• Status: Solved

Full Disk Encryption - Now that TrueCrypt has been "compromised" what is everyone using?

Now that we have the big question mark regarding TRUE-CRYPT, what is everyone using for whole disk encryption?
0
Asked: jkeegan123
1 Solution
 
McKnife Commented:
To answer this, you would need big statistics and those, no one has access to.
You might find some increase in downloads of other open source encryptors like "disk cryptor" or "veracrypt", but we cannot say "now most are using...".

The thing is: who would you want to trust? Would it have to be open source? And what is keeping you from continuing to use TC? If it were found out that it has major problems (now-unknown), then I could understand your concerns.
0
 
Dave Howe (Software and Hardware Engineer) Commented:
Still truecrypt :)

Seriously though, the first phase audit didn't show anything significant, and while we are expecting NCC to take months to come back with the second phase, we aren't expecting any major failings to show there either.

TC is still the best (and almost only) option if you want reliable, cross platform support.

There are decent alternatives. LUKS on Linux is at least as good as TC, and of course BitLocker has the MS seal of approval (and can handle GPT drives which TC can't) - although it is known American intel agencies have attempted to force MS into weakening BitLocker (and it has that dependency on TPM modules, which everyone but the owning company can trust).
0
 
jkeegan123 (Author) Commented:
How about managed full disk encryption? Where systems have to check in or lose access to the data, like for field laptops. I've heard of systems like this but have never seen any in action... are there open source answers to this, or are there only commercial solutions?
0
 
McKnife Commented:
Forget remote wipe. Imagine I steal your laptop and my intention is to read your data - do you think I don't know about remote wipe? I take out that drive and that's it. There's no way remote wipe will be initiated after that.
--
Not sure where this thread is heading but it seems you don't use a managed solution (which is advisable if you have a larger number of computers). Or do you ask just for a few machines?
0
 
jkeegan123 (Author) Commented:
For both, I've never had to have this for a lot of machines, but I just picked up a healthcare client that has a lot of field laptops with NO encryption, which sent my HIPAA meter off the charts ... was trying to decide on a standalone or managed solution. Not so much remote wipe as someone not turning in a HDD after being let go, and they just lose access to it after a set amount of time.
0
 
McKnife Commented:
Let me draw a sketch of the decision process if I were you:
Do you trust Microsoft? If yes, consider using BitLocker IF you have a Windows OS that qualifies for using it. If you don't, ask yourself what management features you need:
- How should the authentication work?
- Do you want to be able to enforce password changes/key changes?
- Do you need several keys to the machine (one for the admin, one for user A, one for B...)?
- Do you trust the users not to offline attack the machine in order to get local admin rights? (Because if you don't, I am sure you would need a TPM-aware solution.)
- Would the setup have to be automated?
- How would the backup and recovery process work?

Some of those decisive questions might require scripting knowledge if you try to use open source solutions... if you don't think you have that know-how, it might be better to buy a solution unless you qualify for BitLocker.
0
 
nobus (biljart fan) Commented:
If you fear TrueCrypt, use an alternative: BestCrypt http://www.jetico.com/products/personal-privacy/bestcrypt-container-encryption
0
 
Natty Greg (In Theory (IT)) Commented:
The best encryption is education.
0
 
Natty Greg (In Theory (IT)) Commented:
Other than that, TrueCrypt still.
0
 
Rich Rumble (Security Samurai) Commented:
Also note that HIPAA does not mandate Full Disk encryption... before I get into that, have a look at my article here:
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
Horse's mouth -> http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2001.html TL;DR: you don't have to use encryption unless a security assessment says you do. Most probably will, but you can have compensating controls that can make it so it's not required. HIPAA is better handled by those who have handled or are certified in HIPAA. Everyone has to start somewhere so I'd start on the hhs.gov page (like I did years ago :)
Managed encryption btw is much better using tools like BitLocker, PGP or Wave if using hardware FDE drives.
TC is still good if you need something free and unmanaged, it's moved to CipherShed now: https://github.com/CipherShed/CipherShedBuilds/blob/v0.7.3.0-20141231/builds/c7b806f658895da0229a9e9557008aee729f5730/pyeron%2Cjason/1420054199/src/Release/Setup%20Files/CipherShed%20Setup%200.7.3.exe
-rich
0
 
Dave Howe (Software and Hardware Engineer) Commented:
HIPAA does mandate using appropriate protection for the data. Each possible class of protection has different use cases; FDE (and self-encrypting hard drives, which are effectively FDE in hardware) protect only against attacks on "cold" systems - that is, machines that are shut down. Use case is usually removable media and/or portable devices (such as laptops) which are in transit and not currently being used. If a device is physically secure (such as in a cage in a datacenter), then FDE isn't needed, and if it's virtualized, cloud-based or otherwise subject to software attacks on the running system, then FDE isn't going to help so shouldn't be considered for that use scenario.

So first step is *always* to do a security review, establish the attacks you need to defend against, and select the most cost-effective solutions to cover all those attacks (many technologies cover more than one, of course).
0
 
Natty Greg (In Theory (IT)) Commented:
Backup to an online or cloud-based source is the safest way. Well, you can try Briefcase: the files that are used regularly are mapped to a briefcase file, then nightly anything modified in the briefcase is backed up to the real backup server via admin only.
0
Question has a verified solution.
