[FDE] Can you keep a secret? This encrypted drive can...

Saqib Ali docbook.xml at gmail.com
Fri Nov 3 16:01:27 MST 2006


I compile a lot of software on my laptop, and I *certainly notice* the
difference between my office laptop (no encryption) and my travel
laptop (with FDE). The laptops are exactly the same, with the same
image loaded. The only difference is the FDE software that is
installed on the travel laptop.

That is why I did an analysis of various FDE solutions to find the
best one for my needs. The key thing I was interested in was that it must
be AES 256, reasonably fast, inexpensive, and offer key recovery in
case of password loss.

The final outcome of the analysis is available @
http://www.xml-dev.com/blog/index.php?action=viewtopic&id=250

Compusec is great for home / personal use. It is cheap i.e. $0.00
(Free), and does not slow down the computer as much as the other
products. But that is because it only supports 128 bit AES, which is a
major drawback as most enterprise settings require at least 256 bit
AES. Compusec also has a great online support forum where you can get
your questions answered by Compusec employees and other experienced
users.

I ended up purchasing both Utimaco and Pointsec. They are excellent
products. They both support AES 256. The downside is that they are
a little bit expensive (Pointsec: $170; Utimaco: $200) and slow.

The best thing is they both offer great password / encryption key
recovery capabilities. You can create a recovery disk with both
products.

They also offer password recovery using Challenge / Response sequence,
where the IT Helpdesk can perform a Challenge/Response sequence with
the user to help them recover the password or reset it to a new one.
Of course Challenge/Response password recovery is NOT the most
secure, especially if the user is remote, but you have the option to
disable it on the laptop if you want.

saqib
http://www.full-disk-encryption.net


On 11/2/06, Alexander Klimov <alserkli at inbox.ru> wrote:
> On Wed, 1 Nov 2006, Saqib Ali wrote:
> > Well for one thing, any software based FDE is extremely slow, doubles
> > the file access times, and is a serious drain on the laptop battery.
>
> If a PC is used by an interactive user, it is irrelevant how much
> access time is increased, as far as the user cannot see a difference
> without a timer. Several times I have read that disk encryption is not
> noticeable. My own experience shows that I cannot notice any
> difference: emacs and pine respond immediately to every key-press if I
> use encrypted disk or not; firefox waits for data from network the
> same amount of time; mplayer does not drop frames with or without disk
> encryption; compilation of kernel takes some noticeable time with or
> without encryption, but I don't know how much exactly since I spend
> this time in some other program.
>
> I don't want to say that the difference is irrelevant for all uses,
> e.g., if one edits video with 2k resolution or hosts a busy database,
> they can see very real difference, but such use-cases are minority and
> they are not done on portable computers anyway.
>
> I guess many people here have tried full disk encryption for
> themselves, do you notice any difference in performance or not?
>
> --
> Regards,
> ASK
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
>


-- 
Saqib Ali, CISSP, ISSAP
http://www.full-disk-encryption.net

