[FDE] compelling reason to do FDE in lieu of EFS?

Anderson, Jaired JWAnderson at mail.bokf.com
Fri Jun 22 08:14:52 MDT 2007


It's my understanding that you cannot encrypt system files (including the
page file) with EFS.

- Jaired

-----Original Message-----
From: fde-bounces at www.xml-dev.com [mailto:fde-bounces at www.xml-dev.com] On
Behalf Of fde-request at www.xml-dev.com
Sent: Friday, June 22, 2007 12:06 AM
To: fde at www.xml-dev.com
Subject: FDE Digest, Vol 9, Issue 13

Send FDE mailing list submissions to
	fde at www.xml-dev.com

To subscribe or unsubscribe via the World Wide Web, visit
	http://www.xml-dev.com/mailman/listinfo/fde
or, via email, send a message with subject or body 'help' to
	fde-request at www.xml-dev.com

You can reach the person managing the list at
	fde-owner at www.xml-dev.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of FDE digest..."


Today's Topics:

   1. compelling reason to do FDE in lieu of EFS? (Garrett M. Groff)
   2. Re: compelling reason to do FDE in lieu of EFS? (Patrick Cahalan)
   3. Re: compelling reason to do FDE in lieu of EFS? (coderman)
   4. Re: compelling reason to do FDE in lieu of EFS? (Michael Jardine)
   5. Re: compelling reason to do FDE in lieu of EFS? (Scott S)


----------------------------------------------------------------------

Message: 1
Date: Thu, 21 Jun 2007 18:17:32 -0400
From: "Garrett M. Groff" <groffg at gmgdesign.com>
Subject: [FDE] compelling reason to do FDE in lieu of EFS?
To: <FDE at www.xml-dev.com>
Message-ID: <007201c7b451$f75e94f0$1e6b880a at softpro.corp>
Content-Type: text/plain; charset="iso-8859-1"

For the average standalone machine that is in need of adequate security (but
not military grade security), is there a compelling reason to use anything
beyond EFS (encrypting file system)? Before you answer, first, let's assume
that the EFS user in question understands that he needs to encrypt his
%temp% folder (or, better yet, all folders under %userprofile%), in addition
to the specific folders to protect that may reside elsewhere in the file
system. Let's also assume that he knows to encrypt his page file(s) (and
hibernation file, if applicable) as well. Isn't that pretty strong security,
assuming Joe Shmoe's password is non-trivial (reasonably long w/ sufficient
entropy)?

Again, I realize that most users don't know to encrypt %temp% or their page
file, but again, for a more savvy user, wouldn't EFS provide a pretty high
level of security for data at rest?

- Garrett G.

------------------------------

Message: 2
Date: Thu, 21 Jun 2007 16:40:59 -0700
From: Patrick Cahalan <psc at cs.caltech.edu>
Subject: Re: [FDE] compelling reason to do FDE in lieu of EFS?
To: fde at www.xml-dev.com
Message-ID: <467B0C8B.3030705 at cs.caltech.edu>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

> Again, I realize that most users don't know to encrypt %temp%
> or their page file, but again, for a more savvy user, wouldn't
> EFS provide a pretty high level of security for data at rest?

Don't forget exception modes, even for "savvy" users.  People,
for the most part, know that they should take steps to secure
their data, but it's difficult to do manually.

For example, would you want your enterprise to rely upon manual
*backups*?  Savvy sysadmins would know that they had to run the
backups on the appropriate day, archive the media properly, etc.
Bet you dollars to donuts that when the day comes that you need
to restore something from tape, you discover that performing
backups just kept drifting down the priority list...

With paranoid enough users, there's plenty of solutions out there
(you don't even need to use an encrypting *file system*, just
pgp-encrypt the appropriate files, for example, and you can get
rid of the page file entirely by just adding more RAM to a
machine).  The problem is, for almost all groups of users
(including groups of 1), there's members of the group who aren't
paranoid enough.


------------------------------

Message: 3
Date: Thu, 21 Jun 2007 18:21:07 -0700
From: coderman <coderman at gmail.com>
Subject: Re: [FDE] compelling reason to do FDE in lieu of EFS?
To: fde at www.xml-dev.com
Message-ID:
	<4ef5fec60706211821q29eee7b0x539dcf1e80c49d4 at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 6/21/07, Garrett M. Groff <groffg at gmgdesign.com> wrote:
> ...
> [ encrypted %temp%, %userprofile%, hibernation store, etc ]
> ... wouldn't EFS provide a pretty high level of security for data at rest?

consider that while data is at rest, the encryption program for access
to the EFS is modified to copy keys to unused partition space which
can be scavenged later or delivered via networked malware.

the big benefit of FDE over EFS is that FDE protects the integrity of
the entire drive while at rest, including operating system and
utilities.  you need to couple this with good host security (an owned
machine cannot be trusted with keys) to be effective, but it is still
a significant benefit.

best regards,


------------------------------

Message: 4
Date: Thu, 21 Jun 2007 20:07:59 -0700
From: "Michael Jardine" <michael.jardine at usa.secude.com>
Subject: Re: [FDE] compelling reason to do FDE in lieu of EFS?
To: <fde at www.xml-dev.com>
Message-ID: <055f01c7b47a$8ab81c80$a0285580$@jardine at usa.secude.com>
Content-Type: text/plain; charset="us-ascii"

Personally, I can't think of a compelling reason not to use Full Disk
Encryption. It takes the decision away from the user.   Even for the
tech-savvy user, why waste your time and energy putting together policies
for what to encrypt, and which temp files, and don't forget to flush the
cache?  It is far simpler to just encrypt the entire drive and be done with
it.  In an enterprise environment, the choice becomes even more obvious.  To
me, the only question is whether to use software-based FDE, or
hardware-based. 

Regards,

Michael
________________________
Michael Jardine
SECUDE IT Security - Seattle

From: fde-bounces at www.xml-dev.com [mailto:fde-bounces at www.xml-dev.com] On
Behalf Of Garrett M. Groff
Sent: Thursday, June 21, 2007 3:18 PM
To: FDE at www.xml-dev.com
Subject: [FDE] compelling reason to do FDE in lieu of EFS?

For the average standalone machine that is in need of adequate security (but
not military grade security), is there a compelling reason to use anything
beyond EFS (encrypting file system)? Before you answer, first, let's assume
that the EFS user in question understands that he needs to encrypt his
%temp% folder (or, better yet, all folders under %userprofile%), in addition
to the specific folders to protect that may reside elsewhere in the file
system. Let's also assume that he knows to encrypt his page file(s) (and
hibernation file, if applicable) as well. Isn't that pretty strong security,
assuming Joe Shmoe's password is non-trivial (reasonably long w/ sufficient
entropy)?

Again, I realize that most users don't know to encrypt %temp% or their page
file, but again, for a more savvy user, wouldn't EFS provide a pretty high
level of security for data at rest?

- Garrett G.


------------------------------

Message: 5
Date: Thu, 21 Jun 2007 18:45:00 -0700 (PDT)
From: Scott S <scott at u.washington.edu>
Subject: Re: [FDE] compelling reason to do FDE in lieu of EFS?
To: fde at www.xml-dev.com
Message-ID:
	<Pine.LNX.4.64.0706211823040.28701 at dante02.u.washington.edu>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

Just to add to the comment below, there are also applications in which the 
default user file locations are not "my documents" but somewhere in the 
application directory under "program files". For example, Lotus Notes puts 
the user's locally replicated email in its directory and so does Palm's 
HotSync replications.

So in addition to the typical user specific directories and temp 
directory, you would have to track down each application and encrypt their 
directories if they have sensitive data. As you can see, things can get 
complicated. The simple solution would be to secure the entire drive.

FDE is not a solution that addresses all the issues related to data 
security, but when the drive is lost or stolen, it is the best thing to 
have.

Scott

On Thu, 21 Jun 2007, Patrick Cahalan wrote:

>> Again, I realize that most users don't know to encrypt %temp%
>> or their page file, but again, for a more savvy user, wouldn't
>> EFS provide a pretty high level of security for data at rest?
>
> Don't forget exception modes, even for "savvy" users.  People,
> for the most part, know that they should take steps to secure
> their data, but it's difficult to do manually.
>
> For example, would you want your enterprise to rely upon manual
> *backups*?  Savvy sysadmins would know that they had to run the
> backups on the appropriate day, archive the media properly, etc.
> Bet you dollars to donuts that when the day comes that you need
> to restore something from tape, you discover that performing
> backups just kept drifting down the priority list...
>
> With paranoid enough users, there's plenty of solutions out there
> (you don't even need to use an encrypting *file system*, just
> pgp-encrypt the appropriate files, for example, and you can get
> rid of the page file entirely by just adding more RAM to a
> machine).  The problem is, for almost all groups of users
> (including groups of 1), there's members of the group who aren't
> paranoid enough.
> _______________________________________________
> FDE mailing list
> FDE at www.xml-dev.com
> http://www.xml-dev.com/mailman/listinfo/fde
>


------------------------------

_______________________________________________
FDE mailing list
FDE at www.xml-dev.com
http://www.xml-dev.com/mailman/listinfo/fde


End of FDE Digest, Vol 9, Issue 13
**********************************
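A coverage audit for the EFS locations the thread enumerates (Garrett's %temp%, %userprofile% and page file; Scott's per-application data directories), added here as an example and not code from the list or any of its posters. It assumes Windows PowerShell 3.0 or later in an elevated prompt; the Lotus Notes and Palm paths are assumptions to adjust per machine.

```powershell
# Added example, not code from the list or its posters: report files under the
# locations the thread names that lack the EFS Encrypted attribute, plus the
# page-file encryption setting. Assumes Windows PowerShell 3.0 or later and an
# elevated prompt; the application paths below are assumptions.

$locations = @(
    $env:TEMP,                                          # %temp% (Garrett)
    $env:USERPROFILE,                                   # everything under %userprofile% (Garrett)
    (Join-Path $env:ProgramFiles 'Lotus\Notes\Data'),   # assumed Notes replica dir (Scott)
    (Join-Path $env:ProgramFiles 'Palm')                # assumed HotSync dir (Scott)
)

function Test-EfsEncrypted {
    param([System.IO.FileSystemInfo]$Item)
    # The Encrypted attribute bit is set on every EFS-protected file or folder.
    [bool]($Item.Attributes -band [System.IO.FileAttributes]::Encrypted)
}

$report = foreach ($loc in $locations) {
    if (-not (Test-Path -LiteralPath $loc)) { continue }
    $files = @(Get-ChildItem -LiteralPath $loc -Recurse -Force -File -ErrorAction SilentlyContinue)
    $plain = @($files | Where-Object { -not (Test-EfsEncrypted $_) })
    [pscustomobject]@{
        Location    = $loc
        Files       = $files.Count
        Unencrypted = $plain.Count
        Sample      = (($plain | Select-Object -First 3).FullName) -join '; '
    }
}
$report | Format-Table -AutoSize -Wrap

# Page file: EFS covers it only when NtfsEncryptPagingFile is 1 (Vista and later;
# the same setting that "fsutil behavior query EncryptPagingFile" reports).
$fsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$pf = (Get-ItemProperty -Path $fsKey -ErrorAction SilentlyContinue).NtfsEncryptPagingFile
"NtfsEncryptPagingFile = $(if ($null -eq $pf) { 0 } else { $pf })"

# Hibernation file: EFS does not protect hiberfil.sys, so just report whether one exists.
"hiberfil.sys present: $([System.IO.File]::Exists("$env:SystemDrive\hiberfil.sys"))"
```

Any location with a non-zero Unencrypted count is data at rest that EFS is not covering, which is exactly the tracking-down work Scott describes and FDE makes unnecessary.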
