Educause Security Discussion mailing list archives

Re: Laptop encryption


From: David Taylor <ltr () ISC UPENN EDU>
Date: Fri, 5 Oct 2007 13:12:06 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That was very helpful information. Much appreciated. We have just formed
a team to look at whole disk encryption for laptops with sensitive data
on them and had this on the list to look at.


- -------------------------------
David Taylor
University of Pennsylvania
Office of Information Security
215-898-1236
- -------------------------------



_____________________________________________
From: David Seidl [mailto:dseidl () ND EDU]
Sent: Friday, October 05, 2007 10:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Laptop encryption


* PGP Signed by an unverified key: 10/05/07 at 10:54:38

Seagate did a lunch and learn on these at the SANS Network Security
conference - I'd like to get a chance to look at one myself. Here's what
I have in my notes from their presentation:

There are a few caveats right now:

1) The drives are 5400 RPM older generation drives only - they noted
that they were adding encryption to existing platforms rather than
cutting edge devices - thus the lower rotational speed and the 1.5 Gbps
SATA rather than 3.0 Gbps SATA interface.
2) They are not FIPS certified (as a device)
3) Only 2.5" drives are currently available, so this isn't a viable
desktop solution yet.

There are currently two third parties who provide management interfaces
for the drive encryption. If you scale to any great degree, you'll want
to purchase the management software in addition to the drives. Seagate
claimed that the cost with management software was still lower than full
drive encryption and management software that is currently available.

One of my concerns - albeit a relatively minor one at the moment - was
that the firmware that boots them is (from their description) basically
a Linux mini-kernel which accepts user input in the form of a passphrase
to unlock the drive. The Seagate staffers at the conference said that
there was currently no patching method if vulnerabilities were found in
the mini-kernel. I'd hate to have vulnerable or exploitable disk drives
on top of everything else.

David

- ------------------------------------------------------------
David Seidl, CISSP
University of Notre Dame, Office of Information Technologies

David Taylor wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


There is also the Seagate drive that does whole disk encryption. It also
takes most of the performance hit since most of the processing is done
on the drive hardware. Has anyone had any experience with these? I think
they just hit the market recently.

http://www.pcworld.com/businesscenter/article/129734/seagate_ships_supersecure_hard_disk_drive.html


- -------------------------------
David Taylor
University of Pennsylvania
Office of Information Security
215-898-1236
- -------------------------------

* David Seidl <dseidl () nd edu>
* Issuer: Thawte Consulting (Pty) Ltd. - Unverified


-----BEGIN PGP SIGNATURE-----
Version: 9.6.3 (Build 3017)

wj8DBQFHBnBmrFOwyUiOUlwRAvSgAJ9U9qbrc9I8J2WTmsxyDuGYcFCmkQCfQFUY
6FtYA1GfEzh7WDMlcocTxqc=
=aELh
-----END PGP SIGNATURE-----

