Laptop encryption

[skulkerboyo]

Oweing to recent mishaps by other organisations and (apparently) pending legislation. My company wants to implement full disc encryption solutions for our 20+ laptop users.

Not sure why I've been handed this one as we have a security guy

Looking at a few solutions and the same names keep coming up. Was wondering what you guys use and why also any pitfalls to look out for?

[Ozzy2k7]

I use whole drive encryption on my laptop, I'm not part of a business that needs it but I travel a fare bit.

I use truecrypt, its free and the guys that do it seem to really know what they are doing. I haven't noticed any performance loss at all.

The only thing with it is that you can't put the laptop into hibernation but I never use that anyway.

http://www.truecrypt.org

Cheers

Ozzy

[skulkerboyo]

Truecrypt is indeed a good solution but for whole disc encryption doesnt support extended/logical partitions which we use here. I'm trying to find software that will encrypt the entire disc regardless of partition layout. We need the transistion to be seamless and to set up encrypted containers and migrate the data to them would take too much time.

Until I found that out it was my first choice but at least I've found something I can use at home

[GiddyG]

Had a look at Becrypt?

[warrmr]

The one we use at work for the wireless laptops in guardian Angel, and on the other contract i worked on they used, Safeguard Easy


they both work very well. i dont know how easy it is to break the encription( thats why we have penn testers im just a support analyst)

the easyest one to support is Guardian angel as if they forget there password you just have to ask them there username and last login date that is printed on the screen put it in a funky piece of software and it comes out wiht a 26 digit code the user needs to type in there laptop to reset the password

where as SGE you need to tell them to press a button to get the password and leave the laptop as it is while you generate the codes

both very simple but im 100% sure that accountants are alot stupider than the police when it comes to IT as the police "just know what to do " and get on with it and accountants winge when you tell them to press buttons and type long strings of numbers in to reset there passwords.

[Bluerinse]

You could use EFS if it's W2K or XP Pro or Vista versions other than the home ones..

http://en.wikipedia.org/wiki/Encrypting_File_System

[NightWalker]

We have just completed a roll out of SafeBoot to all the laptops at work, hundreds of them! For the same reasons as most organisations are implementing encryption on all mobile devices, we don’t want to end up on the nine o’clock news if a user ‘misplaces’ their laptop.

[hbroomhall]

<Dons Mystic Meg outfit>
This will be persued with enthusiasm until a senior director forgets his password....
</>

Harry (the cynic).

[vlb]

hey

i do it for a bank and they use a prog called Pointsec.

you need to login to pointsec before the o/s loads, must be decent as they have used it for aslong as i can remember.

[AJ]

posts merged from duplicate thread

[skulkerboyo]

In the process of evaluating safeboot, pointsec and guardian edge. We need centralised management so these look up to it. I am veering towards safeboot though. Seems very solid

First thing I looked at was EFS but its only file level. We want preboot authentication and total disc encryption

Amen to the enthusiasm until a director forgets his password

Hey Nightwalker any feedback on safeboot. All I've heard is good stuff but wouldnt mind opening a channel of communication with someone that uses it as opposed to a salesman

[NightWalker]

Hey skulkerboyo. Safeboot is actually pretty good. It does complicate the administration a little, users have two lots of passwords to set and remember, their SafeBoot and their domain user account.

Central administration from a server side application (not seen much of that end, the security admin chaps deal with that side of things). The client end is pretty tidy. Its written into the MBR so requires a valid user name and password before windows will boot, then again before you get the Ctrl + Alt + Del screen for windows logon. Once installed on a laptop it will work away in the background encrypting the hard drive, takes about an hour and a half to two hours we found, then they are good to go. The user can still work while its encrypting, the machine is a little sluggish but usable. Hardly any noticeable performance hit once its all installed and enabled. We run mostly HP 4200 and 4400 laptops. You have to overwrite the MBR if you re-ghost the laptop back to a default image, a small extra step.

When they are on the network the current username/password information is synchronised with the server, this can be a bit slow. It depends how often the users are in the office and how often you make the users change the password as to whether this may pose any problems. Users forgetting passwords results in long strings of numbers having to be read out over the phone, but other than that, and considering how intrusive it is to the machine, its been pretty much set it and forget it.

[skulkerboyo]

Sounds good. I like the fact that you can recover the passwords for the user. I have looked at some software that doesnt or that function is provided by their support-naff. Glad to hear about the lack of performance degradation.

I might turn this thread into a rolling blog of the project. This technology is going to become more more commonplace/essential especially with so many endpoint devices being mobile these days.

I've whittled my evaluation software down to 3: Safeboot,Guardianedge and Pointsec. Dont know a great deal about the latter and ruled out double figures worth of software prior to coming to this shortlist.

Nothing to do now but wait for evaluation software

[skulkerboyo]

Have recieved my trials for Safeboot and Guardianedge.

Bit surprised at the minimum requirements to run Gardianedge compared to Safeboot. S'ok though I'll get the intern (he's bloody good) to set me up a virtual server that meets the requirements (distant sound of whip cracking).

Will start looking at them next week