Software HDD Encryption: Poll
-
@g.jacobse said:
As for Encrypted HDDs I'm not sure I want to go this route as it would mean managing (x) number of devices from the device. I would rather have a central management console so that I can update the password if needed on any given device should the system become compromised. I have enough to do,.. I don't want to keep single managing devices if I don't have to.
What's to manage with FDE Harddrives? The harddrive always encrypt - It's not possible to disable. You can change the encryption key in the bios but then you'd loose access to all data.
-
Nothing would be easier to manage than encrypted drives.
-
@g.jacobse said:
so that I can update the password if needed on any given device should the system become compromised. I have enough to do,.. I don't want to keep single managing devices if I don't have to.
What do you mean by Compromised? if if something gets on the system while it's running (virus etc) it will not see the encryption key. In fact it won't even know the drive is encrypted as the when logged in the files are un-encrypted.
-
Drive encryption is only to protect against hardware theft - of someone pulling drives and running away with them. It has zero protection against compromise.
-
@scottalanmiller
So - Hard drives would be simpler than using a managed console? Where you are able to manage all (x) devices from a central location? Like updating the Admin / User passwords? -
@g.jacobse said:
@scottalanmiller
So - Hard drives would be simpler than using a managed console? Where you are able to manage all (x) devices from a central location? Like updating the Admin / User passwords?Under what circumstance would you ever manage them or change anything?
-
There are a few times;
HDD password compromised by user (shared with someone that doesn't need it)
Defined password / security Policy dictates (not set currently)
IT staff departure -
@g.jacobse said:
There are a few times;
HDD password compromised by user (shared with someone that doesn't need it)
Defined password / security Policy dictates (not set currently)
IT staff departureWhy would a user get an HDD encryption password?
-
@g.jacobse said:
IT staff departure
Why would IT have it? There is no need for that. Use a break glass so that this doesn't happen.
-
Are you looking to have a PW on boot?
-
@g.jacobse said:
Defined password / security Policy dictates (not set currently)
This should be a key so not covered by a password policy.
-
@MattSpeller said:
Are you looking to have a PW on boot?
Yes - Required password on boot. We must adhere to FIPs 140-2 for HIPPA and other compliance items.
-
@g.jacobse Ahhh ok now we're talking the same language.
I'd opt for a BIOS pw - you can set them up with Dells, not sure what you're running. They can also be setup to completely wipe the drive after (10?) failed attempts.
-
HDD encryption is separate from the pw - thats where we were all confused.
-
@scottalanmiller said:
Drive encryption is only to protect against hardware theft - of someone pulling drives and running away with them. It has zero protection against compromise.
What about cases where the whole laptop is stolen? What prevents someone from just powering on the unit and trying to log in? Or is this not what drive encryption is for either?
-
@g.jacobse said:
@MattSpeller said:
Are you looking to have a PW on boot?
Yes - Required password on boot. We must adhere to FIPs 140-2 for HIPPA and other compliance items.
HIPAA does not require that.
Are you sure that FIPs requires that? How is it stated?
-
@Dashrender If the whole laptop was stolen with full drive encryption then there is nothing to stop them powering it on and trying to log in. You'd need a BIOS / pre-OS password for that. FDE will make it so the drive is un-readable when you remove it from the laptop.
-
@MattSpeller said:
@Dashrender If the whole laptop was stolen with full drive encryption then there is nothing to stop them powering it on and trying to log in. You'd need a BIOS / pre-OS password for that. FDE will make it so the drive is un-readable when you remove it from the laptop.
Not really. You only need a post-OS encryption of the data. The OS is like the BIOS here. Just more robust. No need to encrypt that.
-
@MattSpeller said:
You'd need a BIOS / pre-OS password for that. FDE will make it so the drive is un-readable when you remove it from the laptop.
Other ways to do that.
-
@Dashrender said:
What about cases where the whole laptop is stolen? What prevents someone from just powering on the unit and trying to log in? Or is this not what drive encryption is for either?
This is a misconception of value. Likewise to someone "trying to log in", if the entire drive is encrypted what is to prevent someone from "just trying to unencrypt the drive?" All you are doing is exchanging the word used, not the action. You've prevented nothing in this case.
