Hard Drive Encryption

scottalanmiller

@thanksaj said:

I agree with Scott's point about encrypting the data drives but not the OS drives. The issue is when you have to encrypt the workstations and there is only one drive. I don't know of a way around this, sadly.

It's as simple as not having just one drive. There is nothing limiting you to a single volume.

thanksajdotcom

@scottalanmiller said:

@thanksaj said:

I agree with Scott's point about encrypting the data drives but not the OS drives. The issue is when you have to encrypt the workstations and there is only one drive. I don't know of a way around this, sadly.

It's as simple as not having just one drive. There is nothing limiting you to a single volume.

Unless they are laptops with only one slot. In that case, you could create multiple logical partitions but this is another step that most don't take.

scottalanmiller

@thanksaj said:

Unless they are laptops with only one slot. In that case, you could create multiple logical partitions but this is another step that most don't take.

Yes but that's the answer. It's far simpler than adding another drive. It's far simpler than encrypting.

thanksajdotcom

@scottalanmiller said:

@thanksaj said:

Unless they are laptops with only one slot. In that case, you could create multiple logical partitions but this is another step that most don't take.

Yes but that's the answer. It's far simpler than adding another drive. It's far simpler than encrypting.

Yes, I know. Still, it just means extra steps, and many IT guys won't take them.

scottalanmiller

@thanksaj said:

Yes, I know. Still, it just means extra steps, and many IT guys won't take them.

It's the minimum though. It's less than the alternatives. If you are going to rule that out then, by extension, you'd rule out encryption all together which rules out the point of the thread. It just doesn't make sense.

thanksajdotcom

@scottalanmiller said:

@thanksaj said:

Yes, I know. Still, it just means extra steps, and many IT guys won't take them.

It's the minimum though. It's less than the alternatives. If you are going to rule that out then, by extension, you'd rule out encryption all together which rules out the point of the thread. It just doesn't make sense.

It's life @scottalanmiller . We need to establish that most things that most people do will not make sense.

scottalanmiller

@thanksaj said:

It's life @scottalanmiller . We need to establish that most things that most people do will not make sense.

But this doesn't apply to this thread. Don't do the "people won't do logical things so we can't have a logical discussion" thing that we see in SW a lot. This is a thread of someone asking a real question and this is the real answer. Saying that "most people are lazy or stupid and therefore won't do this" defeats the point of asking the question.

thanksajdotcom

@scottalanmiller said:

@thanksaj said:

It's life @scottalanmiller . We need to establish that most things that most people do will not make sense.

But this doesn't apply to this thread. Don't do the "people won't do logical things so we can't have a logical discussion" thing that we see in SW a lot. This is a thread of someone asking a real question and this is the real answer. Saying that "most people are lazy or stupid and therefore won't do this" defeats the point of asking the question.

I wasn't saying your answer wasn't a solution. I'm just saying most people won't go to those measures. However, it is a viable solution.

bsouder

I had thought about that for workstations or servers. What do you do for laptops though. Would partitioning the drive be a good solution then? Leave the OS partition unencrypted, and then encrypt the data partition?

scottalanmiller

@bsouder said:

I had thought about that for workstations or servers. What do you do for laptops though. Would partitioning the drive be a good solution then? Leave the OS partition unencrypted, and then encrypt the data partition?

Yes, same there in most cases. If you do the full drive you create SO MUCH work for yourself. But if you don't, then the OS is at risk in case the system is stolen. All about balancing effort and security.

coliver

@scottalanmiller said:

@bsouder said:

I had thought about that for workstations or servers. What do you do for laptops though. Would partitioning the drive be a good solution then? Leave the OS partition unencrypted, and then encrypt the data partition?

Yes, same there in most cases. If you do the full drive you create SO MUCH work for yourself. But if you don't, then the OS is at risk in case the system is stolen. All about balancing effort and security.

At the point is the OS really that important? If the data volume is encrypted at rest then who cares about the OS which would be generally the same on all the machines? Or does having the OS unecrypted introduce a new attack vector that wouldn't exist if it was encrypted like the data?

scottalanmiller

If someone gets access to the OS there is a chance of gathering data about the system(s) and to get cached credentials to use for offline unencryption attacks.

gjacobse

@scottalanmiller said:

@bsouder said:

I had thought about that for workstations or servers. What do you do for laptops though. Would partitioning the drive be a good solution then? Leave the OS partition unencrypted, and then encrypt the data partition?

Yes, same there in most cases. If you do the full drive you create SO MUCH work for yourself. But if you don't, then the OS is at risk in case the system is stolen. All about balancing effort and security.

I was going to suggest the same thing. My primary device is a laptop with a 500GB drive. I had planned on Dual Booting it; Win 7, Linux, but also wanted a data partition that was accessible to both.

I've used this scheme for a long time. Not always to dual boot but it was the mindset that the data was more important than the OS.. I could toast the OS and not worry about my data UNLESS there was a physical hard drive failure. Which do happen.

Even though many programs default to the OS drive for data, you can modify the registry or program settings to use the data vol and not the OS vol.

TrueCrypt and it's newer variant do wonderful encryption, however if you are having to comply with FIPS 140 - than TrueCrypt doesn't comply. Bitlocker does, as does may others.

Nic

Doesn't any company offer encryption at the disk or BIOS level? That combined with iLO or the equivalent would do the trick no?

scottalanmiller

Seagate used to have disk level, yes. Not sure how that works in RAID.

Nic

Good point - I guess you'd have to put the encryption in the RAID controller, but that would be a recipe for disaster.

scottalanmiller

@Nic said:

Good point - I guess you'd have to put the encryption in the RAID controller, but that would be a recipe for disaster.

Not that bad. Little different than having it in the OS.

Nic

As long as they have good tools to decrypt in case of a hardware failure.

scottalanmiller

@Nic said:

As long as they have good tools to decrypt in case of a hardware failure.

Same issues that you have with OS failure or drive failure. Wherever you encrypt you have to be really confident that it won't fail or have a solid recovery method. With a RAID controller, it could be stored both in the controller and on the disk the same way that RAID configuration is.

Dashrender

@scottalanmiller said:

Seagate used to have disk level, yes. Not sure how that works in RAID.

Several vendors offer drive level encryption - but like you said, with a RAID controller, the controller would have to know how to take the passwords and pass it along to the drives during boot. So you'd still need iLo for remote work. This is something you'll probably never have on a regular workstation.