58 Comments
- m3mn0n, on 10/12/2007, -2/+44
I'm a firm believer in "1.0 has bugs... I'll pass" so no matter how convincing an article from this guy or anyone else, no way in hell I'm getting it before a patch is released.
(not a Microsoft bash, I apply this to everything)
- scrubadub, on 10/12/2007, -10/+37
Truecrypt... opensource, more control/features, free, multiplatform
I can recover a truecrypt partition if the host computer bites it hard with a linux boot disk. And when users forget passwords there HAS to be a way to recover from it / backdoor
You really trust microsoft enough to encrypt your data?
- saqib, on 10/12/2007, -3/+27
The only justification that the article offers to use BitLocker is that since it comes with Vista for free one should use it. That is no justification!
EFS came with WinXP for free so why isn't everyone using it? In fact I was talking with Security guru at Microsoft Consulting and he mentioned that even their group doesn't use EFS, instead they use Winzip with AES. :)
Full Disk Encryption (Definition: http://www.full-disk-encryption.net/ ) is a serious business and care must be taken when implementing it. In fact most people who talk about FDE don't know the difference between "disk encryption" and "full disk encryption", and that is why you will see TrueCrypt being recommended every time there is a mention of FDE. I don't know why people do that. TrueCrypt is not even a FDE product, even the author doesn't claim that.
I have been working with FDE products for a long time. The chances of users locking themselves out are very high. In fact when implementing FDE we recommend use of secure network based backup for data recovery.
The encryption products can be divided into the following categories:
1) File/Folder encryption (e.g. EFS)
2) Encrypted File Vaults (e.g. TrueCrypt)
3) Policy based encryption (e.g. Credant, or Pointsec PME)
4) Full Disk Encryption (e.g. Pointsec or Utimaco FDE)
Some users may need 1 or more of the above mentioned solutions.
Any FDE implementation must support secure data recovery, whether it be through Challenge/Response Password recovery or other network based means. See http://en.wikipedia.org/wiki/FDE
- eplawless, on 10/12/2007, -5/+23
So far, Vista's been pretty clean for me, I haven't run into any bugs at all after a few weeks of use and there haven't been any security vulnerabilities. I'm actually kind of terrified because if Microsoft got security right on an operating system the world might come to an end.
- betasp, on 10/12/2007, -1/+14
"Since most large shops are going to upgrade to Vista anyway, why not use your need for laptop encryption as a rationale to jump on the Windows Vista bandwagon in 2007?"
...because we are smart enough to realize that stability and compatibility are fundamental to productivity.
- inactive, on 10/12/2007, -1/+13
You dive right in. I'll watch.
- Muti, on 10/12/2007, -0/+11
I disagree with you. Have you ever hibernated your laptop? Do you use virtual memory (a page file)? If so, you've written raw memory to disk and stored it in plaintext. A full disk encryption solution will make sure that ALL data written to the hard disk is encrypted.
- GliTCH82, on 10/12/2007, -2/+13
"Vista seems to be extremely busy with the hard drive"
That's because it's indexing. The code is actually quite efficient and the only thing I notice on my high-end system is the sound of drives clicking away, never a performance drop especially when I need it the most, but I would imagine that if I ran Vista on a laptop I would turn search indexing off.
Indexing isn't always needlessly clacking away your drives either, it only kicks in heavily after it notices new files in any user profile folder which it assumes are documents or media being created, copied or moved over. Once Vista's been on your computer for a few days and you get settled in, have all your software installed and everything, you'll barely notice it's there, and the benefit of course is obvious when you find what you want really quick from the Start menu.
It could also be RAM. I have 2 GB so I would imagine Vista's not paging on my drive much, but I would think that with the bare 512 MB minimum, which is standard on a lot of laptops nowadays, those conditions are ripe for an ugly bottleneck.
- FearlessFreep, on 10/12/2007, -1/+11
This seems more like an Ad
"You're going to use Vista anyway, do it now and get FDE rather than wait and spend extra"
"Buy now and save!"
- FearlessFreep, on 10/12/2007, -0/+9
"Don't back doors defeat the purpose of proper encryption?"
Unfortunately, security + ease of use is a constant. Making it more secure increases the odds that the user will do something wrong.
- ThirdPrize, on 10/12/2007, -3/+12
Don't back doors defeat the purpose of proper encryption?
- EXreaction, on 10/12/2007, -3/+10
Did you know that Vista had open Beta and RC stages where many bugs were reported and fixed?
Thought not...
- GliTCH82, on 10/12/2007, -2/+8
Windows 2000 user?
- spoonyluv, on 10/12/2007, -1/+7
Actually, it's more of a case of someone using a cliche that doesn't really apply to the discussion just to sound intelligent.
- ThirdPrize, on 10/12/2007, -1/+7
@eplawless
For these guys maybe.
- sponeil, on 10/12/2007, -7/+12
I installed Vista on my company laptop just to test our products on it. If I try to use sleep or hibernate, the system will hang about 75% of the time when I boot it back up. That's using the standard VGA driver. Using the only ATI driver I can get to install, it hangs 100% of the time.
Vista seems to be extremely busy with the hard drive, and of course, laptops have very slow hard drives, which makes the system seem to crawl. The fan always runs on high now, and my battery life has been reduced considerably. Most of the software I've tried to run on it has worked, but it's much slower. Now that Vista is on it, I avoid using the laptop, so I'm less likely to spot bugs. ;-)
- FearlessFreep, on 10/12/2007, -3/+8
Is this a case of putting all your eggs in one basket?
- syneo, on 10/12/2007, -0/+5
> 2) Encrypted File Vaults (e.g. TrueCrypt)
TrueCrypt is not only for encrypted file vaults. It can encrypt a partition or a whole disk (external USB hard drive etc). The only thing it does not do directly is encrypting the boot partition. However, you can sort of achieve that indirectly by encrypting a VMWare disk image.
- GliTCH82, on 10/12/2007, -1/+6
"the person who is encrypting the volume is more likely to let them in through human error, than they are to break the encryption anyway. Full drive encryption would be nice, however the human factor in the equation will need to be trained as well."
I really have no idea what you're talking about, but I assume it has something to do with an unsecured password where it wouldn't matter if your drive was encrypted. That's ultimately not what encryption is for, it's for people who are worried about their laptop being stolen and even with a strong password, the thief/spy wouldn't be able to yank it out and find out what's on it.
No one ever said that encryption is a full security solution, it's only one of many things you can and should do to protect your data.
- thegreenone, on 10/12/2007, -4/+8
Yeah, I have no plans to upgrade to Vista whatsoever and I have a free copy right here at work. In my mind I just don't see the point.
- drFUNK, on 10/12/2007, -3/+7
XP had developer beta testing. It wasn't open to regular consumers like vista's was.
- gildude, on 10/12/2007, -3/+7
Sure. We've been using it for months. It stores the recovery key securely in active directory (thus giving an enterprise recovery scenario without walking to each machine and saving off the key on some USB device or writing them down). Most of the other products either don't have a true enterprise "story", or require that you buy their server and console to do the management and escrowing of recovery keys.
- supershawn, on 10/12/2007, -0/+4
Just realize that, unless your hardware supports TPM (Trusted Platform Module) 1.2, you are not getting the full benefits of Bitlocker. Without TPM, you will have to rely on an external USB device to boot from to get true Bitlocker functionality.
Hopefully Microsoft's inclusion of Bitlocker in Vista will force current encryption products (like PGP and SafeDisk) to open up to other OS's like Mac and Linux.
- spoonyluv, on 10/12/2007, -2/+5
FEAR or reading an article through your own filter?
The truth is that many organizations own Vista through their EA/Software assurance and the upgrade cost does not involve a software component. In addition, the "$100 encryption software" tends to be consumer grade with no enterprise control or recovery mechanisms as those "little add-ons" can cost much much more.
Retrain your staff? If you work in an IT shop and do not spend a part of your time working on understanding future platforms, you should be looking for another line of work. Configured properly, end users should not need retraining because they don't see the 'real' Vista, just like they don't see the 'real' XP or 2000 today.
Hardware upgrades do present a challenge, but laptop replacement cycles tend to be very short today so for a lot of companies this approach may present a viable option.
No, I don't work for MS, I just prefer comments to include some real information.
Paranoia and an agenda do not replace research and knowledge.
- pardonmedoug, on 10/12/2007, -3/+6
Huh, I thought CNet reviewers didn't take bribes. There goes that theory!
Uh yeah, instead of buying a $100 piece of encryption software, buy a $700 OS the day it arrives on the market. Oh, and you'll probably have to upgrade if not replace most of your hardware. Oh, and you'll have to retrain your staff.
But it's worth it because you're paranoid that someone will steal your company's data! FEARFEARFEARFEARFEARFEARFEARFEARBUYMICROSOFT
- GliTCH82, on 10/12/2007, -0/+3
"BitLocker is a good thing, but it doesn't protect you from 99.9% of attacks that involve malware, worms, or social engineering."
Who said it did anything of the kind? It's mainly for protection against physical access and theft, which for many businesses is a real concern.
- Muti, on 10/12/2007, -3/+6
I think you missed the part where he said the recovery key is stored "securely". I imagine the recovery key is encrypted and requires a password or smart card to decrypt it before being able to use it for recovery.
- GliTCH82, on 10/12/2007, -2/+5
I don't know, I'm going on 3 weeks now and Vista is rock solid. I've been testing applications like Quickbooks 2006, Half-Life 2, Visual Studio 2005, SQL 2005 Developer, Photoshop.. whatever I throw at it, it seems to work and do it all at once without crashing at all. I've got more services loaded in here than I ever had with XP, I'm running 2 different sound chips at the same time, I have Aero turned on.
I have even:
- Installed a Logitech branded Widcomm Bluetooth stack meant for XP
- Installed my Logitech G15 keyboard LCD driver meant for XP
- Hacked a copy of Diskeeper 2007 Premium defragmentation software to remove an install condition which limited it to XP, and had it work flawlessly in Vista
- Have multiple Firefox extensions, Java, Flash, and Shockwave all working without a hitch in Aero
- Installed Daemon tools for loading CD images
- Have Beyond TV Link, iTunes 7, Orb, and Reason 3.0 with a Korg MIDI controller (driver for Windows XP) all working under Vista.
I do all that, run whatever combination of applications I want, burn DVDs, watch TV, share files with my 360.. then at the end of the day, I hit my power button and in 3 seconds my computer goes to S3 standby (sleep).
Next morning, I hit the spacebar and in about 5 seconds, Vista is ready to roll.
This operating system is fantastic. With a fast system the advantage over XP becomes obvious, and you realize that XP on high-end computers was a bottleneck all on its own. Vista runs my machine faster than XP did.
I understand how a lot of you are skeptical and given Microsoft's track record, I don't blame you, because I remember all the bugs XP had on its release. This is going to be different. If you're not buying it, just sit back and watch.
- dpcamp, on 10/12/2007, -4/+6
@sponeil
I think it depends on the build you have. I had the same problems with older builds until I upgraded to RC1. It ran a lot smoother. I also noticed updating firmware on the motherboard sped things up too.
- awasson, on 10/12/2007, -3/+5
I have to agree with you here and who says they're going to upgrade to Visa next year or the year after? The industry is rife with large corps running anything from NT to Win98, to Win 2000 not to mention those who are only now getting Windows XP. Governments are the last ones to migrate and they have thousands of desktops.
Workstations cost big money to acquire, set up and maintain. Visa is more demanding than XP which means in many cases it's a hardware and software upgrade. I don't think it will fit everyone's 2007 IT budget unless each copy of Visa comes with a free computer.
That said, I'll have to have a Visa box for R&D
- DigitalDud, on 10/12/2007, -0/+2
US Government agency employees seem to have started a trend of taking confidential data home on laptops, and then getting them stolen. This is where something like Bitlocker shines.
- gildude, on 10/12/2007, -4/+6
Funny; we are getting ready to deploy Vista. Test images on RTM now, full deployment in 2008 with pilots next year. One of the reasons is BitLocker. But we are also going through a "oh crap, deploy something now!" and deploying one of the products mentioned in the article as a tactical solution as well. And like he says - with the intent of throwing it away later...
- sfty, on 10/12/2007, -1/+3
waiting for truecrypt vista release..
- TexasCanuck, on 10/12/2007, -0/+2
I know I'm probably going to get modded down for this, but I really don't understand what the big deal is... Macs have supported encrypted volumes for quite some time now, and TrueCrypt is a great military-grade freeware encryption solution for Windows.
Kudos to MSFT for building this into the kernel finally, but it's kind of hard to get excited about something I've been doing for years now.
- spoonyluv, on 10/12/2007, -1/+3
The world is also filled with corporations that waited on old OSes for too long and suffered many of the consequences, the most expensive of which is usually upgrading when you have to rather than when you plan to.
Finding out that your new LoB app won't work unless you upgrade your OS midway during the project is very common and much more expensive than a controlled upgrade of laptops to a new platform.
- GliTCH82, on 10/12/2007, -0/+1
Actually, yes, I do trust Microsoft to encrypt my data. It takes a lot more effort for a small team of hackers to crack an AES encrypted volume than it would for the entire hacking community, or at least 90% of it, to crack Microsoft's licensing protection on their products. Their licensing has always been weak, and it's so blatantly obvious now I wonder if they don't actually do that on purpose, to get their software out WITHOUT alarming shareholders of the potential of lost profits.
Plus, it was also stated by Microsoft that there are absolutely no backdoor activation methods to this level of encryption, so if you lose access to your own data you are genuinely *****. This is in contrast to what some of the open source crowd have been saying further up in the comments, regarding reset methods and such.
- MioTheGreat, on 10/12/2007, -7/+8
"I installed Vista on my company laptop just to test our products on it. If I try to use sleep or hibernate, the system will hang about 75% of the time when I boot it back up"
You can blame the _incredibly_ ***** drivers from ATI for that (They're especially terrible for laptops!). I've narrowed it down to that, as everything else seems to be working fine.
- GliTCH82, on 10/12/2007, -1/+2
I cannot stress this enough. Any IT dependent or IT light business considering Vista as an upgrade for their infrastructure should do extensive testing first, but the same thing could be said for any system upgrade.
If you are, however, running a network of 15-20 AutoCAD 2006 workstations (2D modeling) at your office, on a Windows Server 2003 domain, with Outlook/Exchange, I will tell you right now Vista is ready to roll from day one.
I think the main problems that will crop up from Vista are in the IT basic or IT strategic segments, where extensive backwards compatibility for the former or ultra-high availability for the latter have not yet been extensively tested and could have a negative impact on the firm.
- Seta, on 10/12/2007, -0/+1
@GLiTCH82
Err, you got half of what I'm after I think... I'm suggesting that in the situations you specified, and if the user doesn't mind the overhead, it's just fine. However a large number of security breaches are user carelessness/caused to begin with.
While this may help in the situation of a stolen laptop, the current implementation is entirely in software and without encryption/decryption specific hardware assistance, and since the bus connecting the hard drives (SATA/PATA) is pretty much the slowest bus in your entire system to begin with, the performance hit from the on the fly encryption/decryption will be too much of an annoyance to pretty much everyone else. Also, as mentioned in a previous post, laptop drives are already some of the slowest drives out there to begin with.
I'm not saying the encryption itself is at fault at all, I agreed with Muti on that point, what I was pointing out was that, as useful as the feature may be when used correctly, that's not going to stop people from not turning it on at all, using weak passwords, or just infecting themselves with any number of trojans, viruses, spyware, malware, etc, and opening their computer up that way.
The human factor I was referring to is just the user itself. The human factor in the security equation is the biggest security risk.
My response was more of a "I agree, however what if..." response, not a "I think you're wrong because..." response.
- CoolWind, on 10/12/2007, -0/+1
Insurance industry employees and many others have had the same misfortune of carrying confidential data around on a laptop which can easily be stolen. Bitlocker is an obvious solution to this problem.
Bitlocker is clearly better than truecrypt if your employees need to carry confidential data on their laptops. Once bitlocker is turned on, you don't have to worry about which directory the employee uses to store various files, because everything is protected.
- Carbsumer, on 10/12/2007, -0/+1
People make far too much of BitLocker. It only protects your data in very narrow circumstances--if your hard disk is stolen out of your computer. Or, if you add a PIN or USB startup key (that has to be entered each time you start your computer), you can protect yourself if either your disk or your whole computer are stolen.
BitLocker is a good thing, but it doesn't protect you from 99.9% of attacks that involve malware, worms, or social engineering. It has a cost, too--your data is much more difficult to recover if something goes wrong. So, you'd better be confident in your backups.
Here's an overview and setup instructions: http://www.vistaclues.com/bitlocker-overview/
- GliTCH82, on 10/12/2007, -0/+1
"Configured properly, end users should not need retraining because they don't see the 'real' Vista, just like they don't see the 'real' XP or 2000 today."
It's almost as if a lot of IT staff believe there's nothing more to Vista than Aero.
The first thing I'm going to do when I install Vista for my clients is turn off Aero. They can probably decide later on if they want it or not, but Aero for me is not a factor when weighing the benefits of a Vista upgrade.
- noseeme, on 10/12/2007, -0/+1
It doesn't matter when you buy a copy of windows, because the service packs are free anyways... Unless you want to wait around four to eight years for Windows Codename "Vienna".
- Hungryhaney, on 10/12/2007, -1/+2
"Since most large shops are going to upgrade to Vista anyway, ..."
Really? I am surprised at that statement, so far the big shops I have talked to/heard from are NOT going to upgrade to Vista in the near future. Some don't even have it on their road maps yet.
I don't think the poster is very realistic.
- toxonix, on 10/12/2007, -4/+4
Microsoft will never 'get the bugs out'. A piece of software as big as a windows release will be end-of-lifed way before they fix all of the outstanding issues.
- inactive, on 10/12/2007, -2/+2
"And when users forget passwords there HAS to be a way to recover from it / backdoor"
TrueCrypt has this?!
- FearlessFreep, on 10/12/2007, -5/+5
"Did you know that Vista had open Beta and RC stages where many bugs were reported and fixed?"
Didn't XP?
- mike503, on 10/12/2007, -0/+0
currently i use drivecrypt to encrypt my entire drive (OS included, it prompts after POST for the passwords)
i wasn't aware that vista had total disk encryption like that. although with microsoft being hammered on by the government and having a bad reputation for some weird business practices, i might think twice before using their version of it ...
however, i agree that full-disk encryption is EXTREMELY useful, and i would personally suggest that ALL machines everywhere - home, mobile, office, anything - be completely encrypted. it's not that you have something to hide necessarily, but you have financial data, IM logs, personal docs, etc... if your stuff was stolen, you can replace the hardware, but can you replace the damage to your reputation/privacy breach/etc?
- Seta, on 10/12/2007, -4/+2
@Muti
...and without dedicated hardware for the encryption/decryption a nice chunk of your drive performance will suffer because of the overhead needed for full software, on the fly encryption/decryption of a volume. If you don't care about the overhead, I agree with you.
However if the person who's breaking into this system to begin with is determined to do so, the person who is encrypting the volume is more likely to let them in through human error, than they are to break the encryption anyway. Full drive encryption would be nice, however the human factor in the equation will need to be trained as well.
- saqib, on 10/12/2007, -6/+4
oh BTW I forgot to mention the following Slashdot article in my last post:
http://ask.slashdot.org/article.pl?sid=06/10/20/2250246
Titled "Why Not Use Full Disk Encryption on Laptops?"