NytroZ

asked on

Data Encryption

I'm looking for a product that can safely and reliably encrypt the hard drives on our laptops. I've read that Symantec's Disk Encryption is a good product but can be a bit pricey. Does anyone have an opinion on Microsoft's BitLocker? How does this product compare to Symantec? What other encryption tools are worth looking into? Will BitLocker encrypt the entire drive or does it do file encryption?
PJL2

One option would be to use Truecrypt to create an encrypted volume on her computer to store data in. Very reliable.
Truecrypt is free. Search "truecrypt" on Google for download.
Depends on if you need an enterprise class product or not.

BitLocker is whole drive encryption, but there are now suggestions that BitLocker has been "backdoored" - and of course you need to be running a central AD domain and so forth. Probably still safe enough unless you need to hide stuff from the US Government.

Truecrypt is the category killer for disk crypto, but has no central control mechanism, so is "clunky" to administer (basically, you need to build a recovery ISO for each machine, store them securely, and use them to recover the machine if you get locked out) - hence, is not considered enterprise class. However, it is very, very effective, and free.
I have been using Trend Micro Drive Armor for the last few years.

http://www.trendmicro.com/us/enterprise/product-security/endpoint-encryption/index.html
Rich Rumble
Before you say "I need encryption" understand what encryption will and will not do:
https://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
TL;DR: Full disk encryption only protects your data when the OS is powered off completely. It protects from physical theft of a HDD. There are caveats and best practices to each encryption technology; if you do not follow them or address them, you may as well have not used encryption at all.
-rich
Hi.

In order to focus on only a few products: does your Win7 edition entitle you to use BitLocker? Ultimate or Enterprise are needed, Win7 Pro does not offer BitLocker (while Win8 Pro does).
--
If you should talk numbers, what may your choice cost?
How many laptops? If more than 10, I would definitely choose a manageable product like Symantec's Encryption Desktop 10.

NytroZ (ASKER)

We do run Windows 7 Ultimate. I am mostly interested in full disk encryption in the event the device is lost or stolen. If BitLocker is used, how can the encryption be managed? There will only be about 10 laptops.
ASKER CERTIFIED SOLUTION
Rich Rumble

This solution is only available to members.
This advice should not be missing from any BitLocker discussion: don't use TPM alone; combine it with a PIN, or else you will be a possible target for cold boot attacks and other attack vectors that any encryption faces that does not rely on preboot authentication (which is what the PIN offers).

NytroZ (ASKER)

I installed BitLocker. I used the TPM method. I don't recall being asked to provide a PIN. So now when I boot the laptop everything appears normal. After I provide the AS username and password the data on the drive is available. Does this mean the encryption is only as strong as the password? If someone were to use a hacking tool to reset the password would this deny that? How can I implement the PIN now?
Allow me to point out: encryption is a hype. How many people have I read of that don't know the technical background but are so eager to encrypt each and everything :)
--
You need to add a PIN or your only protection is the password - correct. Also I mentioned cold boot attacks, which don't even need that password.
About "hacking tools": the commonly used tools reset the password of the builtin administrator account. BUT: they don't work with encrypted drives, no matter if a PIN is used or not.
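
An added example, not part of the original thread and not any poster's own code: a way to check which laptops are still in the TPM-only state discussed above. It assumes an elevated PowerShell prompt and queries the Win32_EncryptableVolume WMI class; the variable names and the wording of the findings are illustrative.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell prompt.
# Lists each BitLocker volume's key protectors and flags TPM-only setups,
# i.e. volumes that unlock at boot without any preboot authentication.

# KeyProtectorType values as documented for Win32_EncryptableVolume
$typeNames = @{
    1 = 'TPM'
    2 = 'External key'
    3 = 'Numerical password'
    4 = 'TPM And PIN'
    5 = 'TPM And Startup Key'
    6 = 'TPM And PIN And Startup Key'
}
$preboot = 4, 5, 6   # protector types that need something from the user at boot

$volumes = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
                         -Class Win32_EncryptableVolume

foreach ($vol in $volumes) {
    # 0 = return protectors of every type; drop empty entries (PowerShell 2.0 safe)
    $ids = @($vol.GetKeyProtectors(0).VolumeKeyProtectorID | Where-Object { $_ })
    $types = @()
    foreach ($id in $ids) {
        $types += [int]$vol.GetKeyProtectorType($id).KeyProtectorType
    }

    $hasTpmOnly = $types -contains 1
    $hasPreboot = @($types | Where-Object { $preboot -contains $_ }).Count -gt 0

    if ($vol.ProtectionStatus -ne 1)           { $finding = 'Protection is off or unknown' }
    elseif ($hasTpmOnly -and -not $hasPreboot) { $finding = 'TPM only: no preboot authentication' }
    elseif ($hasPreboot)                       { $finding = 'Preboot authentication configured' }
    else                                       { $finding = 'No TPM-based protector' }

    # Translate numeric types to readable names; unknown values are shown as-is
    $names = $types | ForEach-Object {
        if ($typeNames.ContainsKey($_)) { $typeNames[$_] } else { "Type $_" }
    }

    New-Object PSObject -Property @{
        Drive      = $vol.DriveLetter
        Protectors = ($names -join ', ')
        Finding    = $finding
    } | Select-Object Drive, Protectors, Finding
}
```

A system drive reported as "TPM only" is in the situation described in the posts above: the volume unlocks at power-on and only the Windows logon stands between an attacker with the running machine and the data.
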
NytroZ (ASKER)

Understood, so how do I add a PIN to BitLocker now? I am currently only using TPM.