Hard Drive Encryption
-
@scottalanmiller said:
@thanksaj said:
Unless they are laptops with only one slot. In that case, you could create multiple logical partitions but this is another step that most don't take.
Yes but that's the answer. It's far simpler than adding another drive. It's far simpler than encrypting.
Yes, I know. Still, it just means extra steps, and many IT guys won't take them.
-
@thanksaj said:
Yes, I know. Still, it just means extra steps, and many IT guys won't take them.
It's the minimum though. It's less than the alternatives. If you are going to rule that out then, by extension, you'd rule out encryption all together which rules out the point of the thread. It just doesn't make sense.
-
@scottalanmiller said:
@thanksaj said:
Yes, I know. Still, it just means extra steps, and many IT guys won't take them.
It's the minimum though. It's less than the alternatives. If you are going to rule that out then, by extension, you'd rule out encryption all together which rules out the point of the thread. It just doesn't make sense.
It's life @scottalanmiller . We need to establish that most things that most people do will not make sense.
-
@thanksaj said:
It's life @scottalanmiller . We need to establish that most things that most people do will not make sense.
But this doesn't apply to this thread. Don't do the "people won't do logical things so we can't have a logical discussion" thing that we see in SW a lot. This is a thread of someone asking a real question and this is the real answer. Saying that "most people are lazy or stupid and therefore won't do this" defeats the point of asking the question.
-
@scottalanmiller said:
@thanksaj said:
It's life @scottalanmiller . We need to establish that most things that most people do will not make sense.
But this doesn't apply to this thread. Don't do the "people won't do logical things so we can't have a logical discussion" thing that we see in SW a lot. This is a thread of someone asking a real question and this is the real answer. Saying that "most people are lazy or stupid and therefore won't do this" defeats the point of asking the question.
I wasn't saying your answer wasn't a solution. I'm just saying most people won't go to those measures. However, it is a viable solution.
-
I had thought about that for workstations or servers. What do you do for laptops though. Would partitioning the drive be a good solution then? Leave the OS partition unencrypted, and then encrypt the data partition?
-
@bsouder said:
I had thought about that for workstations or servers. What do you do for laptops though. Would partitioning the drive be a good solution then? Leave the OS partition unencrypted, and then encrypt the data partition?
Yes, same there in most cases. If you do the full drive you create SO MUCH work for yourself. But if you don't, then the OS is at risk in case the system is stolen. All about balancing effort and security.
-
@scottalanmiller said:
@bsouder said:
I had thought about that for workstations or servers. What do you do for laptops though. Would partitioning the drive be a good solution then? Leave the OS partition unencrypted, and then encrypt the data partition?
Yes, same there in most cases. If you do the full drive you create SO MUCH work for yourself. But if you don't, then the OS is at risk in case the system is stolen. All about balancing effort and security.
At the point is the OS really that important? If the data volume is encrypted at rest then who cares about the OS which would be generally the same on all the machines? Or does having the OS unecrypted introduce a new attack vector that wouldn't exist if it was encrypted like the data?
-
If someone gets access to the OS there is a chance of gathering data about the system(s) and to get cached credentials to use for offline unencryption attacks.
-
@scottalanmiller said:
@bsouder said:
I had thought about that for workstations or servers. What do you do for laptops though. Would partitioning the drive be a good solution then? Leave the OS partition unencrypted, and then encrypt the data partition?
Yes, same there in most cases. If you do the full drive you create SO MUCH work for yourself. But if you don't, then the OS is at risk in case the system is stolen. All about balancing effort and security.
I was going to suggest the same thing. My primary device is a laptop with a 500GB drive. I had planned on Dual Booting it; Win 7, Linux, but also wanted a data partition that was accessible to both.
I've used this scheme for a long time. Not always to dual boot but it was the mindset that the data was more important than the OS.. I could toast the OS and not worry about my data UNLESS there was a physical hard drive failure. Which do happen.
Even though many programs default to the OS drive for data, you can modify the registry or program settings to use the data vol and not the OS vol.
TrueCrypt and it's newer variant do wonderful encryption, however if you are having to comply with FIPS 140 - than TrueCrypt doesn't comply. Bitlocker does, as does may others.
-
Doesn't any company offer encryption at the disk or BIOS level? That combined with iLO or the equivalent would do the trick no?
-
Seagate used to have disk level, yes. Not sure how that works in RAID.
-
Good point - I guess you'd have to put the encryption in the RAID controller, but that would be a recipe for disaster.
-
@Nic said:
Good point - I guess you'd have to put the encryption in the RAID controller, but that would be a recipe for disaster.
Not that bad. Little different than having it in the OS.
-
As long as they have good tools to decrypt in case of a hardware failure.
-
@Nic said:
As long as they have good tools to decrypt in case of a hardware failure.
Same issues that you have with OS failure or drive failure. Wherever you encrypt you have to be really confident that it won't fail or have a solid recovery method. With a RAID controller, it could be stored both in the controller and on the disk the same way that RAID configuration is.
-
@scottalanmiller said:
Seagate used to have disk level, yes. Not sure how that works in RAID.
Several vendors offer drive level encryption - but like you said, with a RAID controller, the controller would have to know how to take the passwords and pass it along to the drives during boot. So you'd still need iLo for remote work. This is something you'll probably never have on a regular workstation.
-
Another problem with just encrypting the data is forcing all of the data to the right location.
By default Word stores it's files on the C:\users\usernname\documents directory, well that's on the
drive - so now you either have to move the profiles (a problem) or the user has to REMEMBER to put the data in the right place. Also, what about the PageFile? or other temporary files? If you really need to encrypt a system, not encrypting the whole thing seems unlikely to cover everything you're trying to protect.That said, of course encrypted systems are a huge pain to support.
-
@Dashrender said:
@scottalanmiller said:
Seagate used to have disk level, yes. Not sure how that works in RAID.
Several vendors offer drive level encryption - but like you said, with a RAID controller, the controller would have to know how to take the passwords and pass it along to the drives during boot. So you'd still need iLo for remote work. This is something you'll probably never have on a regular workstation.
iLO doesn't solve the problem. The RAID controller must handle it. ILO would only give you visibility into a failed system otherwise.
-
iLo won't let you see what's on screen so you can type in a password?
When I was talking about iLo I was referring to the fact that the RAID controller could possibly pass the password prompt request back to the screen for the user to answer.
Having The RAID controller store the passwords internally would be find, as long as the RAID controller won't do so until after YOU/Admin type in the RAID controller unlock code.
