[FDE] Can you keep a secret? This encrypted drive can...

curtw at siu.edu
Tue Nov 7 23:06:11 MST 2006



I believe pointsec can leverage existing auth stores; we'd had
some discussions internally and if I recall correctly they could
cache a credential from an AD domain. I don't know how it's
cached or stored, or what vulns that might be present there. I'm
putting in my evaluation for pointsec in the near future and we
will kick the tires.

---------Included Message----------
>Date: 7-Nov-2006 21:19:47 -0600
>From: "Saqib Ali" <docbook.xml at gmail.com>
>To: "Bryan Glancey" <bryan at mobilearmor.com>
>Cc: <fde at www.xml-dev.com>
>Subject: Re: [FDE] Can you keep a secret? This encrypted drive can...
>
>Seagate encrypted HDDs and Vista Bitlocker is next on my list to
>evaluate. I will have to get a copy of Mobile Armor. The reason I
>didn't include them in my initial eval was that I didn't know of any
>large companies using that product.
>
>As far as I understand, Seagate's encrypted drives DO NOT impose any
>overhead, that is because it has an onboard ASIC that performs the
>crypto functions. Hardware encryption is much much faster than
>software.
>
>Vista Bitlocker, a software based FDE solution, uses TPM to wrap and
>bind the encryption keys, which makes the key management easier or more
>transparent to the user. But being a software solution, BitLocker
>will still impose considerable overhead. I will publish the results
>once I am done with the eval of BitLocker.
>
>One other reader emailed me asking about how TPM will affect the FDE
>solutions. So here are my thoughts....
>
>As far as the TPM is concerned, I don't think wrapping and binding the
>encryption key using the TPM will impose any overhead, if anything it
>will be faster and more convenient for the user.
>
>Some TPM manufacturers advertise bulk encryption capabilities in their
>TPM chip, but that has yet to be exploited for FDE purpose.
>
>> Large Scale Management
>I will look into this.
>
>> Pre-boot authentication against RADIUS and other network based
>> authentication services
>Good point. I don't think there are any FDE solutions currently
>available that support network based auth services. The boot-loader
>should be small and simple to ensure security. Adding networking
>services might not be a good idea.  Please correct me if I am wrong.
>
>saqib
>http://www.full-disk-encryption.net
>_______________________________________________
>FDE mailing list
>FDE at www.xml-dev.com
>http://www.xml-dev.com/mailman/listinfo/fde
>
>
---------End of Included Message----------
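The quoted message says BitLocker uses the TPM to "wrap and bind" the volume encryption key. The following is an added illustration of what that means, not code from BitLocker, Pointsec or any list member: a simulated TPM in Go that models PCR measurement of the boot chain and seals the volume key to an expected measurement. The storage root key, the PCR extension scheme and the boot component names are all constructed for the example; a real TPM keeps the wrapping key inside the chip and enforces the policy in hardware.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Measurement stands in for one TPM PCR: a running hash of what was booted.
type Measurement [32]byte

// Measure models PCR extension: each boot component is folded into the
// register as PCR = SHA256(PCR || component), starting from all zeros,
// so both the contents and the order of the boot chain matter.
func Measure(components ...string) Measurement {
	var pcr Measurement
	for _, c := range components {
		h := sha256.New()
		h.Write(pcr[:])
		h.Write([]byte(c))
		copy(pcr[:], h.Sum(nil))
	}
	return pcr
}

// Seal wraps volumeKey under kek (the simulated storage root key) with
// AES-GCM and binds the blob to the expected boot measurement by passing
// it as associated data: the measurement is authenticated by the GCM tag
// but never stored in the blob. kek must be 16, 24 or 32 bytes.
func Seal(kek, volumeKey []byte, expected Measurement) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Blob layout: nonce || ciphertext || GCM tag.
	return aead.Seal(nonce, nonce, volumeKey, expected[:]), nil
}

// Unseal releases the volume key only if the current boot measurement
// equals the one the blob was sealed to; any other boot path fails the
// GCM tag check and the key stays locked.
func Unseal(kek, blob []byte, current Measurement) ([]byte, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	key, err := aead.Open(nil, nonce, ct, current[:])
	if err != nil {
		return nil, errors.New("unseal refused: boot measurement does not match sealed policy")
	}
	return key, nil
}

func main() {
	kek := make([]byte, 32)       // simulated storage root key (stays inside the "TPM")
	volumeKey := make([]byte, 32) // the FDE volume master key being protected
	rand.Read(kek)
	rand.Read(volumeKey)

	// Constructed boot chain; the names are placeholders, not real measurements.
	good := Measure("firmware-v1", "bootloader-v1", "os-kernel-v1")
	blob, err := Seal(kek, volumeKey, good)
	if err != nil {
		panic(err)
	}
	if _, err := Unseal(kek, blob, good); err == nil {
		fmt.Println("expected boot path: volume key released")
	}
	tampered := Measure("firmware-v1", "bootloader-modified", "os-kernel-v1")
	if _, err := Unseal(kek, blob, tampered); err != nil {
		fmt.Println("modified boot path:", err)
	}
}
```

The point the example makes about overhead matches the message: sealing and unsealing touch only the 32-byte volume key once at boot, so the bulk disk encryption cost is unchanged whether or not a TPM is involved. It also shows why "binding" is the security property that matters: an altered bootloader produces a different measurement, and the key is simply not released.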