Management suite for desktop encryption

Hi Tolomir.
I just finished reading the product description. The descr. could not tell if my first 3 requirements are met - do you know if they are met? I am hesitant to contact them at once because it will take a while to find someone that is able to tell.

1st:  Strong Authentication Policy    
DriveCrypt Plus Pack Enterprise allows administrators to enforce strong authentication via custom-defined password policies, admin defined password restrictions and supports smartcards (PKCS #11)  for two-factor authentication.

2nd: Offline Password Recovery
    DriveCrypt  Plus Pack Enterprise provides offline password recovery. In the event a user forgets his or her password or is not able to successfully authenticate, an administrator controlled recovery code can be generated and used.

 On Demand Encryption & Decryption
 DriveCrypt Plus Pack Enterprise allows administrators to encrypt and decrypt machines by group or individually. Drive status is clearly displayed for an at-a-glance perspective and is also detailed in the reports section.

3rd: Did just use the drivecrypt version on my computer, there is no need for a TPM  encryption chip. but if you like you can use an USB token:
http://www.securstar.com/products_usbtoken.php

4th: Sorry no Linux support. Pick you poison from http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software (mostlikely truecrypt)

---

I would suggest to use truecrypt for an all plattform solution, but then you got no centralized management (+policy)

Tolomir

Seagate Momentus drives (laptops currently) are universal as their preboot authentication is OS independent. McAfee can manage Momentus drives, as well as other 3rd parties like Wave Systems can as well: http://www.wave.com/products/tdm.asp

PGP is another, and probably considered the defacto standard, but is very pricey by comparison, but works on all major OS's (Mac/M$/*nix)
CheckPoint PointSec Full Disk Encryption is very well priced and fits all the criteria you've asked about:
http://www.checkpoint.com/products/datasecurity/pc/index.html

Changing the password often is probably not a necessary step, it's an antiquated practice that has it's roots in the unix (crypt), windows 9x and windows NT passwords, all of which were very easy to crack... well 9x was encoding and not even considered encryption... nonetheless it's a practice that is good to use on short passwords, but if you require a password of a good length like 10 or more characters with case variances I feel your very secure. We require 15 at a minimum wherever possible in our Lan. http://www.wired.com/politics/security/commentary/securitymatters/2007/01/72458

TrueCrypt is also a fine choice but as stated above, has no centralized management, and does not force the user to change the password, however it does default to requiring a 20 or more character password length. We have Government contracts that subject us to quarterly audits and we have to make a case every time for not requiring passwords to change more often.
-rich

@Tolomir: I already read that, it does not really answer 1 and 2.
1) What do these policies consist of? Do passwords expire?
2) Recovery was not the question, do admins get a pw that can unlock all workstations for maintenance tasks? This is the most important aspect.

@Richrumble:
What McAfee product are you talking about? Do you use it and does it fulfil the above criteria?
Same for "PGP".

Thanks

I guess you have to talk to a technican from securstar. As said, I don't use that tool in my office.

http://www.securstar.com/contact.php

McAfee's EPO manager is supposed to manage Seagate Momentus Laptop drives, but it's only something our McAfee rep mentioned to us afew times. We've used the Wave Systems product for about a year, it's ok but a little steep in price, so we switched to PointSec and are happy with the results. Both products we've used allow the changing of the passwords but require the entire encryption process to be done again, which is ok because it can take place in the background.
http://www.seagate.com/ww/v/index.jsp?locale=en-US&name=null&vgnextoid=eac9eedc1278d110VgnVCM100000f5ee0a0aRCRD
I don't see it on mcafee's site, but I was told it does intergrate with ePO.

Again I don't think one needs to change the boot password often if it's long enough. Even all 20 one's can be harder to brute force than most users passwords (11111111111111111111) Most bruteforcers start low and go high, when you get to about 10 alpha-numeric characters using a few PC's makes brute force almost statistically impossible in a life time.
-rich

Rich, can you provide the rough cost estimation I was looking for for the products you used/are using? 50 windows boxes.
Also I really need info about the ability of creating a master password (no recovery password for single drives but for all, allowing the admin to boot the system)
Even if you think it's of no relevance maybe you can answer if the mentioned products (the Wave systems one, and the Pointsec one) can force users to change their passwords.
Also [attention, new aspect ;)], is there a management suite you know that can temporarily disable the need of a password network wide? This would be very useful in some maintenance situations.

> Pointsec is able t use Active Directory for login
So Pointsec does or does not use PBA? I guess not, right?

Check it out, http://www.blackfistsecurity.com/2009/02/pointsec-video-windows-integrated-login.html

Also see page 10: http://www.google.com/url?q=http://security.ucsf.edu/EIS/2677-DSY/version/3/part/4/data/Pointsec%2520Administration%2520Guide.pdf%3Fbranch%3Dmain%26language%3Ddefault&sa=U&ei=o9S3SqrkF6my8QaLqZTPCw&ct=res&cd=1&usg=AFQjCNF-hGIMMOI5fwgtHSlNgCDpdb-wcQ
-rich

Sorry that video was wrong, http://www.svit-it.com.ua/checkpoint_screen/Pointsec_PC_Admin_Guide.pdf
page 179, synchronizing windows and pointsec passwords... sorry about that. There are a few options available with pointsec including one-time passwords and various recovery scenarios.
-rich

Folks, I let you waiting because the sales representative for checkpoint is kinda slow. While the secustar people have literally answered all questions within minutes after using their online request template, the local distributor of checkpoint leaves us waiting for a price, the rest is answered more or less.
Secustar - looks good, seems to be suitable for all of our needs and costs about 75¬ per seat.
Checkpoint - also looking good, but I finally will be able to tell after phoning them.

I will reward you now and maybe comeback later to tell you the end of the story.
Thank you!

Thanks! Looking forward to your findings.
-rich

Months later...
Hi, I'm back. We are about to finish our evaluation.
Secustar is not capable of using single sign on on 64 bit machines which was a k.o. criterion.
Checkpoint FDE looks great in every respect.

Rich, if you allow for one more question:
have you a concept ready for recovery of encrypted machines, that is for machines that are broken and need to have the latest system image applied?

Yes, decryption of the HD if the OS should fail to boot properly is easy, remove the HD's, use a usb to IDE/SATA converter like this one: http://www.newegg.com/Product/Product.aspx?Item=N82E16812119244 and open PointSec, using the recovery console and password you'll be able to read the drives contents, as long as the drive is functional.
http://www.google.com/search?q=pointsec+slave+drive+recovery page 13 I think in one of those PDF's explains how to do it. You can also use boot disk's, but I like the slave drive method.
-rich

I was looking for a concept to apply an image to an encrypted harddrive with the least effort.
Happy easter!