[FDE] Intro and EFS as a viable FDE solution?

Curt Wilson curtw at siu.edu
Wed Nov 8 09:40:37 MST 2006


Disclaimer: I'm not a crypto expert.

My understanding on breaking EFS was that the local Administrator
account was automatically a key recovery agent, and therefore if someone
can obtain the system, boot into a Linux distro and edit out the
Administrator password, reboot, login as Administrator with the now
blanked out password, a recovery could be done that would then allow
decryption of any EFS contents. This leads me to believe that FDE is
the best way to go, because a bootable Linux distro won't be of any use
to an attacker.

If you know otherwise, please let me know. I have not tested this
personally.



Mike Johnson wrote:
> Howdy all,
> 
> Just found this list while looking for information about full disk 
> encryption for an enterprise.  We're approaching it as a two phase 
> implementation, where the first phase may be tossed.  We have a 
> short-term need (mandate) to implement encryption on a few (about fifty) 
> sensitive laptops.  Long term, we want all our laptops encrypted.
> 
> We're looking at EFS because, well, it's free.  We've been doing 
> research on it, its limitations and its weaknesses.  Some of the 
> weaknesses seem to go away once you implement it on domain resident 
> systems.  EFS may simply be a short term solution for us, but we're not 
> sure how it'll scale/work across several thousand laptops.
> 
> Has anyone on this list done FDE on a large scale?
> 
> Oh, and, howdy. :)
> 
> Thanks!
> Mike
> _______________________________________________
> FDE mailing list
> FDE at www.xml-dev.com
> http://www.xml-dev.com/mailman/listinfo/fde


-- 
Curt Wilson
IT Network Security Officer
Southern Illinois University Carbondale
618-453-6237

GnuPG key: http://www.infotech.siu.edu/security/curtw.pub.asc
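A defender's check for the condition this post describes (a local account listed as a recovery agent on EFS files), added here as an example rather than taken from the post or the list: it parses the per-file output of the built-in `cipher /c` tool and flags encrypted files whose recovery certificate list names an account on the local machine. The heading text it looks for ("Users who can decrypt:", "Recovery Certificates:", "No recovery certificate found.") and the sample output below are assumptions about cipher.exe's layout, constructed for this example; the file names, account names and thumbprints are made up.

```powershell
# Added example (not from the original list post): audit which recovery agents
# can decrypt EFS-protected files by parsing `cipher /c` output. The section
# headings matched below are an ASSUMPTION about cipher.exe's text layout.

function ConvertFrom-CipherOutput {
    param([string[]]$Lines)
    $results = @()
    $current = $null
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.TrimEnd()
        # A file entry starts at column 0 with the encryption flag: E (encrypted) or U.
        if ($line -match '^([EU]) (.+)$') {
            if ($current) { $results += $current }
            $current = [pscustomobject]@{
                File      = $Matches[2]
                Encrypted = ($Matches[1] -eq 'E')
                Users     = @()   # accounts whose user certificate can decrypt
                Recovery  = @()   # data recovery agents that can decrypt
            }
            $section = $null
            continue
        }
        if (-not $current) { continue }   # directory banner lines before the first file
        $trimmed = $line.Trim()
        if ($trimmed -match '^Users who can decrypt:')  { $section = 'Users';    continue }
        if ($trimmed -match '^Recovery Certificates:')  { $section = 'Recovery'; continue }
        if ($trimmed -match '^(No recovery certificate|Key Information|Compatibility Level)') { $section = $null; continue }
        if ($trimmed -eq '' -or $trimmed -match '^Certificate thumbprint:') { continue }
        if     ($section -eq 'Users')    { $current.Users    += $trimmed }
        elseif ($section -eq 'Recovery') { $current.Recovery += $trimmed }
    }
    if ($current) { $results += $current }
    return $results
}

function Get-EfsRecoveryReport {
    # Live variant: runs cipher /c over a directory and parses the result.
    param([string]$Path = (Get-Location).Path)
    $output = & cipher.exe /c "$Path\*" 2>&1
    ConvertFrom-CipherOutput -Lines ([string[]]$output)
}

function Test-LocalRecoveryAgent {
    # Returns encrypted entries whose recovery list names a local-machine account.
    param($Entries, [string]$ComputerName = $env:COMPUTERNAME)
    foreach ($entry in $Entries) {
        if (-not $entry.Encrypted) { continue }
        $local = $entry.Recovery | Where-Object { $_ -match "^$([regex]::Escape($ComputerName))\\" }
        if ($local) { $entry }
    }
}

# Constructed sample output (assumed layout) so the parser can be exercised offline.
$SampleCipherOutput = @'
 Listing C:\Data\
 New files added to this directory will not be encrypted.

E payroll.xls
  Compatibility Level:
    Windows XP/Server 2003

  Users who can decrypt:
    LAPTOP01\mjohnson [mjohnson(mjohnson@LAPTOP01)]
    Certificate thumbprint: 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000

  Recovery Certificates:
    LAPTOP01\Administrator [Administrator(Administrator@LAPTOP01)]
    Certificate thumbprint: 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111

  Key Information:
    Algorithm: AES
    Key Length: 256

E notes.txt
  Users who can decrypt:
    LAPTOP01\mjohnson [mjohnson(mjohnson@LAPTOP01)]
    Certificate thumbprint: 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000

  No recovery certificate found.

U readme.txt
'@ -split "`r?`n"

# Usage: swap the sample for (Get-EfsRecoveryReport -Path 'C:\Data') on a real machine.
$entries = ConvertFrom-CipherOutput -Lines $SampleCipherOutput
foreach ($e in $entries) {
    '{0}: encrypted={1}; users={2}; recovery={3}' -f $e.File, $e.Encrypted,
        ($e.Users -join ', '), ($e.Recovery -join ', ')
}
Test-LocalRecoveryAgent -Entries $entries -ComputerName 'LAPTOP01' |
    ForEach-Object { "WARNING: local recovery agent can decrypt $($_.File)" }
```

On the sample, payroll.xls is flagged (its recovery list names LAPTOP01\Administrator) while notes.txt is not. A file with no recovery certificate is still only as safe as the user's own key material, so the report is a starting point for deciding whether EFS alone meets the requirement, not a verdict on it.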


