Full Disk Encryption

RadiclDreamer

I have been asked to research a simple and easy to deploy FDE solution. I know about BitLocker and its requirements on the OS side (Enterprise, Ultimate, etc.) and it looks to be a pretty expensive rollout and a slow one at that. I've also looked at things like TrueCrypt, but the time to encrypt the data on several hundred devices seems to be time prohibitive.

My most recent thought is to use the Crucial M500 drives and set a BIOS password, but then each boot the user is prompted for a password and there is no central management.

What do you guys recommend for a simple FDE solution that costs the least in terms of both man hours and cash?
 

seepy83

I only have experience with Symantec Encryption Desktop (been using it since it was PGP Desktop, prior to Symantec purchasing PGP) and managing it with Symantec Encryption Server (PGP Universal Server). So I can't say, based on experience, how the rollout would compare to other products in terms of man hours. But, no matter what product you choose, you're going to need to spend the time learning it, configuring the policies however they need to be for your environment, helping users with smartcard enrollment (if you choose to implement smartcard/USB tokens for 2-factor auth), etc.

As a rough estimate, I think I probably spent 70 hours over a 3-4 week period reading all the documentation and testing a deployment of PGP Universal Server and PGP Desktop before I started to roll it out into production. In my case, that includes being distracted regularly by other projects/problems. If you can focus on it, I think it would be pretty easy to be ready for rollout in 60 hours/8 days without any prior experience with the product. My environment only consists of approximately 40 laptops that are encrypted, but I don't think the amount of time spent learning, building, and testing would have increased significantly if it were for hundreds. If you can implement the same policy for whole disk encryption across all devices, then deployment would obviously take longer than it did for me, but standing up the environment should be basically the same.

Regardless of which product you decide to implement, make sure you run it through its paces before rolling it out. You've got to invest the time in learning how it works and what options you have (or don't have) for recovery if a user forgets their passphrase.
 

smakme7757

> I have been asked to research a simple and easy to deploy FDE solution. I know about BitLocker and its requirements on the OS side (Enterprise, Ultimate, etc.) and it looks to be a pretty expensive rollout and a slow one at that. I've also looked at things like TrueCrypt, but the time to encrypt the data on several hundred devices seems to be time prohibitive.
>
> My most recent thought is to use the Crucial M500 drives and set a BIOS password, but then each boot the user is prompted for a password and there is no central management.
>
> What do you guys recommend for a simple FDE solution that costs the least in terms of both man hours and cash?

If they are laptops, or desktops with a TPM, the BIOS ATA password will be transparent, as in the PC won't ask for it if the system provider has the software to do it. On my current laptop, Dell 6530, I've got a BIOS ATA password set on my Intel 520 SSD.

The boot is fully transparent due to the onboard TPM securing the keys. I had to set this up with the software provided by Dell (Control Vault), so I'm unsure as to if it's possible with some 3rd party software for a bunch of different machines.

I'm not sure of any tools that will allow company wide rollout of ATA passwords, so it might be more of a slog and a PITA to get going. But the possibility of a transparent boot up is indeed there.

I've also heard that a new version of Microsoft's MBAM software for BitLocker is on the way, which might be something to look at.

http://technet.microsoft.com/en-us/windows/hh826072.aspx
 

RadiclDreamer

> Are you not going to run into this same problem regardless of what solution you use?

Well, no, not really. If we use OPAL certified drives, from what I have read the encryption is done on the hardware side and the software manages it.
 

DaveVandorAmon

Is your question primarily grounded in operations or security?

Is it more of a which product is better for protecting data or which is the easiest to hit the ground running with to satisfy a compliance requirement?

Any tool rolled out will take time and planning, as well as the learning curve of introducing it. This is highly dependent on how many devices you plan to encrypt, as well as how you plan to manage it.

If you're a small shop and not worried about key management or recovery, TrueCrypt with provisioning of recovery keys could work well if you had the means to script and deploy it.

OPAL compliant hardware generally requires some sort of existing Key Management Infrastructure or Centralized Management interface - (McAfee ePO/EEPC, PGP Universal, Sophos SafeGuard, etc.) so it still doesn't address the higher level of how it gets done/managed as part of a standardized process or lifecycle.

Before you plan to encrypt data - do you have an end-user backup strategy in place? Our chief issue with the encrypted drives is once they fail, we can't recover the data from them as we used to be able to internally.

Also, how will this affect turnover and data recovery? Are your users going to be the keepers of their own passwords? What if they forget it, are hit by a bus, or walk out?

BitLocker would be expensive if you do not have an Enterprise license or access to use Enterprise.

I think they underestimated that this would be simple and easy to do. In actuality our FDE project took about 2 and a half years (mind you this is considering several tens of thousands of machines) and we're still doing it. Since then, that project has opened up insufficiency in other areas that it touched.

More specifics on the environment and industry could help.
 