computerwoche.de

Archiv

Deciphering options for laptop encryption

05.12.2005
During the past two weeks, I started up a disk encryption project, one of the technology initiatives under my company's intellectual asset protection program. (I will cover the deployment of the other technology initiative, digital rights management, in a future column.)

Our goal with the disk encryption effort is to prevent the loss of intellectual property stemming from the theft of a laptop. On several occasions, executives' laptops have gone missing or been stolen. One of those missing laptops contained intellectual property and sensitive data, including information on a pending acquisition, product strategy and road maps. Luckily, it was recovered.

Should something like that happen again, we want the data on the laptop's hard drive to be illegible, which means we have to encrypt the entire hard drive. I assembled a team of representatives from our help desk, Windows engineering and Web applications groups and my information security team. After the initial project meeting, which familiarized everyone with the scope of the project and the state of the technology, we considered three products: Microsoft Corp. 's Encryption File System (EFS), PGP Corp. 's Whole Disk and Pointsec Mobile Technologies ' Pointsec for PC.

EFS was attractive in that it comes built into Windows and is therefore basically free. Plus, Microsoft is a large company and we already have a relationship with it, so its viability and support structure aren't unknowns. But we wanted a product that would encrypt the entire hard drive and not just individual files, require no change in the way users utilized their laptops and be compatible across all of our platforms.

So, as appealing as EFS was, it was quickly eliminated, mostly because it can't encrypt the entire volume. Besides that, there are some issues regarding sharing files between Windows XP and Windows 2000, and there's a good chance that files could end up in areas of the drive that aren't encrypted. It's true that we could get around that last problem by using group policies to control the configuration of users' laptops, but the project team had decided against group policies. Finally, EFS doesn't support Linux, which would leave out many of our engineers.

On to PGP. I like PGP, and we use it for e-mail encryption. Almost every security professional I know has a PGP key, and I thought we could integrate that technology with the whole-disk encryption. Unfortunately, the PGP full-disk encryption offering is new, and the project team felt more comfortable with a product that has been around a while and has a history of large deployments.