5

I've been asked to look at full disk encryption software for our mobile users. We're running Windows XP SP3 PCs on a domain and my understanding is that we will not be upgrading to Vista and have no current plans to upgrade to Windows 7. This would seem to rule out BitLocker. We'd like to look at two different types of solutions:

  1. An Active Directory-integrated solution that syncs Domain accounts and passwords for single-sign on to a PC. This solution should allow Domain Admins to access any encrypted drive and gets bonus points if decryption/encrypted disk access authority can be delegated to non-Domain Admins on the Help Desk.
  2. A solution that runs on each PC individually or in some sort of workgroup mode that allows a single master password to decrypt the laptop's drive. Syncing with Domain user accounts and passwords would also be nice, for end-user single-sign on.

The solution must be reliable (e.g. not lose password sync when a user is forced to change her Domain password on the road.) This is a small shop, so ease of administration is important.

The powers that be may rule out TrueCrypt because of its recent security vulnerability, but for the purpose of the question, I'd like to hear how well it meets these requirements. Same thing with BitLocker - it may be ruled out because of a lack of desire to upgrade Windows, but I'm interested in the job it does on Vista/Windows 7.

Carl C
  • 1,028

7 Answers

4

Why, TrueCrypt!

Encrypts an entire partition or storage device such as USB flash drive or hard drive.

Using TrueCrypt Without Administrator Privileges

In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. The reason for that is that TrueCrypt needs a device driver to provide transparent on-the-fly encryption/decryption, and users without administrator privileges cannot install/start device drivers in Windows.

After a system administrator installs TrueCrypt on the system, users without administrator privileges will be able to run TrueCrypt, mount/dismount any type of TrueCrypt volume, load/save data from/to it, and create file-hosted TrueCrypt volumes on the system. However, users without administrator privileges cannot encrypt/format partitions, cannot create NTFS volumes, cannot install/uninstall TrueCrypt, cannot change passwords/keyfiles for TrueCrypt partitions/devices, cannot backup/restore headers of TrueCrypt partitions/devices, and they cannot run TrueCrypt in portable mode.


System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first track of the boot drive and on the TrueCrypt Rescue Disk.

Domain access is after the pre-boot login.

However, if the user needs to change the password and the employer expects to know that password, it is a matter of the employer trusting the user/employee.

nik
  • 7,140
2

We use Guardian Edge Encryption Plus where I work. It's quite easy to use and has a single sign-on feature like you are looking for. I've set it up and used it on several laptops and am impressed with how non-interfering it is. Aside from the initial encryption, its operation is rarely noticed and (in my experience) never impacted the overall performance of the system.

2

We are using PGP Whole Disk Encryption where I work. I was not directly involved with the setup of it so I can't give you a lot of specifics. I do know that it is authenticating against our AD infrastructure, but it does not do single sign-on as the PGP layer happens at boot time before Windows boots, and therefore before there is any Windows network connectivity.

Alex
  • 6,723
1

We use Credant where I work. It's not very well liked, as the performance impact it has on the system is noticeable unless you negate it with a faster drive such as 7200RPM or SSD.

churnd
  • 4,237
1

It might be useful to point out the products that were ultimately selected via the US Government's "SmartBuy" program. These products were selected to secure DAR (data-at-rest) and were all reviewed based on security needs, price, etc. From the agency's web site:

Products are:
* Mobile Armor LLC’s Data Armor
* Safeboot NV’s Safeboot Device Encryption
* Information Security Corp.’s Secret Agent
* SafeNet Inc.’s SafeNet ProtectDrive
* Encryption Solutions Inc.’s SkyLOCK At-Rest
* SPYRUS Inc.’s Talisman/DS Data Security Suite
* WinMagic Inc.’s SecureDoc
* CREDANT Technologies Inc.’s CREDANTMobile Guardian
* GuardianEdge Technologies’ GuardianEdge.

Conspicuously absent are: PGP WDE (I have a lot of respect for PGP, so I've no idea why they were omitted) and BitLocker (newer product, but deployable and manageable in enterprise environments, and very attractive with machines equipped with TPMs).

Also, I don't see mention of hardware-based solutions, like Seagate's Momentus FDE drive with management software by Wave Systems (or Secude's FinallySecure). New purchases could use these drives while existing machines used s/w-based FDE (I believe FinallySecure provides an integrated management for these mixed environments).

Garrett
  • 211
1

We use BeCrypt DiskProtect, which met with the various requirements that were stipulated to us.

I actually work on two different systems / networks, both use BeCrypt. One uses single sign on (unless otherwise specified) and the other is not single sign on.

From a security point of view I believe full disk encryption with single sign on is daft! Keyloggers, people watching what you are typing, and the use of your standard password in all sorts of places mean that once they have one, they have full access to your "secure machine".

I can understand it from an ease and a user point of view, but I believe having the separate logons provides just that extra layer of security.

Kip
  • 897
1

We use SafeBoot at work; however, I don't think it meets your AD requirements, as it has its own server solution with a userid/computer store (hence more admin overhead). It does have a list of who can boot each machine.

I find it slower than BitLocker and takes over the whole drive, MBR and all, which I hate, but no serious issues.

JamesR
  • 1,107