Encryption technologies
support
support at anothermouse.com
Fri Feb 6 21:09:32 CET 2009
Lots of experience with them :)
For my customers that are security aware and take their laptops with
them, I recommend Sony Vaios which have the capability to have
hardware encryption that is transparent to the user. This means that
effectively if the laptop is stolen/lost, the data is secure. Ideally,
it should mean that people don't bother to steal them, but unfortunately
Vaios are nice PCs, and not everyone implements the encryption :(.....so 3
Vaios lost by my customers in the past 2 years.
Next area are those that create an encrypted partition or file. These are
great for providing a high level of security - Always go for full drive
encryption if security is an issue, ...remember that temp files get
created! This software includes the likes of TrueCrypt, BestCrypt etc.
which can be provided to individual 'containers' in which you store your
files. The encryption technology of these is well understood, and often
modular, so you can change the level/complexity/robustness of the
encryption that you use, or comply with local legislative requirements
with respect to encryption. Many of these solutions provide 'plausible
deniability', in that you can deny that the encryption even exists, so
that even under duress, you can deny the existence of the encrypted
items. These solutions are often cross platform compatible, so you can
read them on *nix/doze systems. Main disadvantage is potential key
weakness (human factor), and the fact that there is normally only a
single 'key' to unlock the encryption. Incidentally, encryption
technologies can be difficult to implement on a linux platform, unless
available with the distribution concerned due to integration required
with the kernel/other dependencies required. If you're comfortable
building kernels, then you shouldn't have a problem, although it might
be a bit fiddly.
Next, and my preferred securing mechanism for linux systems that do not
have ample physical security is LUKS. The great advantage of this is
multiple keys available for unlocking the protected media. It's robust,
reliable, and relatively easy to implement, with the option of addition
of administrative keys which can be secured in a safe in the event that
the pass holder is not available after some random reboot/hardware
issue. Unfortunately, as far as I'm aware, LUKS is still *nix only.
However if you don't require the multiple password control, then any of
the true/best crypt type solutions will be more than adequate for most
people.
Of course, having an encrypted filesystem makes data significantly more
complex to access. If something goes wrong with the encryption, then
forget trying to recover the data.....so a good backup policy is a must!
For Windows, you have the 'Secure Safe' functionality, which whilst it
probably is secure(ish), hasn't been opened up to peer review, so I guess
it depends whether you trust M$ programmers? There's also the Encrypted
Filing System (EFS), which is probably secure....but who knows whether
there is a M$ back door....no independent peer review of the coding. I
know what I'd prefer to use to protect my data.
I use various solutions for attacking this type of password protected
item, and normally the ones that don't stand up to an attack fail due to
human choice of password. Always get a computer to pick it for average
users, or protect it with a USB key+passphrase. My master passphrase is
pretty big....but extremely easy to remember.
I'd welcome other people's views on the encryption that they use.
Ooooooooh - This is scary.....the CLUG mailing list has some traffic on it!!
Regards
Peter
Dom Latter wrote:
> > Anybody got experience of using encrypted filesystems?
> >
> > There seem to be many different systems available.
> >
> > Which ones go up to eleven and which ones are only eleven inches high?
>
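
The multiple-key property of LUKS described in the message above, as an added example that is not part of the original post and is not LUKS code: a simplified Python model of key slots, where one random master key is wrapped separately under each passphrase. The names `Volume`, `add_key` and `kill_slot` are hypothetical, the passphrases are constructed, and the XOR wrap stands in for the cipher a real LUKS header uses.

```python
import hashlib, hmac, os

ITER = 20_000  # constructed value; a real setup tunes the iteration count

def _kdf(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITER, dklen=32)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Volume:
    """Toy header: one random master key, wrapped once per key slot."""
    def __init__(self, first_passphrase: str):
        self._digest_salt = os.urandom(16)
        master = os.urandom(32)
        # The digest lets unlock() tell a right passphrase from a wrong one.
        self._digest = _kdf(master, self._digest_salt)
        self.slots = {}
        self._wrap(master, 0, first_passphrase)

    def _wrap(self, master: bytes, slot: int, passphrase: str) -> None:
        salt = os.urandom(16)
        # Simplification: XOR with the slot key instead of a real cipher.
        self.slots[slot] = (salt, _xor(master, _kdf(passphrase.encode(), salt)))

    def unlock(self, passphrase: str):
        """Try every slot; return the master key, or None if none matches."""
        for salt, wrapped in self.slots.values():
            candidate = _xor(wrapped, _kdf(passphrase.encode(), salt))
            check = _kdf(candidate, self._digest_salt)
            if hmac.compare_digest(check, self._digest):
                return candidate
        return None

    def add_key(self, existing: str, new: str, slot: int) -> bool:
        master = self.unlock(existing)  # a new key needs an existing one
        if master is None or slot in self.slots:
            return False
        self._wrap(master, slot, new)
        return True

    def kill_slot(self, slot: int) -> None:
        self.slots.pop(slot, None)  # the data itself is not re-encrypted

def demo():
    user, admin = "user laptop passphrase", "admin key kept in the safe"
    vol = Volume(user)
    vol.add_key(user, admin, slot=1)
    same_master = vol.unlock(user) == vol.unlock(admin)
    vol.kill_slot(0)  # the pass holder is no longer available
    return same_master, vol.unlock(user), vol.unlock(admin) is not None
```

Removing a slot revokes only that passphrase; the remaining slot still yields the same master key, which is why a spare administrative key can sit in a safe.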