my understanding is that it lacks the enterprise deployment and management tools of something like PGP.

    You're talking about a fundamental change in your IT landscape, with significant implications for implementation & support cost. Get help.

  • Re:TrueCrypt (Score:5, Interesting)

    by timeOday ( 582209 ) on Monday February 09, 2009 @03:59PM (#26788775)

    My problem with TrueCrypt - and all software solutions - is how do they handle suspending a laptop to RAM? Apparently the keys are not overwritten in RAM until you unmount the partition, which means closing down all applications that access the sensitive data. I couldn't live with that. Instead the apps should be suspended, the encryption keys overwritten, and the apps not resumed until after the user inputs the password upon resume.

    by refactored ( 260886 ) <cyent.xnet@co@nz> on Monday February 09, 2009 @04:30PM (#26789287) Homepage Journal

    The main question is not "how?" but "why?"

    What are you trying to protect?

    From what? What attacks? What value does it have to the attacker? What value does the secret hold to you? Who are the attackers?

    For example if the value of the secret is low to you, then spending money on protecting it is a waste. Encryption costs to buy, costs to run, costs to manage keys, costs in convenience. eg. (Most secrets aren't worth a trip across town because you forgot your keys once)

    If the attackers are internal, (they usually are), then encryption buys you nothing.

    If the value of the secret is large and the attackers have physical access, then encryption is the strongest link in a very weak chain.

    If many people have access to the secret, then social engineering will weasel it out no matter what your encryption.

    If the attackers are evil and powerful, then encryption is a red flag to very Bad Bulls. You better off with more primitive methods that require real humans to eye ball it.

    Get these questions lined up and answered before you start.

  • by multimediavt ( 965608 ) on Monday February 09, 2009 @04:54PM (#26789625)

    Ok, so I guess it's pointless to argue the point of "Why encrypt 'everything'?" There are options out there, but I think you're going to be creating an incredible hit on productivity in the institution and a massive support nightmare depending on the size of your site. Also, keep in mind that you will need to establish a tiered encryption system and master keys that will open everything in every department and agency at the highest administrative level of the organization. There will also have to be new physical security practices to make sure the keys don't get into the wild, as well as a rotating scheme for replacing all the keys on a regular basis and updating all masters.

    Look, I have been on both sides of this argument and know that there are things that you haven't even thought about from the business practices and risk management angles that will have a tremendous set of REAL costs that are beyond the performance overhead on the computing side of things. This is a horribly bad idea! The Pentagon, CIA and DHS don't encrypt everything for a good reason!

  • by DarthVain ( 724186 ) on Monday February 09, 2009 @05:01PM (#26789713)

    We have many of the same problems where I work in government. I am not sure how the poster's work is organized, but I know at least mine seems ass backwards at times. It's a problem of control and responsibility.

    I assume at the corporate level they manage our servers and centralized data holdings in a secure fashion with encryption. This also includes some items like individual email stored centrally.

    However where I work, everything on your personal computer, which everyone has, is the responsibility of your program, and ultimately the individual to back up.

    So in this lunacy you have in some cases triple protected, rotating passwords on systems, yet next to the box is a USB drive that is unsecured, that contains all the data on said system. In a word, stupid.

    Part of the problem is the rotating passwords. If you do backup you have to do it manually, as when your password changes it will break Microsoft's "Scheduled Tasks" (which requires a password, and it is hardcoded). Centrally they really don't seem to care, as it "is not their problem", that is the user's responsibility.

    So people being people, and busy at that, most do not back up regularly, and none I know encrypt. Though part of the problem being also that no policy exists that I know of about encryption, which to use, what is acceptable, etc... Frankly I don't see IT wanting to create devices they themselves cannot crack as well, which means some kind of backdoor.

    Anyway, any advice as to product (I hear TrueCrypt mentioned a lot), or a solution to the automation process that doesn't involve A) super user privs, or B) not having password changes, as I don't think IT would ever go for either of those. I have looked around online but I have yet to find anything that easily solves this problem. Changing to Linux is also not an option.. :) I have to work with what I have!

  • Thin client (Score:3, Interesting)

    by bugs2squash ( 1132591 ) on Monday February 09, 2009 @05:14PM (#26789897)

    It seems to me that the main problem with recent stupid leaks of large amounts of information from stolen laptops was not so much that the laptop was unsecured, but that the data had no place being on the laptop anyway.

    Especially now that you can reach a good network from almost anywhere in the USA, even while traveling along the road. Being able to work on real data from a social security database while flying on an airplane is simply not a reasonable thing to ask.

    Can you not start with a core to your network that includes all the encryption you want and then push outwards as you need to.

    Maybe set up a central server or two that users can VPN into using a thin client. Prohibit wholesale copying of data (sure, they can take a screenshot and paste it into PowerPoint, or write some information down off of the screen, but forbid file downloads).

    Then, for some of your employees, give them a locked-down environment on their PC that has greater access permissions.

    The point being, for many users, thin client may suffice and it's much easier to protect. And for those for whom it just won't do, you can spend some more time and education on getting them a solution they can work with and make them aware that by and large sensitive data does not belong on a mobile device.

    It's not as if you are going to really encrypt everything anyway - you want people to be able to read printouts !

    I imagine that you just want to secure data at rest on your central servers and data on the move between the servers and the clients, except in a very few specific cases.

  • Re:TrueCrypt (Score:3, Interesting)

    by INT_QRK ( 1043164 ) on Monday February 09, 2009 @05:19PM (#26789957)

    When you say people have audited, has it been tested and assigned an Evaluated Assurance Level (EAL) under the Common Criteria (ISO 15408)? I'm not trying to be a smart-ass, but I'm asking because I'm wondering whether this might satisfy a certain proposed policy criterion that may rear its ugly head in the future...

  • Re:TrueCrypt (Score:4, Interesting)

    by timeOday ( 582209 ) on Monday February 09, 2009 @05:33PM (#26790221)

    So how does TrueCrypt handle laptop suspend? Being a software solution, it wouldn't even necessarily know the laptop had been suspended, correct? It might seem a minor point, but when/if I lose a laptop, there's a strong probability it will be suspended to RAM at the time. Is the common approach simply to pop up a password-protected screensaver?

  • by Sloppy ( 14984 ) on Monday February 09, 2009 @06:52PM (#26791445) Homepage Journal

    it is, and always will be, easier to just obtain the password somehow than to crack the encryption.

    You can use drugs and a wrench on a few people. You can't do it to a couple hundred million people. When someone drugs you and hits you with a wrench, you know it happened. Try it on a massive scale and the public will find out and grab wrenches of their own.

    That is why hard-to-crack encryption is still incredibly useful. It allows you to deny the enemy the option of attacking undetected.

    And that just happens to be a very credible threat. Massive passive surveillance used to be a paranoid imagination by crypto-nerds, but now it's something we've been hearing about in the mainstream news over the last 3 years.

    by WarlockD ( 623872 ) on Monday February 09, 2009 @09:09PM (#26792783)

    Personally I have been using mpmemory myself. If you download Dell diagnostics for servers and get the mpmemory.exe DOS program out of the ISO, it works great in other systems.

    It will error out initially when it can't find a way to pull logs, but now it runs on most systems. Haven't tried it on nvidia boards yet.

    Nice thing about it is that it activates all the cpus/cores you have so it makes memory testing that much faster.

    Sigh, I wish Dell would release the source.

  • Re:TrueCrypt (Score:1, Interesting)

    by Anonymous Coward on Monday February 09, 2009 @09:34PM (#26792969)

    you can audit TrueCrypt, but nobody has
    the closest is people reading the doco on how they chain their cyphers and saying whether their implementation seems correct (or not)
    nobody has done a full audit and published the results.

    discussion of such issues is also discouraged in the TrueCrypt forums, your posts are deleted by admin and username will be banned without warning (you suddenly get 'forum is down' msgs until you clear your cookies of your username). While the admin != authors, the attitude in the forums is that no criticism of TrueCrypt is allowed.

  • Re:TrueCrypt (Score:3, Interesting)

    by duffbeer703 ( 177751 ) on Tuesday February 10, 2009 @12:26AM (#26793551)

    What regulators are looking for is an encryption solution whose algorithms have been certified to conform to FIPS 140-2. In general, you should only deploy encryption products in modes that are FIPS 140-2 certified.

    The "Common Criteria" EAL levels are more of a measure of the overall quality of a product's security implementation. Typically a full-disk encryption app is certified at EAL level 3 or 4.

    If you're using EAL as a decision-making point, make sure that you understand how the assurance level was implemented. You may find that only specific configurations meet EAL 4 requirements, so a product at level 4 may not be any better than a level 3 product in your situation.
