Full Disk Encryption – A (Close to Home) Case Study
This is a follow-up to my previous entry regarding full disk encryption (see: http://monead.com/blog/?p=319). In this entry I’ll look at Blue Slate’s experience with rolling out full disk encryption company-wide.
Blue Slate began experimenting with full disk encryption in 2008. I was actually the first user at our company to have a completely encrypted disk. My biggest surprise was the lack of noticeable impact on system performance. My machine (Gateway M680) was running Windows XP and I had 2GB of RAM and a similarly-sized swap space. Beyond a lot of programming work I do video and audio editing. I did not notice significant impact on editing and rendering of such projects.
Later in 2008, we launched a proof of concept (POC) project involving team members from across the company (technical and non-technical users). This test group utilized laptops with fully encrypted drives for several months. We wanted to assure that we would not have problems with the various software packages that we use. During this time we went through XP service pack releases, major software version upgrades and even a switch of our antivirus solution. We had no reports of encryption-related issues from any of the participants.
By 2009 we were focused on leveraging full disk encryption on every non-server computer in the company. It took some time due to two constraints.
First, we needed to roll out a company-wide backup solution (as mentioned in my previous post on full disk encryption, recovery of files from a corrupted encrypted device is nearly impossible). Second, we needed to work through a variety of scheduling conflicts (we needed physical access to each machine to set up the encryption product) across our decentralized workforce.
During the conversion we found two software products that would not work when installed on an encrypted drive. The first was an older version of Check Point VPN. Once upgraded, though, the new version worked fine.
The other software that did not work well when installed on an encrypted drive was HP ProtectTools. A follow-up with HP verified that this was a known issue. We have a mix of hardware and for our HP machines we simply do not install HP ProtectTools.
I am proud to report that by late 2009 we had met our objective of encrypting all our laptop and desktop machines. Our employees have not reported any performance or usability issues introduced by encryption.
If you are wondering, we chose to use TrueCrypt (truecrypt.org) as our encryption solution. It is open source, very well documented, with active development and support groups. It has a great set of features, including a traveler mode for removable devices that comes in handy when bringing encrypted devices to a machine that does not have TrueCrypt installed.
Some of our PCs have hardware-based encryption available. We decided to deploy TrueCrypt consistently so that we would not have multiple encryption strategies being employed.
For Blue Slate, the effort to get us to this point was absolutely worthwhile. Our clients expect us to ensure the privacy of their information at all times. Using full disk encryption is just another part of our security in depth approach to practicing due care regarding these assets throughout our organization.
Are you still considering a move to this type of solution? Do you have other experiences with the deployment of full disk encryption? If you have also rolled out such technology, what went well and what was a challenge? What products are people using to support device encryption? I’m interested in hearing from you on this very relevant topic.
Tags: data security, disk encryption, encryption, enterprise systems, full disk encryption, linkedin, mitigation, Security, vulnerability