Help me lock up some laptops.
November 9, 2007 2:26 PM Subscribe
Need to protect sensitive data on laptops taken out to the field. Something like Bitlocker, but for XP maybe?
So my organization does financial auditing now.
They're doing more and more work in the field, taking laptops out to a client, filled with the client's sensitive financial data and coming back with more of the same.
I'd like to do something to protect the laptops (actually, the data on them) from loss or theft a la "Someone at the VA left their laptop on the train, so now your medical records are out there for sale somewhere".
I was thinking of something like BitLocker but for XP.
(but not so much, since BL seems to encrypt the entire drive and only decrypt file by file once you're in - which seems like it would slow every single disk operation?)
Require an encryption/decryption key on a USB stick, so if that's separated from the laptop, the information is inacessible?
I would just have them put the sensitive data on USB sticks, but I think they'd be even more likely to lose those. If they lose a decrypt key, at least I could give/send them a replacement and admonish them for losing the keys, rather than worry about having lost the data.
Suggestions?
So my organization does financial auditing now.
They're doing more and more work in the field, taking laptops out to a client, filled with the client's sensitive financial data and coming back with more of the same.
I'd like to do something to protect the laptops (actually, the data on them) from loss or theft a la "Someone at the VA left their laptop on the train, so now your medical records are out there for sale somewhere".
I was thinking of something like BitLocker but for XP.
(but not so much, since BL seems to encrypt the entire drive and only decrypt file by file once you're in - which seems like it would slow every single disk operation?)
Require an encryption/decryption key on a USB stick, so if that's separated from the laptop, the information is inacessible?
I would just have them put the sensitive data on USB sticks, but I think they'd be even more likely to lose those. If they lose a decrypt key, at least I could give/send them a replacement and admonish them for losing the keys, rather than worry about having lost the data.
Suggestions?
Second, thirding, and fourthing TrueCrypt. Be aware that the user needs administrator access to use the encrypted drives/files.
posted by blue_beetle at 3:41 PM on November 9, 2007
posted by blue_beetle at 3:41 PM on November 9, 2007
SafeBoot is more of an enterprise solution, but very robust. What level would you say you are looking for, sm, med, lg, enterprise?
posted by zennoshinjou at 4:12 PM on November 9, 2007
posted by zennoshinjou at 4:12 PM on November 9, 2007
Yup. TrueCrypt all the way. Personally, I would password protect the encrypted volume, though, rather than store the key on a USB drive. Isn't it likely that if someone steals the laptop, they will get the USB drive as well?
posted by team lowkey at 5:13 PM on November 9, 2007
posted by team lowkey at 5:13 PM on November 9, 2007
Somewhere I found sweet instructions for making a batch file to lock and unlock a truecrypt volume, and I use it religously. If it's on a USB key, you can even set it to autorun upon insertion.
posted by TomMelee at 5:58 PM on November 9, 2007
posted by TomMelee at 5:58 PM on November 9, 2007
Response by poster: TrueCrypt is definitely the right direction, but not if it only works with administrator access.
There are about 20 people that will be doing this so it's not enterprise-level, and NG to make them all admins.
@TomMelee: do you have that script handy? If part of the script/autorun will do the privilege elevation (and undo afterward), then that will do the trick. Email's in my profile...
posted by bartleby at 6:07 PM on November 9, 2007
There are about 20 people that will be doing this so it's not enterprise-level, and NG to make them all admins.
@TomMelee: do you have that script handy? If part of the script/autorun will do the privilege elevation (and undo afterward), then that will do the trick. Email's in my profile...
posted by bartleby at 6:07 PM on November 9, 2007
It's on the key that's in the safe at work. Here's what I found quickly: (and no it doesn't do privilege elevation to administrator status)
1
2
3
A little googlefu was indicating that the "runas" command was all you'd really need to add to the batch file to make it run as administrator. The issue though is that it seems that this requires placing the admin password inside the batch file. Perhaps you could lock the batch to editing?
posted by TomMelee at 6:16 PM on November 9, 2007
1
2
3
A little googlefu was indicating that the "runas" command was all you'd really need to add to the batch file to make it run as administrator. The issue though is that it seems that this requires placing the admin password inside the batch file. Perhaps you could lock the batch to editing?
posted by TomMelee at 6:16 PM on November 9, 2007
I use PGP to lock my ost file for Outlook and my "Network Admin" folder
posted by evilelvis at 7:12 PM on November 9, 2007
posted by evilelvis at 7:12 PM on November 9, 2007
bartleby, have you been over to Lifehacker to see what they have to say? It's worth taking a look. When I did a search using "encrypt data," I got a long article debating the pros and cons of TrueCrypt, as well as alternatives and workarounds.
posted by librarylis at 1:41 AM on November 10, 2007 [1 favorite]
posted by librarylis at 1:41 AM on November 10, 2007 [1 favorite]
This thread is closed to new comments.
posted by mbatch at 3:05 PM on November 9, 2007