Drive Encryption

Does anyone have a recomendation for a secure open source drive encryption and separately a best practice for drive encryption?  Also for the open source version a way to secure it as I have heard of many vulnerabilities with software based solutions.

Thanks
Jack_son_Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

zeshanazizSystem AdministratorCommented:
T r u e C r y p t
TrueCrypt is free open-source disk encryption software for Windows
http://www.truecrypt.org/ 

or

Comodo Disk Encryption
http://www.comodo.com/home/internet-security/disk-encryption.php

Both of these tools are free and very good to use, it will reduce your workload but increase the safety of your set ups.

http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

btanExec ConsultantCommented:
There isnt much open source in this area and Truecrypt is definitely one of the better candidate for consideration. This link has more but some may already be not maintain or turn into commercial
@ http://mareichelt.de/pub/notmine/windows-comparison.html

Also note that Truecrypt did created many interest from researcher to "break" it in past version
@ http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html
@ https://www.privacy-cd.org/en/cold-boot-attacks

But I will suggest also to check out FreeOTFE is a free, open source, "on-the-fly" transparent disk encryption program for PCs and PDAs @ http://www.freeotfe.org/features.html

For assurance static code analyser is recommended to parse through the codes to detect any inherent poor coding practices.
Read more
@ http://www.eetimes.com/design/automotive-design/4006735/Integrate-static-analysis-into-a-software-development-process

For some NIST listed tool
@ http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html
> Coverity (commercial) and Flawfinder (free)
@ http://www.spinroot.com/static/
> PREfix and PREfast (Microsoft) is also alternative but it would be quite an out dated one but still reliable as it is the concept

Also I will suggest that you check out MS SDL tool for secure development
@ http://www.microsoft.com/security/sdl/getstarted/tools.aspx

Going further if interested, fault injection to force out the "flaw" would be part of the strategy.
Some of them called it simply as fuzzing
@ http://scialert.net/fulltext/?doi=itj.2010.576.582&org=11
btanExec ConsultantCommented:
This link also share a couple of fault injection tools
@ http://en.wikipedia.org/wiki/Fault_injection#Fault_injection_tools

Holodeck  is a test tool developed by Security Innovation that uses fault injection to simulate real-world application and system errors for Windows applications and services. Holodeck customers include many major commercial software development companies, including Microsoft, Symantec, EMC and Adobe. It provides a controlled, repeatable environment in which to analyze and debug error-handling code and application attack surfaces for fragility and security testing. It simulates file and network fuzzing faults as well as a wide range of other resource, system and custom-defined faults. It analyzes code and recommends test plans and also performs function call logging, API interception, stress testing, code coverage analysis and many other application security assurance functions.
JavaScript Best Practices

Save hours in development time and avoid common mistakes by learning the best practices to use for JavaScript.

DavidPresidentCommented:
Step back.  It depends on your goal.  If you want to prevent somebody from getting useful information from a stolen HD, or laptop, then some packages are better than others, so best you state your purpose.

If you want to encrypt so erasing disks is not necessary when you get rid of them, then software-based encryption is a poor choice.

If you don't want a performance hit on reads or writes, or have RAID, then just forget any software-based encryption
Jack_son_Author Commented:
Yes, main purpose is to prevent somebody from stealing useful info from a stolen laptop HD.   So software based encryption is a bad choice?
DavidPresidentCommented:
Software based encryption is OK, if and only if you NEVER NEVER NEVER configure it so entering password is automated, and you insure that it will never be stolen in event you hibernate instead of issue a shutdown that clears out RAM.

btanExec ConsultantCommented:
there is always a degree of security level that will commensurate with your risk appetite. For example, if you are looking at military grade or critical infrastructure scenario, they would opt for the most secure that would comprise of not only hardware based security using TPM, specific crypto chipset etc, but also layered with software based access control and protection. Resiliency in those failure point is also of concern.

Of course, if you are looking at enterprise grade, you may not opt for h/w encryption which can be configured to be leveraged upon if it exist. E.g. Truecrypt uses the AES-NI as well as token based authentication. I will see minimally the Authentication should be 2FA (use of smartcard or biometric) for critical server and if TPM is available (most latest notebook already come with it), why not use it (unless performance is the main concern over usability).

Also having accreditation/certification (CC or FIPS) on the crypto does not necessarily mean they are secure regardless they are h/w or s/w, it is the design and implementation that matters. if you use a weak password and no account lockout, dictionary attack and brute force is possible even if you have h/w protection.

This link would be interesting for your information, where Coverity collaborated with Stanford University under a contract with the Department of Homeland Security to harden open source software which provides critical infrastructure for the Internet. There are scan result of the various open source submitted. Check out the FAQ for more details
@ http://scan.coverity.com/rungAll.html
 

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Jack_son_Author Commented:
Great info, do these have centralized management or are stand alone?
btanExec ConsultantCommented:
typically for open source there is no centralised management as it required more efforts unless you are talking about open tool for SIEM capability which needed centralised log pulling and correlation. E.g. OSSEC and OSSIM. Of course being open source for truecrypt or FreeOTFE, organisation may use it to extend it further - but contribution back to the community, I am not that sure. Mostly, I see is standalone for the open source.

But if you are really looking at drive encryption especially on removable drive, you may want to consider Ironkey - there is lots of innovation (e.g. integration with open solution such as mokaFive) and as it uses quite a number of open software like OpenSSL, Firefox etc. It does contribute back and stay open (can request for the source). And for Ironkey, there is Enterprise support but I doubt that is open.

See @ http://mktg.ironkey.com/announcements/0108/

But I believe there are central mgmt source but just need integration effort etc. The central mgmt is really for inventorisation and key mgmt but from open source point of view, it is not contributory driven as it would need more effort and focus, hence it warrant commercial entity to take up the role to push forth if needs justified ... open source also goes commercial when product matures ...
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Digital Forensics

From novice to tech pro — start learning today.