Software HDD Encryption: Poll
-
@MattSpeller said:
Are you looking to have a PW on boot?
Yes - Required password on boot. We must adhere to FIPs 140-2 for HIPPA and other compliance items.
-
@g.jacobse Ahhh ok now we're talking the same language.
I'd opt for a BIOS pw - you can set them up with Dells, not sure what you're running. They can also be setup to completely wipe the drive after (10?) failed attempts.
-
HDD encryption is separate from the pw - thats where we were all confused.
-
@scottalanmiller said:
Drive encryption is only to protect against hardware theft - of someone pulling drives and running away with them. It has zero protection against compromise.
What about cases where the whole laptop is stolen? What prevents someone from just powering on the unit and trying to log in? Or is this not what drive encryption is for either?
-
@g.jacobse said:
@MattSpeller said:
Are you looking to have a PW on boot?
Yes - Required password on boot. We must adhere to FIPs 140-2 for HIPPA and other compliance items.
HIPAA does not require that.
Are you sure that FIPs requires that? How is it stated?
-
@Dashrender If the whole laptop was stolen with full drive encryption then there is nothing to stop them powering it on and trying to log in. You'd need a BIOS / pre-OS password for that. FDE will make it so the drive is un-readable when you remove it from the laptop.
-
@MattSpeller said:
@Dashrender If the whole laptop was stolen with full drive encryption then there is nothing to stop them powering it on and trying to log in. You'd need a BIOS / pre-OS password for that. FDE will make it so the drive is un-readable when you remove it from the laptop.
Not really. You only need a post-OS encryption of the data. The OS is like the BIOS here. Just more robust. No need to encrypt that.
-
@MattSpeller said:
You'd need a BIOS / pre-OS password for that. FDE will make it so the drive is un-readable when you remove it from the laptop.
Other ways to do that.
-
@Dashrender said:
What about cases where the whole laptop is stolen? What prevents someone from just powering on the unit and trying to log in? Or is this not what drive encryption is for either?
This is a misconception of value. Likewise to someone "trying to log in", if the entire drive is encrypted what is to prevent someone from "just trying to unencrypt the drive?" All you are doing is exchanging the word used, not the action. You've prevented nothing in this case.
-
@scottalanmiller Sorry, I wasn't clear - there is nothing to stop them powering on the laptop with FDE and trying to log into the OS. FDE is for protection from removal.
-
@MattSpeller said:
@scottalanmiller Sorry, I wasn't clear - there is nothing to stop them powering on the laptop with FDE and trying to log into the OS. FDE is for protection from removal.
Gotcha, so we are of one accord then. It's not for protection from a running system, it's for protection against physical separation from the chassis.
-
I guess then the question would be.... is there a certification requirement that states what to do or just one that states an end goal.
And what is the end goal?
-
Great Question/request @Reid-Cooper .
I'm guessing the intent of HIPAA's encryption clause is more for protecting stolen machines than for lost/stolen drives.
So if FDE does not provide any protections against a whole laptop that is stolen, I'd argue that FDE on a laptop is near useless.
FDE on a memory stick or server drives or copier drives, etc on the other hand are very useful because the chances are you don't have the entire chassis that first encrypted it.
-
@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.
-
@MattSpeller said:
@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.
Sure, but you've left a pretty big door open by allowing the OS to be attacked directly. But maybe that's not considered a real risk assuming you're requiring long passwords ?
-
@Dashrender said:
I'm guessing the intent of HIPAA's encryption clause is more for protecting stolen machines than for lost/stolen drives.
HIPAA requires encryption of data at rest. That doesn't imply FDE.
-
@Dashrender Yup, plus you disable displaying the last logged in user name. Now the attacker is extra boned.
-
@MattSpeller said:
@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.
FDE isn't needed for that, though. Just encrypt the data.
-
@scottalanmiller said:
@Dashrender said:
I'm guessing the intent of HIPAA's encryption clause is more for protecting stolen machines than for lost/stolen drives.
HIPAA requires encryption of data at rest. That doesn't imply FDE.
Unless the law was updated, I don't think even that is required, but considered actionable.
How is data on a laptop that is turned off not considered 'at rest'?
-
@Dashrender said:
@MattSpeller said:
@Dashrender It provides quite a bit of protection. When you think of how you would break into a bone stock Win machine, my first move is a boot disk to nuke the local admin - denied. Boot a linux live cd to troll the files - denied.
Sure, but you've left a pretty big door open by allowing the OS to be attacked directly. But maybe that's not considered a real risk assuming you're requiring long passwords ?
Not in the least. If your data is encrypted you have no more risk than if you do FDE. Cracking the OS makes no difference if it is properly set up with data encryption.
