[FDE] Intro and EFS as a viable FDE solution?

Saqib Ali docbook.xml at gmail.com
Wed Nov 8 17:28:44 MST 2006


Mike,

I make a clear distinction between the following 3 types of data
encryption solutions that are available for laptops:

1) File/Folder level encryption (e.g. EFS)
2) Encrypted File Vaults
3) FDE

One solution cannot substitute for the other. In fact, in some cases you
might need (#3 AND (#1 OR #2)). FDE is only good when the laptop is in
an offline mode. Once you boot the laptop FDE is pretty much useless,
i.e. all data is in a decrypted mode, and can be accessed from the
network. Whereas File/Folder level encryption protects the data from
network based attacks even after the laptop has booted.

CA SB 1386 Senate Bill essentially gives you a "get-out-of-jail-free"
card if you use *any* type of reasonable encryption. However, on the
other hand, Presidential mandate M-06-16 requires encryption of *All Data*,
including OS, Temp files, swap space, etc., on agency laptops. See:
http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

Full disk encryption has several benefits compared to regular
file/folder encryption or encrypted vaults. The following are some
benefits of full disk encryption:

1. Everything, including the swap space and the temporary files, is
encrypted. Encrypting these files is important, as they can reveal
important confidential data.
2. With full disk encryption, the decision of which files to encrypt
is not left up to users.
3. Support for pre-boot authentication.

Just my thoughts....
saqib
http://www.full-disk-encryption.net
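The swap/temp point above is the one that is easiest to get wrong in practice: a laptop can have an encrypted root volume and still page memory out to a plaintext swap partition. The following is an added example, not code from Saqib's post or from the FDE list, that checks this on a Linux laptop using dm-crypt: it parses the `NAME`/`TYPE`/`MOUNTPOINT`/`PKNAME` columns of `lsblk -P` output and walks each required mountpoint's parent chain looking for a `crypt` layer. The two lsblk tables are constructed samples (the device names, volume group and layout are assumptions), so it runs offline; the `__main__` block is what you would run on a real machine.

```python
import shlex
import subprocess

# Constructed sample of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` output:
# LVM-on-LUKS for / and /home, but swap on a plaintext partition (sda3).
# Not captured from a real machine.
SAMPLE_LSBLK_PLAIN_SWAP = """\
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg0-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg0-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cryptroot"
NAME="sda3" TYPE="part" MOUNTPOINT="[SWAP]" PKNAME="sda"
"""

# Constructed sample where swap is a logical volume inside the LUKS container.
SAMPLE_LSBLK_ALL_ENCRYPTED = """\
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg0-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg0-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cryptroot"
NAME="vg0-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="cryptroot"
"""

# Mountpoints whose backing store must be encrypted for the "everything,
# including swap" property to hold. lsblk reports swap as "[SWAP]".
REQUIRED_MOUNTS = ("/", "/home", "[SWAP]")


def parse_lsblk_pairs(text):
    """Parse lsblk -P (KEY="value" pairs) output into {NAME: {column: value}}."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        # shlex strips the double quotes, so 'MOUNTPOINT=""' becomes 'MOUNTPOINT='
        fields = dict(tok.split("=", 1) for tok in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices


def backed_by_crypt(name, devices):
    """Follow PKNAME links up the stack; True if any ancestor is a dm-crypt device."""
    seen = set()
    while name and name not in seen:
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev["TYPE"] == "crypt":
            return True
        name = dev["PKNAME"]
    return False


def audit_mounts(text, required=REQUIRED_MOUNTS):
    """Return {mountpoint: encrypted?}; a required mountpoint missing from the table counts as False."""
    devices = parse_lsblk_pairs(text)
    by_mount = {d["MOUNTPOINT"]: n for n, d in devices.items() if d["MOUNTPOINT"]}
    return {m: (m in by_mount and backed_by_crypt(by_mount[m], devices)) for m in required}


def unprotected(text, required=REQUIRED_MOUNTS):
    """Sorted list of required mountpoints that are not on an encrypted device."""
    return sorted(m for m, ok in audit_mounts(text, required).items() if not ok)


if __name__ == "__main__":
    # On a real Linux host, read the live block device tree instead of the samples.
    live = subprocess.run(
        ["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"],
        capture_output=True, text=True, check=True,
    ).stdout
    for mount, ok in audit_mounts(live).items():
        print(f"{mount:8} {'encrypted' if ok else 'PLAINTEXT'}")
```

Note that `/tmp` on tmpfs does not appear in lsblk because it is not a block device; its pages live in RAM and can be written to swap, which is exactly why the `[SWAP]` entry is in the required list.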

