RE: harddisk encryption

["Lentila de Vultur" <ledeve () gmx net>]

my comments to your comments:

> 1. If the encryptor encrypts your boot disk, it has to be involved early
> in the
> boot process and may be broken by anything that changes the system boot
> sequence.
> On the whole such a product would likely need two different drivers, one
> of which
> would change BIOS behavior, and the other of which would change runtime
> OS behavior, and they must be in synch with one another.
>
>   This is fine until you decide to change operating systems, at which
> point the boot
> may change and make your old data suddenly disappear. Things on the other
> hand are
> easier if the encrypting disk product only encrypts data devices
> (including virtual
> disks) since only one driver need be used.

in this case you can unencrypt the drive, do the neccessary changes, and
re-encrypt it. con: it's time-consuming.
 
> 2. In the event of disk crash or emergency, unless a tool is provided to
> allow you
> to access the encrypted disk from somewhere else, anything which causes an
> OS to
> become non bootable may be unfixable. You would not normally want such a
> tool online,
> but when you need it, you REALLY need it.

such tools are provided (at least for utimaco and securstar). and they are
small enough to fit on a floppy. of course you need to provide proper
credentials to decrypt anything. the possibility to save the encryption keys
and user authetication data is also provided.

 
> 4. An interesting question to ask of such a package is whether the data in
> any
> disk block is a cipher depending only on a fixed key and the original
> data. If so,
> and the same key is used for every block, there are attacks which can be
> used
> to compromise such a system without having to decrypt it all. If on the
> other hand
> something else is an input, you need to know what else is used and how it
> is
> used and how key scheduling is done, to make any estimate of how strong
> the
> cipher really is.

can you please detail on this? or point me to some documentation.

 
> The Ultimaco literature suggests that many users may have different
> passwords to
> access a computer disk protected by its package. If I were buying it in
> bulk I
> would certainly want to know more about how the key management is done to
> allow
> this. 

i've asked them. but no answer as yet.



thanks.


> -----Original Message-----
> From: full-disclosure-bounces () lists netsys com
> [mailto:full-disclosure-bounces () lists netsys com]On Behalf Of Lentila de
> Vultur
> Sent: Tuesday, February 15, 2005 10:05 AM
> To: full-disclosure () lists netsys com
> Subject: [Full-disclosure] harddisk encryption
>
>
> hi,
>
> sorry for my late answer and for breaking the thread. below you can find
> the
> original post:
>
> <>
> i'm evaluating a software that performs harddisk encryption for deploying
> in
> my company. the software in question is utimaco safeguard easy v4.10
> (www.utimaco.com) running on w2k.
>
> i am interested in communitty's oppinion about this product. has anyone
> performed a detailed analysis of it? i googled around but i couldn't find
> much information, except that the version 3.20 sr1 has earned an eal3
> certification from the german federal agency for it security. 
> </>
>
>
> thank you for all your answers and suggestions on and off the list.
>
> what i like at safeguard easy are the possibility to encrypt full
> harddisks,
> not only files or partitions, and the boot authentication. Frank Knobbe
> suggested encryption plus hard disk from pc guardian - I asked for an
> evaluation copy. google suggested also drive crypt plus pack -
> www.securstar.com.
>
> imho, the main disadvantage of pgpdisk and alike compared with
> full-encryption tools is that valuable data can remain unencrypted in the
> swap file or in temporary files outside the container. When using full 
> harddisk encryption tools no extra user interaction is required,
> everything
> is done transparently. there is no need for user training.
>
>
> -- 
> this e-mail is certified content-free.
>
> Lassen Sie Ihren Gedanken freien Lauf... z.B. per FreeSMS
> GMX bietet bis zu 100 FreeSMS/Monat: http://www.gmx.net/de/go/mail
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
> **********************************************************************
> This transmission may contain information that is privileged, confidential
> and/or exempt from disclosure under applicable law. If you are not the
> intended recipient, you are hereby notified that any disclosure, copying,
> distribution, or use of the information contained herein (including any
> reliance thereon) is STRICTLY PROHIBITED. If you received this
transmission in
> error, please immediately contact the sender and destroy the material in
its
> entirety, whether in electronic or hard copy format. Thank you
> **********************************************************************
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

-- 
this e-mail is certified content-free.

DSL Komplett von GMX +++ Supergünstig und stressfrei einsteigen!
AKTION "Kein Einrichtungspreis" nutzen: http://www.gmx.net/de/go/dsl
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html