
Introduction to Full Disk Encryption (FDE)

...

  • Select the appropriate software for your goals, environment, and culture. Common solutions include:
    • BitLocker – Windows Vista/7 (Enterprise Edition or Ultimate Edition only)
      • Included with operating system at no extra cost
      • Use with Microsoft Active Directory to centrally store encryption keys (recovery passwords) and to manage BitLocker settings via Group Policy
      • Use with Microsoft System Center Configuration Manager to validate that BitLocker is continuously enabled
    • PGP Whole Disk Encryption – Windows, Mac OS, Linux
      • Best if used with PGP Universal Server
    • TrueCrypt – Windows only
      • Note: TrueCrypt provides system encryption for Windows, Mac OS, and Linux. However, it only provides full disk encryption for Windows operating systems.
    • FileVault2 – Mac (Lion 10.7 only)
    • A more complete list of solutions can be found on the following Wikipedia page: http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software#Features
  • Consider purchasing laptops that include a Trusted Platform Module (TPM). A TPM is an integrated security processor that handles encryption keys and other security tokens in a more secure manner and can provide additional flexibility when determining the user login experience. TPMs are available from most modern, mainstream laptop vendors, including Acer, Dell, HP, Lenovo, Sony, and Toshiba.
  • Select the required login method when booting the computer. For BitLocker, options include requiring a passphrase or PIN, a USB token, the TPM (if applicable), or a combination of the three.
    • Consider the threats you're looking to protect against. If you're only concerned with lost laptops and thefts of opportunity, TPM-only may be sufficient. This provides a more desirable user experience, as users will not be required to enter a PIN, passphrase, or USB token at boot up.
    • If you have a particularly high risk asset, or if you're concerned that a user or system may be specifically targeted, consider requiring a PIN, passphrase, or USB token at boot up for an additional layer of protection.
    • If TPM is not an option, the use of a PIN, passphrase, or USB token is required at boot up.
  • Determine if enterprise management capabilities are needed for the scope of your implementation. This can greatly ease software updates, key recovery and assurance of encryption status.
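The following PowerShell script is an added example, not part of the original guide and not Microsoft's or any listed vendor's code. It shows how the "assurance of encryption status" and boot-authentication choices above can be checked on a single Windows machine using the documented Win32_EncryptableVolume and Win32_Tpm WMI classes (present on Vista/7 and later). The compliance rules, the -RequireTpmPin switch, and the exit codes are this example's own choices; a configuration baseline in System Center Configuration Manager would apply the same logic centrally.

```powershell
# Added example: report whether the OS volume is fully encrypted by BitLocker,
# which boot-time key protectors exist, whether a TPM is present, and whether a
# recovery password (the protector that AD backup stores) is configured.
# Must run elevated. WMI classes are real; rules and switches are this example's.
param(
    [string]$DriveLetter = $env:SystemDrive,   # e.g. "C:"
    [switch]$RequireTpmPin                     # use for high-risk / targeted assets
)

$ns  = 'root\cimv2\Security\MicrosoftVolumeEncryption'
$vol = Get-WmiObject -Namespace $ns -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue |
       Where-Object { $_.DriveLetter -eq $DriveLetter }
if (-not $vol) {
    Write-Output "No encryptable volume for $DriveLetter (BitLocker not available on this edition?)"
    exit 2
}

# Value-to-name tables taken from the Win32_EncryptableVolume method documentation
$protectionNames = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }
$conversionNames = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'; 2 = 'EncryptionInProgress';
                      3 = 'DecryptionInProgress'; 4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }
$protectorNames  = @{ 0 = 'Unknown'; 1 = 'TPM'; 2 = 'ExternalKey(USB)'; 3 = 'RecoveryPassword';
                      4 = 'TPM+PIN'; 5 = 'TPM+StartupKey'; 6 = 'TPM+PIN+StartupKey';
                      7 = 'PublicKey'; 8 = 'Passphrase'; 9 = 'TPMCertificate'; 10 = 'CryptoAPI-NG' }

$protection = [int]$vol.GetProtectionStatus().ProtectionStatus
$conversion = [int]$vol.GetConversionStatus().ConversionStatus

# Enumerate every key protector on the volume (type 0 = all) and resolve its kind
$protectorTypes = @()
foreach ($id in @($vol.GetKeyProtectors(0).VolumeKeyProtectorID)) {
    if ($id) { $protectorTypes += [int]$vol.GetKeyProtectorType($id).KeyProtectorType }
}

# TPM presence via the Win32_Tpm class (absent on machines without a TPM)
$tpm        = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
$tpmPresent = [bool]$tpm

# Compliance rules (this example's own): fully encrypted + protection on,
# at least one boot-time protector, a recovery password for key escrow, and
# optionally a PIN combined with the TPM.
$bootTimeTypes = 1, 2, 4, 5, 6, 8        # TPM, USB key, TPM+PIN, TPM+USB, TPM+PIN+USB, passphrase
$encrypted     = ($protection -eq 1) -and ($conversion -eq 1)
$hasBootAuth   = @($protectorTypes | Where-Object { $bootTimeTypes -contains $_ }).Count -gt 0
$hasRecovery   = $protectorTypes -contains 3
$hasTpmPin     = ($protectorTypes -contains 4) -or ($protectorTypes -contains 6)
$compliant     = $encrypted -and $hasBootAuth -and $hasRecovery -and ((-not $RequireTpmPin) -or $hasTpmPin)

[pscustomobject]@{
    Drive            = $DriveLetter
    Protection       = $protectionNames[$protection]
    Conversion       = $conversionNames[$conversion]
    TpmPresent       = $tpmPresent
    KeyProtectors    = ($protectorTypes | ForEach-Object { $protectorNames[$_] }) -join ', '
    RecoveryPassword = $hasRecovery
    TpmPinRequired   = [bool]$RequireTpmPin
    Compliant        = $compliant
} | Format-List

# Exit 0 when compliant so a scheduler or management agent can act on the result
if ($compliant) { exit 0 } else { exit 1 }
```

Run it from an elevated prompt as `.\Check-BitLocker.ps1` for the TPM-only policy described above, or `.\Check-BitLocker.ps1 -RequireTpmPin` for assets where a PIN at boot is required. A non-zero exit with `RecoveryPassword = False` is the case to watch for: the drive may be encrypted, yet no recovery password exists for Active Directory to have backed up, so a forgotten PIN or a TPM replacement would make the data unrecoverable.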

...

Additional Resources in the Guide

...