Solved

Mobile encryption without being admin

Posted on 2013-12-02
11
380 Views
Last Modified: 2013-12-08
Hi experts.

In a perfect world, there would be a software that would encrypt USB drives and let anyone access the data that knows the password. That person should not need administrative privileges.

What windows software solution comes next to this? [Hardware is not being looked at here]
Bitlocker to go is already considered an option, yes.
0
Comment
Question by:McKnife
  • 6
  • 5
11 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39691361
BL-2Go is one option, I'm not understanding a lot of the push to USB encryption and I work with several regulated/mandated clients across the world. TrueCrypt of course can be used in this way, but it requires the executables to be present on the USB drive [See Traveler Mode](or already installed in the system), as will most 3rd parties if you think about it. OEM/Manufacturer solutions are going to be the most ubiquitous ones.
If hardware isn't being looked at then it's looking like BL all the way, however that leaves XP and Vista (in the case of BL-2Go that is).

I don't throw encryption around like I used to, now I try to fix the problems before it comes to that. Got any other requirements or concerns about USB and or mobile devices? Since the data can leave so many other ways, USB is probably the least of my concerns when I consult for a client. It's very low on the radar unless USB is a commonly used item for sensitive data/air gap transfers. Otherwise, there are much faster and "better" ways to transfer data within just a browser.
-rich
0
 
LVL 53

Accepted Solution

by:
McKnife earned 0 total points
ID: 39692061
Hi Rich.

Truecrypt portable needs admin rights. BL2Go cannot be used for different reasons and was already considered, as I wrote.

I found a solution which I already tested and it works alright, at least on win7: http://translate.google.com/translate?u=http%3A%2F%2Fwww.withopf.com%2Ftools%2Fsecurstick%2F&langpair=de%7Cen

I think we will use hardware as that software has some caveats and the hardware isn't too expensive.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39692180
TC does not need admin in Traveler Mode, you include the TC.exe on a the plain-text unencrypted portion of the USB, and use the executable on any machine and not need to install. Hardware is the more obvious choice over BL because you don't need to install any software (typically, but some do, like Kingston has a central manager, can't use the USB without it).
I like the kinds with keypads: http://www.apricorn.com/products/hardware-encrypted-drives/aegis-secure-key.html
Don't believe a drive that is certified FIPS140-2 is better than any other: http://www.h-online.com/security/news/item/NIST-certified-USB-Flash-drives-with-hardware-encryption-cracked-895308.html
Nonetheless I prefer TC or FreeOTFE over BL and or Hardware, and you already know I don't use Admin rights anywhere :)
-rich
0
 
LVL 53

Author Comment

by:McKnife
ID: 39692199
Rich, Truecrypt portable was tested. It does need Admin rights to use encrypted containers, see http://www.truecrypt.org/docs/truecrypt-portable
You need administrator privileges in order to be able to run TrueCrypt in portable mode
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39692282
It doesn't for us... Maybe you can try FreeOTFE which works the same way, place the executables and dll's on the plain-text partition of the drive, and create a container there too: http://sourceforge.net/projects/freeotfe.mirror/
Both work on User accounts, not power not admin... hmm TC doc's need updated or we are not talking about the same thing. We don't use any wizard, we just copy the files to the USB and create a file/container there...
-rich
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 53

Author Comment

by:McKnife
ID: 39692316
That's the same we do.
You are a local admin and UAC is off or it's xp, right? ;)
0
 
LVL 53

Author Comment

by:McKnife
ID: 39692326
I think I know what your "problem" is: you are testing it on computers that also have truecrypt installed, right? Then the driver is already loaded automatically at startup, that's why no admin rights are needed for portable TC in your case.
Right?
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39692340
I'll triple check, I doubt we are including the drivers for TC in the image, but just in case I'll have a look. FreeOTFE I can confirm does not need admin to do the same portable drive.
-rich
0
 
LVL 53

Author Comment

by:McKnife
ID: 39692421
Fact is, TC 7.1a does not work on x64 OS (Vista/win7) in portable mode without administrative rights. Neither does free OTFE as it does not support x64 at all.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39692438
Yeah looks like IT slipstreamed the MSDN ISO's with the TC driver! FreeOTFE hasn't been developed in some time now. There is always encrypted containers like GPG or even 7zip.
hardware is the most universal, but it was discounted at the onset of the question, I'm all for it being deleted.
-rich
0
 
LVL 53

Author Closing Comment

by:McKnife
ID: 39704051
self-solved
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

By default, Carbonite Server Backup manages your encryption key for you using Advanced Encryption Standard (AES) 128-bit encryption. If you choose to manage your private encryption key, your backups will be encrypted using AES 256-bit encryption.
This paper addresses the security of Sennheiser DECT Contact Center and Office (CC&O) headsets. It describes the DECT security chain comprised of “Pairing”, “Per Call Authentication” and “Encryption”, which are all part of the standard DECT protocol.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now