Disk lockdown

If you want to protect desktop computers from cyberattacks and sensitive data in stolen laptop computers, disk encryption could be the last line of defense.

Encryption can be done in one of two basic ways: You can choose to encrypt individual files and folders or encrypt the entire disk.

Built-in support called Encrypted File System (EFS) in Microsoft Windows 2000 and XP enables users to encrypt individual files and folders. But this approach does not encrypt other parts of the disk where temporary files, the paging file and the Recycle Bin exist. If an attacker or thief accesses the disk, they can see unencrypted portions and potentially obtain sensitive data.

A far better approach is to encrypt the entire disk. To eliminate the possibility of an attacker or thief accessing an unencrypted disk, the disk-encryption process should start automatically when a computer boots, prior to the launch of the operating system.

We recently examined two products, WinMagic's SecureDoc and PC Guardian's Encryption Plus (EP) Hard Disk, that encrypt the entire disk and insert themselves prior to operating system start-up.

The magic touch

The WinMagic solution exceeds the capabilities of other disk-encryption products by encrypting removable and fixed drives. PC Guardian developers plan to add support for removable drives in an upcoming release of the product.

We had no trouble installing WinMagic's SecureDoc on several Windows 2000 and XP machines. The product's documentation is rather sparse, but a PDF is delivered with the program disks that contain more detailed information.

Agency administrators, particularly those unfamiliar with encryption, will want to view this PDF online or print a hard copy for review prior to installation. Developers could simplify this step for administrators by automatically launching the PDF at the start of the installation process.

After installing the product, we ran the SecureDoc Wizard to configure encryption on our machines. During configuration, we could choose whether to use passwords, tokens, smart cards or biometrics to confirm the identity of users trying to access the disk. In some cases, we selected passwords only, but for other machines, we selected passwords and USB tokens.

We created an emergency disk and then moved on to

SecureDoc's Control Center to select disk drives for encryption. Based on the computers' configuration, some machines took 45 minutes to encrypt while others took closer to 90 minutes. The difference is a result of the size of the disk drives and the processor speed. For example, the product estimates that a 30G hard drive on a 1.8 GHz machine will take approximately one hour to encrypt.

After completing the disk encryption, we configured the boot log-on via the Control Center. This step enabled SecureDoc to initiate before the operating system starts up. Once logged on, we were able to interact with applications and data as usual.

From a user's perspective, the only indications that SecureDoc is at work are the presence of the boot log-on screen and a bit of performance degradation, but the latter was not very noticeable on machines matching the latest configurations.

SecureDoc gives agency administrators several choices for encryption and authentication. They can choose one of several encryption methods, such as Federal Information Processing Standard (FIPS) 140-2, and the methods can be updated or replaced. SecureDoc is validated with Common Criteria Evaluation Assurance Level 1, and company officials have applied for EAL-4 certification.

On the authentication front, SecureDoc supports a number of marketplace smart cards, tokens, biometric devices and software- or hardware-based public-key infrastructure technology. Officials provide a list of supported hardware devices on the company Web site.

Multiple authorized users can access data on a machine.

SecureDoc can store up to 100 main files on a computer. In addition, key files stored on smart cards or floppy disks enable an unlimited number of users to access a particular machine.

Officials at larger agencies will want to examine WinMagic's SecureDoc Enterprise Server, which enables administrators to create and maintain a centralized key database for all users.

In addition, SecureDoc Enterprise Server provides a mechanism that allows administrators to deploy disk encryption enterprisewide. This latter point is especially important if you want to schedule an off-hours, centralized conversion of user disks. PC Guardian also has such useful tools to enable remote deployment and centralized administration.

SecureDoc's compatibility with other system software is good. For example, we observed no conflicts with antivirus software, disk image software, such as Ghost, or multioperating system boot tools, such as Powerquest's BootMagic. Agency administrators should test SecureDoc against agency disk images to ensure complete compatibility.

WinMagic's solution primarily targets Windows-based machines. But company officials plan to eventually support other operating systems, such as Linux.

An easy setup

PC Guardian's EP Hard Disk was easy to set up and use. As long as the person who installs it has administrator rights on the machine, local or remote installation and configuration is available. An administrator can also pre-encrypt hard drives on machines prior to allocating them to users.

We installed and locally configured EP Hard Disk on a number of machines using the User Program. Then we used the User Program Setup Wizard from within the Admin Program, which enabled us to build a customized User Program with specific user settings. For example, we could set the password expiration interval to 30 days. We then executed a remote, silent installation for several desktop computers.

One feature we found particularly useful was an option that enabled us to set the speed of the initial encryption of the disk. For example, you might set the speed faster if you were executing the install and initial encryption overnight. However, we set our speed lower and found that users could continue working while the initial encryption took place in the background.

PC Guardian's written documentation for EP Hard Disk is first rate. However, unlike SecureDoc, we could not locate any online documentation on the EP Hard Disk installation media. PC Guardian officials should consider adding PDF- or HTML-based online documentation to the installation media.

Following the installation, the impact to users on any of the systems we tested was not noticeable. The only visible difference was the addition of the authentication prior to operating system start-up.

Like SecureDoc, EP Hard Disk is certified with Common Criteria EAL-1 and the company is undergoing evaluation for Common Criteria EAL-4. In its newest release, EP Hard Disk also includes support for FIPS 140-2 compliance.

We found no incompatibilities with any of the other software we had installed on our machines. However, as with any other agency deployment, administrators will most likely want to test images prior to deployment to check for compatibility issues.

PC Guardian officials have also included support for Single Sign-On with EP Hard Disk. Following installation, users can log in once prior to the operating system startup, and they will be connected to all agency resources that they are authorized to use.

Another useful module is the Encryption Plus Management Console, which is an optional tool that contains server and client components. The interface provides real-time management and auditing capabilities of EP Hard Disk deployments. In addition to centralizing the management of disk encryption and decryption, the Management Console provides useful tools, such as the ability to revoke a user account remotely.

PC Guardian, like rival SecureDoc, limits current platform support to Windows clients and servers only.

Picking your solution

Agency administrators should consider evaluating both PC Guardian's EP Hard Disk and WinMagic's SecureDoc as part of a proof of concept to bolster their security strategy, particularly if the agency deals with and stores highly sensitive data. In this comparison, we found that EP Hard Disk has a slight edge because of its support for variable speed initial encryption, centralized administration and varied types of deployment options.

If your enterprise requires disk encryption across multiple platforms, you might also want to learn more about available

solutions.

Biggs is a senior engineer and freelance technical writer based in Northern California.

***

Disk encryption across the enterprise

Most large organizations have a diverse set of computing platforms. Perhaps you use one or more Apple Macintosh machines in your technical publications department, or maybe you use IBM's iSeries for transactional processing of sensitive data. Regardless of the platforms in play, if you want to implement an agencywide, cross-platform disk-encryption policy, it is possible to do so.

We haven't found a disk-encryption solution that is truly heterogeneous, so if the agency you work for requires cross-platform disk encryption, you'll need to define a set of requirements and then seek solutions from several vendors. No single-vendor solution exists, but many solutions can plug into your existing desktop and server deployment software.

Pointsec Mobile Technologies offers a wide array of disk-encryption products. For example, Pointsec for PC provides full disk encryption with single sign-on and preboot authentication for Microsoft Windows-based machines. The company also offers a variety of products to secure mobile device disks, such as PalmSource's Palm OS, and real-time encryption for Smartphone-based data. Pointsec officials expect to support disk encryption for Linux early this year.

For midrange and mainframe platforms, the best disk-encryption option will likely be a solution from your hardware provider. For example, people using IBM's zSeries can install a 4758 PCI Cryptographic Coprocessor to enforce disk-based encryption.

IBM's hardware-based disk encryption differs from other solutions. It includes processor resources that execute encryption or decryption processes. By executing those processes using resources on a hardware card, the main system processors are freed to do business logic.

CE-InfoSys' CompuSec PC Security Suite includes disk-encryption options for both Windows and Linux. Like Pointsec and SecureDoc, CompuSec includes support for removable disks. Moreover, it includes preboot authentication and tools to enable centralized administration.

Securstar's DriveCrypt offers the same disk-encryption features as many of its rivals but adds a unique option that allows you to hide an entire operating system. Using this, you can configure two passwords — one for the outer, preconfigured operating system and one for the hidden operating system, which contains confidential or sensitive data.

If users are working in a part of the world where they might be forced to reveal a password, they could provide DriveCrypt's "fake" password, which would let the attacker into the outer operating system. However, the attacker would not see the hidden one or even know it existed.

KremlinEncrypt.com's Kremlin works slightly differently from the other solutions. The product encrypts items on your hard disk when you log off or the device becomes idle, depending on how you configure it. It then decrypts the same information once you are actively using your computer. Of particular interest to administrators at agencies that use Windows and Macintosh desktops, Kremlin allows users to encrypt and decrypt data between the two platforms. Moreover, it can erase memory and deleted data at an interval of your choosing.

Like many solutions, Utimaco Safeware's SafeGuard line of products enables single sign-on and full disk encryption. However, SafeGuard also provides additional protection by enabling encryption for e-mail messages and securing network file systems with encryption.

Sites that run Sun Microsystems' Solaris-based servers have a few options. The company provides a software-based data encryption solution that supports single sign-on. In addition, Sun's operating system includes a built-in cryptographic framework and is capable of working with hardware-based disk-encryption solutions.

Another solution comes from Thales e-Security. The company offers a hardware-based module that inserts into laptop computers. Once Guardisk is installed, the entire disk on the laptop is encrypted, including the boot sector.

Many disk-encryption solutions are available and each covers different platform territory. Therefore, agency information technology leaders will need to define which platforms, encryption and authentication features will be needed to secure their enterprise.