Educause Security Discussion mailing list archives
Full Disk Encryption vs "encrypting just the data disk"....??
From: "SCHALIP, MICHAEL" <mschalip () CNM EDU>
Date: Wed, 30 Jan 2013 12:03:27 -0700
Hi folks..... Apologies for the hijack, but - here's what we're struggling with:

We run Symantec Endpoint Encryption - whole disk - only on our administrative laptops - but, the boot time hit is bad, plus the process of having to "register users" into the system is more than a lot of folks can handle/manage/understand. So - the idea has been broached of partitioning all admin laptops into an unencrypted C:/boot drive, (thus improving the boot time), but also having an encrypted D:/data disk where everyone will need to store their data. This sounded like a good theory until we were told that even if the boot partition isn't encrypted, the system will still have to go through the SEE pre-boot environment - hence, we may not get any boot time gains.

Which is also driving the discussion toward BitLocker, (especially with some of the recovery improvements that come with BitLocker in a WinServer 2012 environment).....but, I'm not sure if BitLocker doesn't require the same kind of pre-boot process....??

Anyone know if there's an elegant way to encrypt a data drive - not encrypt the boot drive - and not require the system to go through a pre-boot process......AND, allow for some sort of automated and centralized key recovery capability??

Thanks,
Michael

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Grisham
Sent: Wednesday, January 30, 2013 11:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Full Disk Encryption and Media Encryption

We are using McAfee Endpoint Encryption which allows us to apply FDE preboot on laptops and were moving toward AutoBoot on workstations. The McAfee endpoint tool allows us to force encryption if anyone wants to write to a USB or optical media. There's a lot of options and flexibility. As we've been using EPO for quite a while, management has not been a problem.

When we pushed out FDE we had some problems because we didn't check the health of the disks on our laptops prior to encrypting and bricked a few. So take a good look at McAfee endpoint encryption. I know there are other products that others are using and like very much also.

Cheers.-grish
David Grisham, PhD, CISM, CRISC
Manager ITSecurity

Jim Furstenberg <JamesFurstenberg () FERRIS EDU> 1/30/2013 11:22 AM >>>
Full Disk Encryption and Media Encryption

Just wanted to see what vendors (enterprise solutions) folks are using for FDE and MDE needs. We currently have Checkpoint which is very unfriendly so I am looking at options. Any help would be greatly appreciated.

Thank you.

Jim Furstenberg | IT Security Analyst
CISSP, C|EH
"In God we trust, all others bring data." W. Edward Demmings
_________________________________________________________
Ferris State University - National Security Agency Center of Excellence
330 Oak St | Big Rapids, MI 49307
Office: 231.591.5335
Mobile: 231.645.5821
EFax: 888.396.6269
Technical support or call 231-591-4822 local or toll free 877-779-4822

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.