Full disk encryption: Is there a holy grail?
July 10, 2006 4:26 PM Subscribe
Encryptionfilter: I'm looking for a full disk encryption solution for desktop and laptop use.
The ideal solution must be OS agnostic (thus we're probably looking for hardware here). Why should it give a crap what I want on the hard drive? I just want it all encrypted be it Windows, OS X, Linux, whatever. Ideally it would also have a way to use a secure token for two factor authentication.
I'm looking for both desktop and laptop solutions here. My main desktop is a windows only box, so that opens up the field some more if that helps. I haven't yet aquired a notebook, but it may be windows or a mac. In any case, multiboot is probably well assured.
For my desktop, I've looked at PGP Whole Disk Encryption. But it's out because 1) horror stories...I just don't think I trust it and 2) A little pricey...$149+ cost of Aladdin etoken and you're about at $250.
Other solutions have a similar story. They are for enterprise use, not one off licensing, and are priced accordingly.
There's something like: http://www.dlock.com.tw/pcicard.htm
But where the heck do you actually BUY this device? I'm not really down with emailing some random Taiwanese company about some device I don't even know does what it says it does.
I've seen articles about the seagate momentus fde, where the actual hard drive does the encryption seamlessly. This sounds perfect (minus two factor auth), but at last report this was delayed until Q1/2 07. Is there anything similar?
Am I being too picky? Is it too much to hope for an OS agnostic, reliable, two factor, full disk encryption system for a private individual? *wishes the trucrypt people would just write one*
The ideal solution must be OS agnostic (thus we're probably looking for hardware here). Why should it give a crap what I want on the hard drive? I just want it all encrypted be it Windows, OS X, Linux, whatever. Ideally it would also have a way to use a secure token for two factor authentication.
I'm looking for both desktop and laptop solutions here. My main desktop is a windows only box, so that opens up the field some more if that helps. I haven't yet aquired a notebook, but it may be windows or a mac. In any case, multiboot is probably well assured.
For my desktop, I've looked at PGP Whole Disk Encryption. But it's out because 1) horror stories...I just don't think I trust it and 2) A little pricey...$149+ cost of Aladdin etoken and you're about at $250.
Other solutions have a similar story. They are for enterprise use, not one off licensing, and are priced accordingly.
There's something like: http://www.dlock.com.tw/pcicard.htm
But where the heck do you actually BUY this device? I'm not really down with emailing some random Taiwanese company about some device I don't even know does what it says it does.
I've seen articles about the seagate momentus fde, where the actual hard drive does the encryption seamlessly. This sounds perfect (minus two factor auth), but at last report this was delayed until Q1/2 07. Is there anything similar?
Am I being too picky? Is it too much to hope for an OS agnostic, reliable, two factor, full disk encryption system for a private individual? *wishes the trucrypt people would just write one*
I don't know an OS-agnostic method, but here's how one can do it with Ubuntu and Gentoo Linux (for free.) The Gentoo instructions include an option for booting from a USB device and really leaving the whole disk encrypted; the Ubuntu instructions leaves an unencrypted boot partition. (That doesn't represent any inherent limitation of Ubuntu; that's just that document.) But this would only help if it inspired you to switch OSes.
With every month bringing a couple more stories of major security breaches through stolen laptops, I remain surprised that no one's making full disk encryption easier.
posted by Zed_Lopez at 5:13 PM on July 10, 2006
With every month bringing a couple more stories of major security breaches through stolen laptops, I remain surprised that no one's making full disk encryption easier.
posted by Zed_Lopez at 5:13 PM on July 10, 2006
Have you looked at Truecrypt. It's free and runs on Windows and Linux -- not Mac though AFAIK.
It's not encrypting a whole drive per se but you can take, say, a 120GB drive and make practically the whole thing into one big Truecrypt volume. Biggest volume I've made so far is GB.
posted by NailsTheCat at 5:25 PM on July 10, 2006
It's not encrypting a whole drive per se but you can take, say, a 120GB drive and make practically the whole thing into one big Truecrypt volume. Biggest volume I've made so far is GB.
posted by NailsTheCat at 5:25 PM on July 10, 2006
Response by poster: Running OS from usb = ew, not happening for perfomance, size, and portability reasons.
I know of truecrypt (I mentioned it my question). The OS X version is in the works last I checked.
Anyway, I'm looking for a full disk encryption method here. That means EVERYTHING including the operating system(s), any swap, free space, etc. Sure I could JUST have an encrypted space for documents and such, but I want full end to end encryption.
posted by crypticgeek at 5:37 PM on July 10, 2006
I know of truecrypt (I mentioned it my question). The OS X version is in the works last I checked.
Anyway, I'm looking for a full disk encryption method here. That means EVERYTHING including the operating system(s), any swap, free space, etc. Sure I could JUST have an encrypted space for documents and such, but I want full end to end encryption.
posted by crypticgeek at 5:37 PM on July 10, 2006
crypticgeek seems to be aware of TrueCrypt, NailsTheCat. The problem with encrypting just the data is that apps can't be counted on to not leave temporary files with potentially sensitive data lying around. Further, anyone with physical access to your machine and enough determination could potentially install a keylogger (or any of a number of other techniques that could deposit your password or unencrypted data someplace it could be retrieved.) That's why the paranoidcautious don't want to leave the OS unencrypted.
On preview, you probably know this, crypticgeek, but, in the absence of hardware with the crypto in ROM (you wouldn't want it in firmware), something has to be unencrypted -- your CPU doesn't speak gobbledygook. That's why the solutions I linked to involve unencrypted boot partitions either on the disk or on an external USB device. To my knowledge, there isn't anything today with the crypto in ROM that would allow completely full-disk encryption. (I'd bet you can't boot from that Taiwanese PCI card.)
SecureDoc claims to be an OS-agnostic full-disk encryption product. But, as nearly as I can tell from web-surfing their site and reviews of it, it isn't really full-disk -- it installs a cleartext (well, as clear as a binary executable gets) bootloader to handle the decryption.
A reasonably secure approach would be to create an unencrypted boot partition, to make an SHA-256 hash of the whole boot partition, and, prior to booting your machine, boot a USB device that checks the boot partition's hash. If it matches, then you can go ahead and boot the machine into that partition. Cumbersome, but security and convenience have been bitter enemies since the dawn of time.
posted by Zed_Lopez at 6:15 PM on July 10, 2006
On preview, you probably know this, crypticgeek, but, in the absence of hardware with the crypto in ROM (you wouldn't want it in firmware), something has to be unencrypted -- your CPU doesn't speak gobbledygook. That's why the solutions I linked to involve unencrypted boot partitions either on the disk or on an external USB device. To my knowledge, there isn't anything today with the crypto in ROM that would allow completely full-disk encryption. (I'd bet you can't boot from that Taiwanese PCI card.)
SecureDoc claims to be an OS-agnostic full-disk encryption product. But, as nearly as I can tell from web-surfing their site and reviews of it, it isn't really full-disk -- it installs a cleartext (well, as clear as a binary executable gets) bootloader to handle the decryption.
A reasonably secure approach would be to create an unencrypted boot partition, to make an SHA-256 hash of the whole boot partition, and, prior to booting your machine, boot a USB device that checks the boot partition's hash. If it matches, then you can go ahead and boot the machine into that partition. Cumbersome, but security and convenience have been bitter enemies since the dawn of time.
posted by Zed_Lopez at 6:15 PM on July 10, 2006
Well, I can't make your every wish come true, but I can get kind of close.
I worked for an IT department last year before I graduated college, and my 'boss' (senior tech, if you will) and I were asked to secure a computer that would be used to store credit card numbers (WHY, we're still not sure.) We used a program called DriveCrypt, which encrypts the entire drive and requires authentication prior to booting the OS. It can be found here:
http://www.securstar.com/products_drivecryptpp.php
The "PlusPack" is the one that will encrypt an entire OS. It will only work for recent Windows versions, and it doesn't have a 'token' system, but it does require 2 passwords. You might want to try it on a 'test' system before you go encrypting your entire drive, because I seem to remember the password scheme being confusing - you have 2 passwords to boot from a specific drive, but a DIFFERENT password to open the DriveCrypt program. Just make sure you write everything down.
I think you're going to have a tough time finding a solution that does TRUE FULL encryption AND is OS-agnostic. If you read about how DriveCrypt works, it encrypts and decrypts data a sector at a time, which I would imagine requires pretty tight integration with the OS. YMMV.
(P.S. It's amazing how much effort it takes to REALLY lock down a Windows XP computer to keep data from wandering off!)
posted by cebailey at 6:55 PM on July 10, 2006
I worked for an IT department last year before I graduated college, and my 'boss' (senior tech, if you will) and I were asked to secure a computer that would be used to store credit card numbers (WHY, we're still not sure.) We used a program called DriveCrypt, which encrypts the entire drive and requires authentication prior to booting the OS. It can be found here:
http://www.securstar.com/products_drivecryptpp.php
The "PlusPack" is the one that will encrypt an entire OS. It will only work for recent Windows versions, and it doesn't have a 'token' system, but it does require 2 passwords. You might want to try it on a 'test' system before you go encrypting your entire drive, because I seem to remember the password scheme being confusing - you have 2 passwords to boot from a specific drive, but a DIFFERENT password to open the DriveCrypt program. Just make sure you write everything down.
I think you're going to have a tough time finding a solution that does TRUE FULL encryption AND is OS-agnostic. If you read about how DriveCrypt works, it encrypts and decrypts data a sector at a time, which I would imagine requires pretty tight integration with the OS. YMMV.
(P.S. It's amazing how much effort it takes to REALLY lock down a Windows XP computer to keep data from wandering off!)
posted by cebailey at 6:55 PM on July 10, 2006
NetBSD comes with cgd, so that part is easy. But the only way you'd then run Windows is in Wine, or, vmware. Not ideal then.
posted by lundman at 7:24 PM on July 10, 2006
I know of truecrypt (I mentioned it my question)
Ah - so you did. My bad. By way of making up for that here's another suggestion: Move your user profile (My Documents, Application Data, temp file etc.) to within a Truecrypt drive. Instructions on doing that here.
Of course, you would probably wanna set up Truecrypt to mount the drive at startup -- which has some security issues. And further (as you're obviously already aware), any application saving data elsewhere (registry, its own folder etc.) would be exposed.
Zed_Lopez and cebailey seem to have good solutions though. Good luck.
posted by NailsTheCat at 7:48 PM on July 10, 2006
Ah - so you did. My bad. By way of making up for that here's another suggestion: Move your user profile (My Documents, Application Data, temp file etc.) to within a Truecrypt drive. Instructions on doing that here.
Of course, you would probably wanna set up Truecrypt to mount the drive at startup -- which has some security issues. And further (as you're obviously already aware), any application saving data elsewhere (registry, its own folder etc.) would be exposed.
Zed_Lopez and cebailey seem to have good solutions though. Good luck.
posted by NailsTheCat at 7:48 PM on July 10, 2006
Oh, and have you seen Compusec? I'd never heard of it before. Found it via Wikipedia.
posted by NailsTheCat at 7:53 PM on July 10, 2006
posted by NailsTheCat at 7:53 PM on July 10, 2006
I finally set up whole disk encryption, booting from a USB key myself, and looked up this thread.
I should have stressed that it doesn't mean running the OS from USB, just booting. Basically all I need on the flash drive is the bootloader, initrd, and vmlinuz (the initial ramdisk and compressed Linux kernel.) I was surprised it takes less than 16MB -- you'd be hard pressed to find a USB device too small for this.
And I can unplug the key as soon as the system prompts for the password for my encrypted partition.
posted by Zed_Lopez at 12:49 PM on May 25, 2007
I should have stressed that it doesn't mean running the OS from USB, just booting. Basically all I need on the flash drive is the bootloader, initrd, and vmlinuz (the initial ramdisk and compressed Linux kernel.) I was surprised it takes less than 16MB -- you'd be hard pressed to find a USB device too small for this.
And I can unplug the key as soon as the system prompts for the password for my encrypted partition.
posted by Zed_Lopez at 12:49 PM on May 25, 2007
« Older Lost childhood filter: balsa wood gliders | How do I get rid of a large TV no one wants? Newer »
This thread is closed to new comments.
posted by RichardP at 5:02 PM on July 10, 2006