ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Software HDD Encryption: Poll

    IT Discussion
    symantec mcafee sophos
    8
    112
    45.8k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller @gjacobse
      last edited by

      @g.jacobse said:

      There are a few times;
      HDD password compromised by user (shared with someone that doesn't need it)
      Defined password / security Policy dictates (not set currently)
      IT staff departure

      Why would a user get an HDD encryption password?

      1 Reply Last reply Reply Quote 1
      • scottalanmillerS
        scottalanmiller @gjacobse
        last edited by

        @g.jacobse said:

        IT staff departure

        Why would IT have it? There is no need for that. Use a break glass so that this doesn't happen.

        1 Reply Last reply Reply Quote 1
        • MattSpellerM
          MattSpeller
          last edited by

          Are you looking to have a PW on boot?

          gjacobseG 1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller @gjacobse
            last edited by

            @g.jacobse said:

            Defined password / security Policy dictates (not set currently)

            This should be a key so not covered by a password policy.

            1 Reply Last reply Reply Quote 1
            • gjacobseG
              gjacobse @MattSpeller
              last edited by

              @MattSpeller said:

              Are you looking to have a PW on boot?

              Yes - Required password on boot. We must adhere to FIPs 140-2 for HIPPA and other compliance items.

              MattSpellerM scottalanmillerS 2 Replies Last reply Reply Quote 0
              • MattSpellerM
                MattSpeller @gjacobse
                last edited by

                @g.jacobse Ahhh ok now we're talking the same language.

                I'd opt for a BIOS pw - you can set them up with Dells, not sure what you're running. They can also be setup to completely wipe the drive after (10?) failed attempts.

                1 Reply Last reply Reply Quote 0
                • MattSpellerM
                  MattSpeller
                  last edited by

                  HDD encryption is separate from the pw - thats where we were all confused.

                  1 Reply Last reply Reply Quote 0
                  • DashrenderD
                    Dashrender @scottalanmiller
                    last edited by

                    @scottalanmiller said:

                    Drive encryption is only to protect against hardware theft - of someone pulling drives and running away with them. It has zero protection against compromise.

                    What about cases where the whole laptop is stolen? What prevents someone from just powering on the unit and trying to log in? Or is this not what drive encryption is for either?

                    MattSpellerM scottalanmillerS 2 Replies Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @gjacobse
                      last edited by

                      @g.jacobse said:

                      @MattSpeller said:

                      Are you looking to have a PW on boot?

                      Yes - Required password on boot. We must adhere to FIPs 140-2 for HIPPA and other compliance items.

                      HIPAA does not require that.

                      Are you sure that FIPs requires that? How is it stated?

                      1 Reply Last reply Reply Quote 1
                      • MattSpellerM
                        MattSpeller @Dashrender
                        last edited by

                        @Dashrender If the whole laptop was stolen with full drive encryption then there is nothing to stop them powering it on and trying to log in. You'd need a BIOS / pre-OS password for that. FDE will make it so the drive is un-readable when you remove it from the laptop.

                        scottalanmillerS 2 Replies Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @MattSpeller
                          last edited by

                          @MattSpeller said:

                          @Dashrender If the whole laptop was stolen with full drive encryption then there is nothing to stop them powering it on and trying to log in. You'd need a BIOS / pre-OS password for that. FDE will make it so the drive is un-readable when you remove it from the laptop.

                          Not really. You only need a post-OS encryption of the data. The OS is like the BIOS here. Just more robust. No need to encrypt that.

                          MattSpellerM 1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @MattSpeller
                            last edited by

                            @MattSpeller said:

                            You'd need a BIOS / pre-OS password for that. FDE will make it so the drive is un-readable when you remove it from the laptop.

                            Other ways to do that.

                            1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller @Dashrender
                              last edited by

                              @Dashrender said:

                              What about cases where the whole laptop is stolen? What prevents someone from just powering on the unit and trying to log in? Or is this not what drive encryption is for either?

                              This is a misconception of value. Likewise to someone "trying to log in", if the entire drive is encrypted what is to prevent someone from "just trying to unencrypt the drive?" All you are doing is exchanging the word used, not the action. You've prevented nothing in this case.

                              1 Reply Last reply Reply Quote 0
                              • MattSpellerM
                                MattSpeller @scottalanmiller
                                last edited by MattSpeller

                                @scottalanmiller Sorry, I wasn't clear - there is nothing to stop them powering on the laptop with FDE and trying to log into the OS. FDE is for protection from removal.

                                scottalanmillerS 1 Reply Last reply Reply Quote 1
                                • scottalanmillerS
                                  scottalanmiller @MattSpeller
                                  last edited by

                                  @MattSpeller said:

                                  @scottalanmiller Sorry, I wasn't clear - there is nothing to stop them powering on the laptop with FDE and trying to log into the OS. FDE is for protection from removal.

                                  Gotcha, so we are of one accord then. It's not for protection from a running system, it's for protection against physical separation from the chassis.

                                  1 Reply Last reply Reply Quote 1
                                  • Reid CooperR
                                    Reid Cooper
                                    last edited by

                                    I guess then the question would be.... is there a certification requirement that states what to do or just one that states an end goal.

                                    And what is the end goal?

                                    1 Reply Last reply Reply Quote 0
                                    • DashrenderD
                                      Dashrender
                                      last edited by

                                      Great Question/request @Reid-Cooper .

                                      I'm guessing the intent of HIPAA's encryption clause is more for protecting stolen machines than for lost/stolen drives.

                                      So if FDE does not provide any protections against a whole laptop that is stolen, I'd argue that FDE on a laptop is near useless.

                                      FDE on a memory stick or server drives or copier drives, etc on the other hand are very useful because the chances are you don't have the entire chassis that first encrypted it.

                                      MattSpellerM scottalanmillerS 2 Replies Last reply Reply Quote 0
                                      • MattSpellerM
                                        MattSpeller @Dashrender
                                        last edited by

                                        @Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.

                                        DashrenderD scottalanmillerS 3 Replies Last reply Reply Quote 0
                                        • DashrenderD
                                          Dashrender @MattSpeller
                                          last edited by

                                          @MattSpeller said:

                                          @Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.

                                          Sure, but you've left a pretty big door open by allowing the OS to be attacked directly. But maybe that's not considered a real risk assuming you're requiring long passwords ?

                                          MattSpellerM scottalanmillerS 2 Replies Last reply Reply Quote 1
                                          • scottalanmillerS
                                            scottalanmiller @Dashrender
                                            last edited by

                                            @Dashrender said:

                                            I'm guessing the intent of HIPAA's encryption clause is more for protecting stolen machines than for lost/stolen drives.

                                            HIPAA requires encryption of data at rest. That doesn't imply FDE.

                                            DashrenderD 1 Reply Last reply Reply Quote 1
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 6
                                            • 2 / 6
                                            • First post
                                              Last post