Full Disk Encryption - Now that TrueCrypt has been "compromised" what is everyone using?

Now that we have the big question mark regarding TRUE-CRYPT, what is everyone using for whole disk encryption?
jkeegan123 Asked:
McKnife Commented:
To answer this, you would need big statistics and those, no one has access to.
You might find some increase in downloads of other open source encryptors like "disk cryptor" or "veracrypt", but we cannot say "now most are using...".

The thing is: who would you want to trust? Would it have to be open source? And what is keeping you from continuing to use TC? If it were found out that it has major problems (now-unknown), then I could understand your concerns.
0
Dave Howe, Software and Hardware Engineer, Commented:
Still TrueCrypt :)

Seriously though, the first phase audit didn't show anything significant, and while we are expecting NCC to take months to come back with the second phase, we aren't expecting any major failings to show there either.

TC is still the best (and almost only) option if you want reliable, cross platform support.

There are decent alternatives. LUKS on Linux is at least as good as TC, and of course BitLocker has the MS seal of approval (and can handle GPT drives, which TC can't) - although it is known American intel agencies have attempted to force MS into weakening BitLocker (and it has that dependency on TPM modules, which everyone but the owning company can trust).
0

jkeegan123, Author, Commented:
How about managed full disk encryption? Where systems have to check in or lose access to the data, like for field laptops. I've heard of systems like this but have never seen any in action... are there open source answers to this, or are there only commercial solutions?
0
McKnife Commented:
Forget remote wipe. Imagine I steal your laptop and my intention is to read your data - do you think I don't know about remote wipe? I take out that drive and that's it. There's no way remote wipe will be initiated after that.
--
Not sure where this thread is heading but it seems you don't use a managed solution (which is advisable if you have a larger number of computers). Or do you ask just for a few machines?
0
jkeegan123, Author, Commented:
For both, I've never had to have this for a lot of machines, but I just picked up a healthcare client that has a lot of field laptops with NO encryption, which sent my HIPAA meter off the charts ... was trying to decide on a stand-alone or managed solution. Not so much remote wipe as someone not turning in a HDD after being let go, and they just lose access to it after a set amount of time.
0
McKnife Commented:
Let me draw a sketch of the decision process if I were you:
Do you trust Microsoft? If yes, consider using BitLocker IF you have a Windows OS that qualifies for using it. If you don't, ask yourself what management features you need:
- How should the authentication work?
- Do you want to be able to enforce password changes/key changes?
- Do you need several keys to the machine (one for the admin, one for user A, one for B...)?
- Do you trust the users not to offline attack the machine in order to get local admin rights? (Because if you don't, I am sure you would need a TPM-aware solution.)
- Would the setup have to be automated?
- How would the backup and recovery process work?

Some of those decisive questions might require scripting knowledge if you try to use open source solutions... if you don't think you have that know-how, it might be better to buy a solution unless you qualify for BitLocker.
0
nobus Commented:
If you fear TrueCrypt, use an alternative: BestCrypt http://www.jetico.com/products/personal-privacy/bestcrypt-container-encryption
0
Natty Greg, In Theory (IT), Commented:
The best encryption is education.
0
Natty Greg, In Theory (IT), Commented:
Other than that, TrueCrypt still.
0
Rich Rumble, Security Samurai, Commented:
Also note that HIPAA does not mandate full disk encryption... before I get into that, have a look at my article here:
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
Horse's mouth -> http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2001.html TL;DR: you don't have to use encryption unless a security assessment says you do. Most probably will, but you can have compensating controls that can make it so it's not required. HIPAA is better handled by those who have handled or are certified in HIPAA. Everyone has to start somewhere, so I'd start on the hhs.gov page (like I did years ago :)
Managed encryption, btw, is much better using tools like BitLocker, PGP or Wave if using hardware FDE drives.
TC is still good if you need something free and unmanaged; it's moved to CipherShed now: https://github.com/CipherShed/CipherShedBuilds/blob/v0.7.3.0-20141231/builds/c7b806f658895da0229a9e9557008aee729f5730/pyeron%2Cjason/1420054199/src/Release/Setup%20Files/CipherShed%20Setup%200.7.3.exe
-rich
0
Dave Howe, Software and Hardware Engineer, Commented:
HIPAA does mandate using appropriate protection for the data. Each possible class of protection has different use cases; FDE (and self-encrypting hard drives, which are effectively FDE in hardware) protect only against attacks on "cold" systems - that is, machines that are shut down. Use case is usually removable media and/or portable devices (such as laptops) which are in transit and not currently being used. If a device is physically secure (such as in a cage in a datacenter), then FDE isn't needed, and if it's virtualized, cloud-based or otherwise subject to software attacks on the running system, then FDE isn't going to help so shouldn't be considered for that use scenario.

So first step is *always* to do a security review, establish the attacks you need to defend against, and select the most cost-effective solutions to cover all those attacks (many technologies cover more than one, of course).
0
Natty Greg, In Theory (IT), Commented:
Backup to an online or cloud-based source is the safest way. Well, you can try Briefcase: the files that are used regularly are mapped to a Briefcase file, then nightly anything modified in the Briefcase is backed up to the real backup server via admin only.
0