Solved

What computer encryption software do you use and why?

Posted on 2011-09-29
32
4,275 Views
1 Endorsement
Last Modified: 2015-02-10
Anyone ever frustrated you can't search google for unbiased software reviews? The results almost always come back with websites that have a financial incentive to give a particular product a positive review. They look like trustworthy reviews but you quickly see ads, referral links, fake blogs, etc.

So I'm asking here:

My company has tasked me with looking into rolling out encryption software for the workstations and laptops. Initially it may just be a few people, but if it gains traction it could be more widespread (by which I mean up to 50).

The first person to get it will be the CEO, who just had his car broken into and his laptop stolen. I've been telling them for years they need more protection. I'm going to start preaching the use of KeePass or some other password encryption software at a minimum so they don't keep passwords anywhere. The only programs I've heard of are TrueCrypt and Symantec's product. I'm leery of TrueCrypt because we're a small business and we want the ability to call support for any issues.

Please give a brief reason why and what typical costs can be expected if you don't mind.

This is for Windows XP, Vista, and 7.

Thanks!
Question by: MrVault

32 Comments
 
LVL 10

Expert Comment

by:SuperTaco
ID: 36818834
For non-Windows 7 machines I have always used AxCrypt. It was trusted by the first company I did security for, which is a huge government contractor. In the private sector on Windows 7 machines I use the incumbent BitLocker. It's free and pretty easy.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 36819101
BitLocker for Windows 7 machines, TrueCrypt for stuff I want to keep private.
0
 
LVL 3

Accepted Solution

by:
LinuxNinja earned 125 total points
ID: 36885132
http://www.truecrypt.org/ is the best solution out there if you're not running Windows 7 Pro or higher (which includes BitLocker). If you can use BitLocker, it's already built in to Windows. There are some gotchas that you can quickly figure out about BitLocker by doing some reading, but I like going the 3rd-party route with TrueCrypt. Make sure you back up everything before applying encryption, no matter what.
0
 
LVL 91

Expert Comment

by:nobus
ID: 36890071
I can recommend BestCrypt: http://www.jetico.com/encryption-bestcrypt/
It has good support.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 36891707
It's a case of horses for courses, really.

First step is: what comes with what I already have? BitLocker can be pretty secure, most email packages support S/MIME, etc. etc. Anything that "just works" with what you have on your PC already is a win (provided you consider it secure).

Second question is therefore always: how do I *know* it's secure? Because stuff like BitLocker is designed for corporate recovery, is dependent on TCM tech if present, and against attackers with the right preknowledge could well be about as secure as swiss cheese; there is no way to know. I prefer open source (which I can check) against closed source (which I can't) for exactly that reason.

Third question should be: who has to decrypt this? If it's you, then it's simpler; if it isn't, you need to find out what they can support and are willing to use, and make a choice from that list.

However, some choices are:

TrueCrypt: can't rate this highly enough, it's rock solid, just a very limited problem domain.

S/MIME: built into near on everything, PKI based (so your recipient needs to send you their key first) but solid enough.

PGP (GPG): early adopter, another PKI solution, almost nobody supports it. Good in its problem domain, supports both file and email encryption.

7-Zip: good solid free package. Allows a great deal of deniability (having encryption software on your machine may be considered evidence of an intent to conceal; having zipfile software is pretty much expected) and supports the WinZip encryption method for compatibility with other users. Good solid product, and can be used to make self-decrypting archives (exe file, just add password).

0
 

Author Comment

by:MrVault
ID: 36891953
Thanks guys. Thanks Dave for detailed analysis.

Question - does TrueCrypt have technical support for any issues?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 36892195
Only community support. They don't even offer you paid support if you ask (which is a puzzle; most open source projects with dedicated developers offer paid support above and beyond the community stuff in order to get funds into the project. TrueCrypt don't).

So if you break it, you get to fix it yourself (or ask for help on the forums).
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 36892219
There are plenty of commercial hard drive encryption products, with or without central management, if you want to go that path. Be aware though, anything that means the company can "recover" your encrypted volume on demand means that the police (or a hacker who gets lucky) can do so too.
0
 

Author Comment

by:MrVault
ID: 36894302
Thanks. I have too many people pulling at me to not have a product with dedicated technical support, especially those I call on the phone.

Anyone ever used Symantec's PGP encryption product? We used that at a government contractor I used to work for. I didn't manage it but it seemed to work well.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 36894912
With TrueCrypt, if there ever was a problem there would be a howl in the forums and you'd know about it very quickly.

Symantec et al. took a great free program that the author had legal problems with (it was classified as a munition and the US government was not happy with him) and now made it very pricey. Barebones PGP is $176/user and hard disk encryption is on top of that!
0
 
LVL 18

Expert Comment

by:centerv
ID: 36895166
For laptops you may want to look at LoJack

http://www.absolute.com/en/lojackforlaptops/home.aspx
0
 

Author Comment

by:MrVault
ID: 36895414
Thanks. Didn't realize LoJack existed for computers.

That's interesting about Symantec. I heard it was one of a few gov't approved encryption apps. I wonder if that's not a coincidence.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 36897812
@ve3ofa

I would probably argue the point. PGP was *(never)* free. There was a "no commercial use" version which used the RSAREF libraries, and a commercial version (bestcrypt, iirc) which was US only and for commercial use (not that that stopped much; the UK government, for example, bundled 2.6.2 with some of its early "online tax submission" apps).

Later versions (and I have 6.5.8 here, full boxed copy, so I could use the CKT builds) were commercial (again) and owned by PGP Inc. PGP Inc. was in turn originally set up and owned by Phil (who wrote PGP from 1.0 onwards up till, I think, about v5), who sold it.

However, the PGP Disk software has little or none of that code in it. I refuse to use it, as they won't let you run your own builds (you are permitted to inspect the source, under NDA, and compile it for "test purposes" but not actually use the build you compiled yourself), so these days I mostly use GNU Privacy Guard for any PGP-related requirements.
0
 

Author Comment

by:MrVault
ID: 36897987
So is it pretty much that large companies are using BitLocker for Windows 7, but if they have XP or they're tight on budget they use TrueCrypt? Doesn't seem like there's a consensus on a corporately deployable product with central management and good available technical support. With so many responsibilities, I'm leery to use a product I'd have to rely on forums for help with. I guess, then, why am I in here :)
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 250 total points
ID: 36898200
It's a tradeoff. A lot of companies of all sizes are moving to Win7 (mostly because it's getting harder to find hardware that comes with applicable XP drivers, and nobody wants Vista), so using the "free" BitLocker stuff is seen as a win/win (really, much of the security comes from the trusted computing stuff, which is only trustworthy if you own the chipset :)

As your IT "real estate" grows larger, you need to be able to centrally manage a lot of this stuff. Plus, of course, you may have a regulatory requirement to prove compliance; it's easier to be able to print a pretty report showing all removable devices and all non-general-usage desktops are encrypted than to try and document that to evidential standard outside of an integrated management package and vendor-asserted compliance documents.

Conversely, the flexibility and price benefits of open source are very comparable with the ideals of cryptographic security. To be accepted in the crypto community, normally the protocol and ideally the code implementing it need to be openly documented so that experts can validate the security. Reliance on vendor assertions can lead to nasty shocks further down the line when you find out about bad coding, deliberate backdoors for groups interested in any traffic, or vendor-hosted "key recovery" routines for entities such as law enforcement agencies to "recover" encrypted data without the owning company knowing. These are all things that have happened in the real world, not theoretical issues, and extremely hard to identify without openness in the software used.
0
 

Author Comment

by:MrVault
ID: 36919289
Thanks Dave. So I guess then the question is, does any product provide the centralized management, reporting, and technical support that we need, with the open source based development and accountability? I'm guessing not. It's pick your poison.

The other option is something like LoJack where, as soon as the person turns on the computer with an internet connection, it wipes the hard drive (once we tell it it's been stolen). The only downside is I'm guessing it doesn't work if they pull the hard drive out and attach it as external storage. They get the files without the software kicking in. Of course, if it's encrypted then you're fine.

By the way, can BitLocker be turned on after the fact, or does it have to be chosen before doing anything? And how long does it take if it can be turned on afterwards?
0
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 125 total points
ID: 36919480
From the source:

Q: Approximately how long will initial encryption take when BitLocker is turned on?

BitLocker encryption occurs in the background while you continue to work, and the system remains usable, but encryption times vary depending on the type of drive that is being encrypted, the size of the drive, and the speed of the drive. If you are encrypting very large drives, you may want to set encryption to occur during times when you will not be using the drive.

Q: What happens if the computer is turned off during encryption or decryption?

If the computer is turned off or goes into hibernation, the BitLocker encryption and decryption process will resume where it stopped the next time Windows starts. This is true even if the power is suddenly unavailable.

Q: Why does it appear that most of the free space in my drive is used when BitLocker is converting the drive?

BitLocker cannot ignore free space when the drive is being encrypted because unallocated disk space commonly contains data remnants. However, it is not efficient to encrypt free space on a drive. To solve this problem, BitLocker first creates a large placeholder file that takes most of the available disk space and then writes cryptographic material to disk sectors that belong to the placeholder file. During this process, BitLocker leaves 6 GB of available space for short-term system needs. All other space, including the 6 GB of free space not occupied by the placeholder file, is encrypted. When encryption of the drive is paused or completed, the placeholder file is deleted and the amount of available free space reverts to normal. A placeholder file is used only on drives formatted by using the NTFS or exFAT file system.

If you want to reclaim this free space before encryption of the drive has completed, you can use the Manage-bde command-line tool to pause encryption. To do this, open an elevated command prompt and type the following command, replacing driveletter with the letter of the drive you want to pause encryption on:

manage-bde -pause <driveletter>:

When you are ready to start encrypting the drive again, type the following command:

manage-bde -resume <driveletter>:
0
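The manage-bde commands quoted above, wrapped into a small PowerShell status-and-pause script. This is an added example, not code from any poster or from Microsoft; it assumes manage-bde is on the PATH (Windows 7 Ultimate/Enterprise and later) and that its English status output carries the "Conversion Status", "Percentage Encrypted" and "Protection Status" lines the regexes look for.

```powershell
# Added example: report BitLocker state for every fixed drive, or pause/resume background
# encryption on one drive, using manage-bde. Run from an elevated PowerShell prompt.
# Assumption: manage-bde -status prints lines such as "Conversion Status:", "Percentage Encrypted:"
# and "Protection Status:" (English output); adjust the field names below if yours differ.
param(
    [ValidateSet('Status', 'Pause', 'Resume')]
    [string]$Action = 'Status',
    [string]$Drive = ''          # e.g. 'C:'; empty means every fixed drive
)

function Get-FixedDrives {
    # DriveType 3 = local fixed disk; Get-WmiObject is available on the PowerShell 2.0 shipped with Win7
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object { $_.DeviceID }
}

function Get-BdeField {
    param([string[]]$Lines, [string]$Name)
    # Return the text after "Name:" in the manage-bde output, or 'unknown' when the line is absent
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Name\s*:\s*(.+)$") { return $Matches[1].Trim() }
    }
    return 'unknown'
}

function Get-BdeStatus {
    param([string]$Vol)
    # 2>&1 folds the "not a BitLocker drive" error text into the output so the parse still runs
    $out = & manage-bde -status $Vol 2>&1 | ForEach-Object { "$_" }
    New-Object PSObject -Property @{
        Drive      = $Vol
        Conversion = Get-BdeField $out 'Conversion Status'
        Encrypted  = Get-BdeField $out 'Percentage Encrypted'
        Protection = Get-BdeField $out 'Protection Status'
    }
}

if ($Drive) { $targets = @($Drive) } else { $targets = @(Get-FixedDrives) }

switch ($Action) {
    'Status' {
        # One row per drive. "Protection Off" or a partial percentage is what a compliance report should flag.
        $targets | ForEach-Object { Get-BdeStatus $_ } |
            Format-Table Drive, Conversion, Encrypted, Protection -AutoSize
    }
    'Pause'  { $targets | ForEach-Object { & manage-bde -pause $_ } }   # frees the placeholder file's space
    'Resume' { $targets | ForEach-Object { & manage-bde -resume $_ } }
}
```

Invoke it as `.\bde-check.ps1` for the report, or `.\bde-check.ps1 -Action Pause -Drive C:` to pause conversion on one volume; pausing leaves the drive only partly encrypted until you resume.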
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 36919491
Please note: BitLocker, or any drive encryption, is not a substitute for proper backup policies.
0
 
LVL 33

Assisted Solution

by:Dave Howe
Dave Howe earned 250 total points
ID: 36919496
There is no one perfect category-killer in this category. Probably just as well, for all the players in the game who aren't that product. Like most things (operating systems, encryption, email solutions, whatever) you need to make a list of "must haves", a list of "would likes" and a list of "must not dos" and see what is the best match. Most people have "not cost anything" in the middle list :)

You can add BitLocker retroactively. In Win7, all you need do is right-click the boot volume and turn it on (on versions that support it); if your hardware doesn't offer a TCM then you may need to use a thumb drive to store your key.

Things like LoJack are OK, and work surprisingly frequently (you would be amazed how many stolen laptops are already sold as-is to a pawn broker before their owners even know they are gone); however, any attacker interested in the data isn't going to helpfully connect it up to the internet for you.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 36919519
There isn't *anything* that is a substitute for appropriate backups. Bear in mind, of course, that if you are allowing your road warriors to back up themselves, the backup media must also be encrypted and kept apart from your laptops. Harder said than done; most RWs will ignore you and keep the backup media in the laptop bag. Trust me, I have gone down this path before many times...
0
 

Author Comment

by:MrVault
ID: 36919597
Thanks Dave and ve3ofa. Good stuff on the BitLocker option. We use an online backup company for our backups and we're certain the data is encrypted during transmission and storage, so we're good on that front. The CEO successfully restored all his data, so I know it's working fine. Dave, you're right about the list. The CEO usually thinks in dollars and cents, so I'll have to show the pros and cons of both sides before the cost.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 36919757
Luckily, this is one area (even if regulatory compliance isn't mandating it) that you can be sure of finding a wealth of evidence of the "cost" of a security failure due to lost laptops or media, both in direct financial terms (loss of sensitive company data, fines etc), indirect (loss of customers, failing to win bids, opportunity losses) and of course the resulting PR nightmare of disclosing a data loss.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 36921611
Any sensitive information in his email or documents folder on the laptop? Any financial information that might be ugly if it became public?
0
 

Author Comment

by:MrVault
ID: 36924228
Certainly. He's the CEO. I'm sure he has emails and documents he deems private and confidential. I don't know of anything specific though.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 36924317
If you *did* know of stuff specifically, he should probably get rid of you and replace you with someone more discreet and less curious about the contents of his laptop ;)
0
 

Author Comment

by:MrVault
ID: 36924371
HA HA. Doesn't take someone in the know to guess that the CEO has confidential documents on his laptop. That's probably true with 100% of all CEOs. Even an email scheduling a meeting is "confidential".
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 36924484
Unless he is also a lawyer, in which case it is "privileged work product" :)
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 36924921
Case closed, Counselor. Encrypt it and have good backups. There is a rumour that during one of the trade conferences one party knew to the dollar the maximum that the other party was authorized to pay, and so would not move any lower than that price during the haggling process. The loss of the information to interested parties, or just the loss of the information alone, could be critical to the company's existence.
0
 

Author Comment

by:MrVault
ID: 36924989
Agreed. I'm going to look into BitLocker, I think. GPO manageable. Msft support if we ever needed it. Widely used. Has some headaches compared to TrueCrypt. I just think it's ridiculous that Windows doesn't include it with Professional. Should be.
Do you know if you can in-place upgrade Professional to Enterprise or Ultimate?
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 36925375
You can upgrade Pro to Ultimate at any time.
0
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40600877
Although this thread is quite old, it is still featured, and so I would like to add my 2 cents:

There is a lot of speculation that Microsoft has given the US government (and probably close allies such as Canada, the UK, and Australia) a "back door" into BitLocker. To me it sounds paranoid yet at the same time plausible. We know that the FBI has failed to crack TrueCrypt.

Development of TrueCrypt has stopped, but many people still consider it to be the most secure option. There are two forks of TrueCrypt that are still maintained: VeraCrypt and CipherShed.

Be sure you understand the limitations of TrueCrypt, which are also limitations of its forks, BitLocker, and all similar encryption products. The main limitation is that if someone is able to sneak a keystroke logger onto your computer, by means such as physical access to the computer or infecting the computer with malware, then the attacker can obtain the password. This does not apply to computers that have been stolen or confiscated.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40601689
MS originally stated that they hadn't been asked to backdoor BitLocker, and later had to withdraw that statement. Which is admittedly a bit suspicious. I would be more worried that someone *other* than the US government has access to a backdoor (as is mentioned from time to time, there is no such thing as a magical golden key that allows only authorized, warrant-holding law enforcement officers in and keeps everyone else out; if there is a backdoor, it is for sale, and anything else is just haggling over price).

TC needs some work: GPT support at least, and some way to get it into a secure boot path. TC is "at rest" encryption also, so (like BitLocker) it doesn't protect a running machine from its own software; like BitLocker, you CAN boot it from removable media (so that the password is useless without the media too), but the main kicker is that it really isn't enterprise-grade. There is no central management, which is fine for one (or five!) machines, but not for a hundred or five hundred.

That said, I use TC. But I also use LUKS (under Linux, of course), 7-Zip, GnuPG, and S/MIME :)
0
