
Message from pardonjr@purduecal.edu

Hello,

 

We are in the process of implementing whole disk encryption on our university owned laptops.  Initially, we will be using bitlocker on our Windows computers and I was looking to get some feedback from others on their experiences with roll out and management issues with this technology.

 

Thanks,

 

Jim

 

Please let me know if there is anything additional I can assist you with to ensure the service you received today has been excellent.

 

James R. Pardonek

Assistant Director for Information Security and Assurance

Purdue University Calumet | 2200 169th Street | Hammond, IN 46323

(o) 219.989.2745 | (f) 219.989.2581 | www.purduecal.edu/security

 

 

 


Comments

We use Symantec Endpoint Encryption… and it’s been great!!  Easy maintenance – key recovery options are really nice – and Symantec support has been great, too (when necessary…).

 

M

 

Message from r-safian@northwestern.edu

 

Can I hijack this and ask if there are any good options for Android?

 

We are still struggling with this. US Dept of Interior export laws are giving us fits.  Like most universities, we have a large foreign national population, and some encryption software is highly restricted by both US and foreign governments.  We have heard stories of laptops and even encrypted USB flash sticks being seized at foreign customs and the owners detained by law enforcement.  Don't ask how many meetings and calls to the feds this has entailed!
Bob
 

 
 
Robert E. Meyers,  Ms.Ed.
Educational Program Manager
  Office of Information Security
West Virginia University
office: (304) 293-8502
remeyers@mail.wvu.edu



We began laptop encryption at NKU about 18 months ago using Bitlocker.  We have had no problems with it whatsoever, and plan to begin using MBAM soon.  Primarily this has been in use for new systems as they are purchased and imaged, but there are also several older systems now encrypted (Windows 7).  There are plenty of debates about the use of Bitlocker, but for us it was the only affordable choice, which beats no encryption at all.  So far, so good for us.

 

Message from cthomas@worwic.edu

We are in the process of rolling out WinMagic SecureDoc to our staff and faculty laptop fleet.  We were looking at using bitlocker initially, but ran into a lot of encryption key issues when laptops were used with a port replicator.   

 

Chuck

 

 

Chuck Thomas

Network Administrator

Wor-Wic Community College

32000 Campus Drive

Salisbury, Maryland 21804

 

Voice: 410.334.2931

Email: cthomas@worwic.edu

Web Site: http://www.worwic.edu

 

Message from valdis.kletnieks@vt.edu

On Thu, 05 Jan 2012 15:20:14 EST, Robert Meyers said:
> and foreign governments.  We have heard stories of laptops and even
> encrypted USB flash sticks being seized at foreign customs and the owners
> detained by law enforcement.

OK, I'll bite - what countries besides the US are doing this?

Please see the following:
 
This map is a good graphical reference for import and export restrictions:
 
From our colleagues at Princeton University "May I take my encrypted laptop when traveling internationally?" http://www.princeton.edu/itsecurity/services/encryption/travel/
 
Bob

 
 
Robert E. Meyers,  Ms.Ed.
Educational Program Manager
  Office of Information Security
West Virginia University
office: (304) 293-8502
remeyers@mail.wvu.edu



We implemented Safeboot (now McAfee Endpoint Encryption) on all faculty, staff, and student laptops in 2006 and have been extremely happy with the product.  There have been no significant issues and recovery of failed drives is fairly simple.  Key management for us was a huge issue, as was being able to confidently say that a lost/stolen drive was indeed encrypted at the time it went missing.

 

Sherry Callahan

Information Security Officer

University of Kansas Medical Center

(913) 588-0966

 

 

Message from dean.halter@notes.udayton.edu

The University of Dayton uses Checkpoint Full Disk Encryption (formerly Pointsec) on its laptops.  We've used it in (non-AD environment, WebDAV) since approximately 2007 with few issues so far.

The Princeton page is very well done.  I have to wonder, however, how import/export regulations will evolve as encryption becomes common all the way down to consumer devices.  iPads, for example, have hardware encryption built in (and are made in China - LOL).

Dean
___________
Dean Halter, CISA, CISSP
IT Risk Management Officer, UDit
University of Dayton

"Security is a process, not a product."  Bruce Schneier
Hi All,

Has anyone deployed or has experience with TrueCrypt?  If so are you happy with it?  Any things you would have changed or pitfalls?

Best,

Aaron
-
Aaron Thompson
Network Architect for IT Operations

Berklee College of Music         
1140 Boylston Street, MS-186-NETT
Boston, MA 02215-3693
617.747.8656

Message from aperry@murraystate.edu

@Aaron,

TrueCrypt is a great product for individual use. But in a larger environment, it lacks significant enterprise deployment tools. IT staff can back up the Volume Header of encrypted disks for central management, but it requires direct contact with each system. There is no support for remote management, monitoring, or maintenance. Definitely use it at home and in smaller environments. (For small organizations it's hard to beat the price.) But I wouldn't recommend it for any type of enterprise rollout.

Drew Perry
Security Analyst
Murray State University
(270) 809-4414
aperry@murraystate.edu

Save a tree. Please consider the environment before printing this message.



Hi Aaron,

 

TrueCrypt is a superb (and free) full disk encryption option for personal use. It offers a myriad of encryption options and is both reliable and fast on newer hardware. The reason you don’t see it more widely deployed in the enterprise is due to its lack of centralized management tools (key recovery, remote install, etc.).

 

Best,

alex

 

Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
☛Burk Hall 155 ☎ (415)338-6117 ✉alkeller@sfsu.edu

 

The biggest drawback for us was no password recovery – lose the password, lose the data….

 




There is a password/data recovery method, but it is a process that may be prohibitively inefficient for larger deployments:

"We use TrueCrypt in a corporate/enterprise environment. Is there a way for an administrator to reset a volume password or pre-boot authentication password when a user forgets it (or loses a keyfile)?

Yes. Note that there is no "backdoor" implemented in TrueCrypt. However, there is a way to "reset" volume passwords/keyfiles and pre-boot authentication passwords. After you create a volume, back up its header to a file (select Tools -> Backup Volume Header) before you allow a non-admin user to use the volume. Note that the volume header (which is encrypted with a header key derived from a password/keyfile) contains the master key with which the volume is encrypted. Then ask the user to choose a password, and set it for him/her (Volumes -> Change Volume Password); or generate a user keyfile for him/her. Then you can allow the user to use the volume and to change the password/keyfiles without your assistance/permission. In case he/she forgets his/her password or loses his/her keyfile, you can "reset" the volume password/keyfiles to your original admin password/keyfiles by restoring the volume header from the backup file (Tools -> Restore Volume Header)."
-- http://www.truecrypt.org/faq

Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
☛Burk Hall 155 ☎ (415)338-6117 ✉alkeller@sfsu.edu
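As an added example (not code from the thread, from TrueCrypt, or from any of the posters), here is a small Python model of the header-backup recovery scheme the FAQ describes; the KDF is real PBKDF2, but the header cipher is a labelled stand-in, and the passwords and sample volume contents are constructed.

```python
"""Toy model of the "back up the volume header" recovery scheme described
in the TrueCrypt FAQ quoted above.

Constructed for this thread, not TrueCrypt's real on-disk format: the header
cipher is an HMAC-SHA256 counter keystream plus an HMAC tag (a stand-in for
the real header encryption) and the KDF is PBKDF2-HMAC-SHA256. What is
faithful is the key structure: a random master key encrypts the volume
data; the header holds that master key wrapped under a header key derived
from the password; changing the password only re-wraps the master key, so
a saved copy of an older header still opens the volume.
"""
import hashlib
import hmac
import os
from typing import Optional

KDF_ITERATIONS = 100_000  # demo value; choose per your own threat model
TAG_LEN = 32
SALT_LEN = 16


def derive_header_key(password: str, salt: bytes) -> bytes:
    """Header key from the password (TrueCrypt can also mix in keyfiles)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for the real header cipher."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest())
        counter += 1
    return b"".join(blocks)[:length]


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under key; returns ciphertext || tag."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return ct + hmac.new(key, ct, "sha256").digest()


def unwrap(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the tag fails (wrong key, i.e. wrong password)."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def create_header(password: str, master_key: bytes) -> bytes:
    """Volume header = salt || master key wrapped under the header key."""
    salt = os.urandom(SALT_LEN)
    return salt + wrap(derive_header_key(password, salt), master_key)


def open_header(password: str, header: bytes) -> Optional[bytes]:
    """Recover the master key from a header, or None if the password is wrong."""
    salt, blob = header[:SALT_LEN], header[SALT_LEN:]
    return unwrap(derive_header_key(password, salt), blob)


def change_password(old: str, new: str, header: bytes) -> bytes:
    """Re-wrap the same master key under a new password; volume data is untouched."""
    master_key = open_header(old, header)
    if master_key is None:
        raise ValueError("old password does not open this header")
    return create_header(new, master_key)


def recovery_walkthrough() -> dict:
    """The FAQ procedure end to end: admin creates the volume and backs up the
    header, the user sets a private password and forgets it, and the admin
    restores the backup and opens the volume with the original password."""
    master_key = os.urandom(32)
    sample = b"constructed sample volume contents"
    volume = wrap(master_key, sample)                      # data under the master key

    header = create_header("admin-setup-pw", master_key)   # admin creates the volume
    backup = header                                        # Tools -> Backup Volume Header
    header = change_password("admin-setup-pw", "user-secret", header)  # user's own password

    return {
        "user_opens_live_header": open_header("user-secret", header) == master_key,
        "admin_pw_no_longer_opens_live_header": open_header("admin-setup-pw", header) is None,
        # user forgets the password: Tools -> Restore Volume Header
        "admin_opens_restored_header": open_header("admin-setup-pw", backup) == master_key,
        "data_readable_after_restore": unwrap(open_header("admin-setup-pw", backup), volume) == sample,
        # escrow caveat for defenders: the backup plus the admin password opens the
        # volume for as long as this master key is in use, so treat the backup
        # file as a credential and keep it under access control
        "backup_is_a_standing_credential": open_header("admin-setup-pw", backup) is not None,
    }
```

Restoring the header only makes the original admin password work again; it does not recover the password the user chose.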
Has anyone implemented WDE across the board, for laptops AND workstations? If so, WRT workstations, what issues have been encountered?

________________________________
Paul Howell
University Chief Security Officer
Information & Infrastructure Assurance
Information and Technology Services
The University of Michigan
We haven't implemented WDE on all of our workstations but we do have a significant number of workstations with PGP WDE on them. We haven't had any issues particular to workstations. Early on we had some trouble with the bootloader not recognizing Bluetooth keyboards but that seems to have been resolved at this point. Generally, they have the same issues as laptops with users forgetting their passphrases and occasionally having to do drive recoveries when they get a virus that attempts to change the boot sector or have hardware issues.

-------------Baylor University-------------
Derek Tonkin
Information Security Analyst
Information Technology Services - Security
derek_tonkin@baylor.edu        254-710-7061
---------------Sic 'em Bears---------------
Message from dgrisham@salud.unm.edu

We have implemented workstation and laptop WDE using McAfee, which provides central management and reporting. As WDE using LDAP credentials is not always an option on workstations with a large number of different users, we are now pushing out file and folder encryption, which allows us to also control USBs and their data leakage. McAfee's password recovery works well and we have been able to move that service down to Tier 1 help desk staff.

Cheers
--grish

David D. Grisham
David Grisham, Ph.D., CISM, CRISC
Manager, IT Security, UNM Hospitals, IT Division
Suite 3131 933 Bradbury Drive, SE
Albuquerque, New Mexico 87106
Ph: (505) 272-5657
Department FAX 272-7143, Desk Fax 272-9927

We currently have PGP (now Symantec) deployed for Windows and Macs, but are desperately looking to move away from PGP in favor of the native solutions (Bitlocker and Filevault). We have been running up against user backlash from the long delays for major OS patching (mostly on the Mac side), which has led to some users outright removing their encryption.

 

 

The largest obstacle that our IT folks are worried about if we move to the native encryption is recreating the password recovery mechanisms that are built-in to most of the commercial products.

Has anyone implemented a key escrow/password recovery solution for either/both of the native encryption solutions? If so, was it a homegrown solution?

 

 

Thank you,

Brad Jonko

Information Security Office

Stanford University

jonko@stanford.edu

650.724.2822

 

 

 


 

Message from graham@american.edu

We would also be interested in hearing about any solutions people have come up with to this.

----
Isabelle Graham
Information Security Engineer
American University
VERY GOOD QUESTION!  I'm interested in any responses to this one.  Sorry I don't have any helpful information myself, but sounds like at this point, we're having similar questions.

D/C




 




Aloha,

 

I remember some years back that using native file encryption on machines within scope could possibly violate PCI requirements under section 3. 

 

3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts.

 

Just something to think about.  I am definitely  NOT a QSA, so if someone could shed some light on the situation or elaborate, that would be great. 

 

mike.sana.

 

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Bradley Jonko
Sent: Tuesday, January 17, 2012 11:17 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Whole Disk Encryption

 

We currently have PGP (now Symantec) deployed for Windows and Macs, but are desperately looking to move away from PGP in favor of the native solutions (BitLocker and FileVault). We have been running up against user backlash from the long delays for major OS patching (mostly on the Mac side), which has led to some users outright removing their encryption.

The largest obstacle that our IT folks are worried about if we move to the native encryption is recreating the password recovery mechanisms that are built-in to most of the commercial products.

Has anyone implemented a key escrow/password recovery solution for either/both of the native encryption solutions? If so, was it a homegrown solution?

Thank you,

Brad Jonko
Information Security Office
Stanford University
jonko@stanford.edu
650.724.2822

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Friday, January 06, 2012 9:36 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Whole Disk Encryption

The biggest drawback for us was no password recovery – lose the password, lose the data….

Message from win-hied@bradjudy.com

I don’t know about FileVault, but since BitLocker relies on a TPM chip to protect the decryption keys, I expect it would meet this requirement. 

Brad Judy
Emory University

Assuming that all laptops are in a domain and that you push settings with GPO, BitLocker key recovery is decent. If you combine the built-in AD tools with SCCM, it's nearly as good as PGP. You will have ample opportunity to gain experience with it, because even with the most liberal PCR settings, users will violate the boot integrity check frequently, and at the most inconvenient times. We have about 100 PCs running BitLocker, but I would not recommend it.

There is no supported enterprise escrow for FileVault 2. If all laptops are imaged and encrypted by central IT techs, then it ought to be possible to come up with manual procedures, just like some people did with TrueCrypt. If encryption is decentralized, forget about it.
--
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
CMC135: 507-222-7079 Cell: 952-292-6529

Message from mmaloney@middlesexcc.edu

We started out using Pointsec on laptops for encryption (XP installs), and while it was great, maintaining the recovery keys and such was not the easiest thing to do. With Windows 7, any laptop that gets deployed gets BitLocker with the pre-boot PIN. As we deploy Windows 7 desktops to offices, they are being deployed with BitLocker, but without the pre-boot PIN. The goal behind encrypting the desktops was to prevent data from leaving the college for reasons other than theft (drive replacement under warranty, drive removed from desktop and getting misplaced, etc etc). All of our hardware based Server 2008 servers are encrypted with BitLocker as well. We manage the recovery keys thru GPO and AD, as well as saving each recovery key on a flash drive that is stored in our safe.

One downside to FDE is any utility that boots to a CD/USB will not recognize the hard drive. So if you have to run say a rescue disk from an A/V vendor to try and get rid of a virus, it won't work. The drive will need to be decrypted first. And that can be a plus, as utilities such as the NT Password/Registry Editor can't be used to break the admin password and gain access to the drive if someone gets it.

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY@LISTSERV.EDUCAUSE.EDU] On Behalf Of Howell, Paul
Sent: Friday, January 13, 2012 6:45 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: {SPAM?} Re: [SECURITY] Whole Disk Encryption
Importance: Low

Has anyone implemented WDE across the board, for laptops AND workstations? If so, WRT workstations, what issues have been encountered?

________________________________
Paul Howell
University Chief Security Officer
Information & Infrastructure Assurance
Information and Technology Services
The University of Michigan

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY@LISTSERV.EDUCAUSE.EDU] on behalf of Alexander Kurt Keller [alkeller@SFSU.EDU]
Sent: Friday, January 06, 2012 1:04 PM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Whole Disk Encryption

There is a password/data recovery method, but it is a process that may be prohibitively inefficient for larger deployments:

"We use TrueCrypt in a corporate/enterprise environment. Is there a way for an administrator to reset a volume password or pre-boot authentication password when a user forgets it (or loses a keyfile)?

Yes. Note that there is no "backdoor" implemented in TrueCrypt. However, there is a way to "reset" volume passwords/keyfiles and pre-boot authentication passwords. After you create a volume, back up its header to a file (select Tools -> Backup Volume Header) before you allow a non-admin user to use the volume. Note that the volume header (which is encrypted with a header key derived from a password/keyfile) contains the master key with which the volume is encrypted. Then ask the user to choose a password, and set it for him/her (Volumes -> Change Volume Password); or generate a user keyfile for him/her. Then you can allow the user to use the volume and to change the password/keyfiles without your assistance/permission. In case he/she forgets his/her password or loses his/her keyfile, you can "reset" the volume password/keyfiles to your original admin password/keyfiles by restoring the volume header from the backup file (Tools -> Restore Volume Header)."
-- http://www.truecrypt.org/faq

Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
☛ Burk Hall 155
☎ (415) 338-6117
✉ alkeller@sfsu.edu
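The header-reset procedure in the FAQ Alex quotes, as an added Python model that is not code from the thread or from TrueCrypt: a master key that never changes is wrapped in a header under a password-derived key, so restoring an escrowed copy of the header re-enables the admin password without touching the encrypted data. The cipher is a toy HMAC keystream standing in for TrueCrypt's XTS mode, and every function name, password and sample string is constructed for this example.

```python
import hashlib, hmac, os
from typing import Optional

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stand-in for the volume cipher (NOT TrueCrypt's XTS): HMAC counter keystream.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _header_key(password: str, salt: bytes) -> bytes:
    # Header key derived from the password; a password change replaces only this.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, 32)

def make_header(master_key: bytes, password: str) -> bytes:
    """Wrap the (never-changing) master key under a password-derived header key."""
    salt = os.urandom(16)
    hk = _header_key(password, salt)
    wrapped = _keystream_xor(hk, master_key)
    tag = hmac.new(hk, wrapped, hashlib.sha256).digest()  # rejects a wrong password
    return salt + wrapped + tag

def open_header(header: bytes, password: str) -> Optional[bytes]:
    """Return the master key, or None when the password does not fit this header."""
    salt, wrapped, tag = header[:16], header[16:48], header[48:]
    hk = _header_key(password, salt)
    if not hmac.compare_digest(hmac.new(hk, wrapped, hashlib.sha256).digest(), tag):
        return None
    return _keystream_xor(hk, wrapped)

def change_password(header: bytes, old_pw: str, new_pw: str) -> bytes:
    # Re-wrap the same master key; the encrypted data itself is never rewritten.
    mk = open_header(header, old_pw)
    if mk is None:
        raise ValueError("old password rejected")
    return make_header(mk, new_pw)

def demo_reset() -> dict:
    """Walk the FAQ procedure: escrow the header, hand the volume over, restore on lockout."""
    master_key = os.urandom(32)
    ciphertext = _keystream_xor(master_key, b"constructed sample: payroll notes")
    header = make_header(master_key, "admin-escrow-pw")
    backup = header  # Tools -> Backup Volume Header, done before the user gets the volume
    header = change_password(header, "admin-escrow-pw", "user-pw-1")
    header = change_password(header, "user-pw-1", "user-pw-2")  # user changes it alone
    locked_out = open_header(header, "admin-escrow-pw") is None  # admin pw no longer fits
    mk = open_header(backup, "admin-escrow-pw")  # Tools -> Restore Volume Header
    data = _keystream_xor(mk, ciphertext) if mk else b""
    return {"locked_out": locked_out, "data_readable": data.startswith(b"constructed")}
```

The same model shows the risk side of the procedure: whoever holds the escrowed header and the admin password can open the volume no matter how often the user changes their own password, so header backups need the same protection as the keys they contain.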