Educause Security Discussion mailing list archives
Re: Whole Disk Encryption
From: Michael Sana <msana () HPU EDU>
Date: Tue, 17 Jan 2012 21:28:09 +0000
Aloha,

I remember some years back that using native file encryption on machines within scope could possibly violate PCI requirements under section 3.

3.4.1 If disk encryption is used (rather than file- or column-level database encryption), logical access must be managed independently of native operating system access control mechanisms (for example, by not using local user account databases). Decryption keys must not be tied to user accounts.

Just something to think about. I am definitely NOT a QSA, so if someone could shed some light on the situation or elaborate, that would be great.

mike.sana.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Bradley Jonko
Sent: Tuesday, January 17, 2012 11:17 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption

We currently have PGP (now Symantec) deployed for Windows and Macs, but are desperately looking to move away from PGP in favor of the native solutions (Bitlocker and Filevault). We have been running up against user backlash from the long delays for major OS patching (mostly on the Mac side), which has led to some users outright removing their encryption.

The largest obstacle that our IT folks are worried about if we move to the native encryption is recreating the password recovery mechanisms that are built into most of the commercial products. Has anyone implemented a key escrow/password recovery solution for either/both of the native encryption solutions? If so, was it a homegrown solution?

Thank you,
Brad Jonko
Information Security Office
Stanford University
jonko () stanford edu
650.724.2822

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of SCHALIP, MICHAEL
Sent: Friday, January 06, 2012 9:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption

The biggest drawback for us was no password recovery - lose the password, lose the data....

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Drew Perry
Sent: Friday, January 06, 2012 10:08 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Whole Disk Encryption

@Aaron, TrueCrypt is a great product for individual use. But in a larger environment, it lacks significant enterprise deployment tools. IT staff can back up the Volume Header of encrypted disks for central management, but it requires direct contact with each system. There is no support for remote management, monitoring, or maintenance.

Definitely use it at home and in smaller environments. (For small organizations it's hard to beat the price.) But I wouldn't recommend it for any type of enterprise rollout.

Drew Perry
Security Analyst
Murray State University
(270) 809-4414
aperry () murraystate edu
Save a tree. Please consider the environment before printing this message.

On Fri, Jan 6, 2012 at 10:16 AM, Aaron S. Thompson <athompson () berklee edu> wrote:

Hi All,

Has anyone deployed or has experience with TrueCrypt <http://www.truecrypt.org/>? If so are you happy with it? Any things you would have changed or pitfalls?

Best,
Aaron

- Aaron Thompson
Network Architect for IT Operations
Berklee College of Music
1140 Boylston Street, MS-186-NETT
Boston, MA 02215-3693
www.berklee.edu
617.747.8656

--
This message has been scanned for viruses and dangerous content by MailScanner <http://www.mailscanner.info/>, and is believed to be clean.