[FDE] compelling reason to do FDE in lieu of EFS?
Michael Jardine
michael.jardine at usa.secude.com
Thu Jun 21 21:07:59 MDT 2007
Personally, I can't think of a compelling reason not to use Full Disk
Encryption. It takes the decision away from the user. Even for the
tech-savvy user, why waste your time and energy putting together policies
for what to encrypt, and which temp files, and don't forget to flush the
cache? It is far simpler to just encrypt the entire drive and be done with
it. In an enterprise environment, the choice becomes even more obvious. To
me, the only question is whether to use software-based FDE, or
hardware-based.
Regards,
Michael
________________________
Michael Jardine
SECUDE IT Security - Seattle
From: fde-bounces at www.xml-dev.com [mailto:fde-bounces at www.xml-dev.com] On
Behalf Of Garrett M. Groff
Sent: Thursday, June 21, 2007 3:18 PM
To: FDE at www.xml-dev.com
Subject: [FDE] compelling reason to do FDE in lieu of EFS?
For the average standalone machine that is in need of adequate security (but
not military grade security), is there a compelling reason to use anything
beyond EFS (encrypting file system)? Before you answer, first, let's assume
that the EFS user in question understands that he needs to encrypt his
%temp% folder (or, better yet, all folders under %userprofile%), in addition
to the specific folders to protect that may reside elsewhere in the file
system. Let's also assume that he knows to encrypt his page file(s) (and
hibernation file, if applicable) as well. Isn't that pretty strong security,
assuming Joe Shmoe's password is non-trivial (reasonably long w/ sufficient
entropy)?
Again, I realize that most users don't know to encrypt %temp% or their page
file, but again, for a more savvy user, wouldn't EFS provide a pretty high
level of security for data at rest?
- Garrett G.
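As an added illustration of the EFS housekeeping Garrett describes (not code from either poster), the script below checks whether %TEMP%, %USERPROFILE%, the page file and the hibernation file carry the EFS Encrypted attribute, and reads the two registry values that govern page-file clearing and hibernation. It assumes the default pagefile.sys and hiberfil.sys locations on the system drive and is run from an elevated PowerShell session.

```powershell
# Added example, not part of the original thread. Reports which of the locations
# named in the discussion are EFS-encrypted on this machine. Paths for the page
# file and hibernation file are assumed defaults.

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }   # not present on this box
    $item = Get-Item -LiteralPath $Path -Force                  # -Force: hidden/system files
    return [bool]($item.Attributes -band [IO.FileAttributes]::Encrypted)
}

$systemDrive = $env:SystemDrive
$targets = [ordered]@{
    '%TEMP%'           = $env:TEMP
    '%USERPROFILE%'    = $env:USERPROFILE
    'page file'        = Join-Path $systemDrive 'pagefile.sys'   # assumed default path
    'hibernation file' = Join-Path $systemDrive 'hiberfil.sys'   # assumed default path
}

foreach ($label in $targets.Keys) {
    $state = Test-EfsEncrypted -Path $targets[$label]
    if ($null -eq $state)  { $text = 'absent' }
    elseif ($state)        { $text = 'EFS-encrypted' }
    else                   { $text = 'NOT encrypted' }
    '{0,-18} {1,-40} {2}' -f $label, $targets[$label], $text
}

# Complementary settings: ClearPageFileAtShutdown = 1 wipes the page file on
# shutdown; HibernateEnabled = 0 means no hiberfil.sys is written at all.
$mm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$pwr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
$clear = (Get-ItemProperty -Path $mm  -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
$hib   = (Get-ItemProperty -Path $pwr -Name HibernateEnabled        -ErrorAction SilentlyContinue).HibernateEnabled
"ClearPageFileAtShutdown = $clear   HibernateEnabled = $hib"
```

Any line reporting NOT encrypted is a location where plaintext from an EFS-protected file can still land on disk, which is exactly the bookkeeping that full-disk encryption removes from the user.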