Full Drive Encryption

Hello

Does anyone have an experience with drive encryption software? i am trying to source some software to encrypt around 80 laptops, i have came across a few so far, but wanted to get a feel for what people are using.

Also does the software you are currently using have a central management client?

We use Safeboot which has a central managment client, does the job well, sometimes too well if an account gets locked out...

We use TrueCrypt, no central management as far as I am aware so might not be right for your application

We use the PGP disk encryption product. I can't comment on it's management as I am just an end user of it but it seems ok and doesn't have to much of a performance impact as long as the laptops are a reasonable spec, (particular with respect to memory).

Ive just done the same process and decided to go with hardware encryption with seagate encyrpted hard disks provided by Dell with our new machines.

As my firm is in the process of a laptop refresh (over a period of time) and we dont require every laptop user to be encrypted. It seemed the best option.

All our current laptop fleet are arround 3-5 years old, IBM X41, R51 etc and they are extremely slow to the end user. Add the overhead of a software encryption product to an old flaky laptop and they become near unusable.

i tried safeboot (actually bought some licences for this) PGP, Safenet and a few others id recomend you do the same. Ofcourse you probably dont want to replace all your laptops so you cant go down the same route i did. But i was put off software encryption mainly by the performance on a aging laptop. I would have thought a newer laptop would be able to handle it much better.

Get a trial from the different vendors and test it out, i found there sales guys more than willing to give me a trial, demo there product and take me out to lunch etc.

I find Safeboot is the most common in an enterprise environment.

We use SafeGuard which is now a Sophos product (was Utimaco), centrally managed etc.

I've used Utimaco products for yonks in various guises on PDAs and laptops, and whilst I wasn't involved in choosing the product at my current place of work they decided to go with SafeGuard.

It's not bad, the downsides with it are the same as with all enterpise type products it seems, the good old challange response and pre boot authentication causes issues with some idiots, sorry I mean people

Where my other half works they use safeboot, she hates it. We had a new starter the other week who said they used safeboot in their old job and what were we using, he said he was glad it wasn't safeboot

Performance has been fine, there's no real difference once the initial full encryption process has completed, which takes around 3 or 4 houts for an 80 gig disk, scale up accordingly. However all these laptops are only a few years old, they are either Lenovo T60, X60 or X61 units.

I've also been asked to look at some 'stonewood flagstone' hardware encrypted discs, we need some new laptops and Lenovo are apparently offering these as an option. Got a chap coming down to give us some roadmap meeting next month so will see what they can do.

Hardware encrypted units potentially seem so much less hassle so I'm hoping they are actually decent!

UKDTweak said:

We use Safeboot which has a central managment client, does the job well, sometimes too well if an account gets locked out...

Click to expand...

We use Safeboot and one of our Clients use it. If you can, get the older version before Mcafee bout it and made it poo. If you can't then REALLY make sure you test it on your hardware properly. It killed dozens of our PCs due to various old hardware limitations (it was forced through w/o proper testing alas)

Other than that I would recommend it

- Pea0n

we use safeboot, becrypt and flagstone. When choosing encryption for laptops bare in mind if the laptops are going to be taken to other countries as if they are that will play a fairly major part as to what level of encryption you should legally use

Bry said:

we use safeboot, becrypt and flagstone. When choosing encryption for laptops bare in mind if the laptops are going to be taken to other countries as if they are that will play a fairly major part as to what level of encryption you should legally use

Click to expand...

Yup, we've got specific builds if the machines are being taken to places like China, don't want to go walking in there with an encrypted machine

So are you using the flagstone drives, are they any good?

Yea can't complain about them tbh. Users have 3 changes to enter a password if they forget it or lock themselves out they have to bring it back to us (remote workers) but, thats their own fault.
When compared to the likes of safeboot, while admittedly we r using an old version it is far superior. With flagstone you don't have to waste time encrypting the discs/partitions and we have had problems with safeboot on some of our newer dell e series laptops.
Saying that though flagstone is more expensive.
Tbh i would defo play with both systems or more and see how each one willa ffect your organisation

We're using DriveCrypt. Client-side product is good, but the back end admin tools are a bit crap for large deployments (1000+).

I seem to recall the website contained the line : "If James Bond had encryption software he would have the DriveCrypt Plus Pack." LOL

The other one we've got a few of (about 10) is CheckPoint FDE. Expensive but a bit more flexible then DriveCrypt, and doesn't require a dedicated server.

Bry said:

Yea can't complain about them tbh. Users have 3 changes to enter a password if they forget it or lock themselves out they have to bring it back to us (remote workers) but, thats their own fault.
When compared to the likes of safeboot, while admittedly we r using an old version it is far superior. With flagstone you don't have to waste time encrypting the discs/partitions and we have had problems with safeboot on some of our newer dell e series laptops.
Saying that though flagstone is more expensive.
Tbh i would defo play with both systems or more and see how each one willa ffect your organisation

Click to expand...

Cool, we've been encrypted on out laptops for about 15months now but just when Lenovo offered up these thought we best have a look. They are far too security concious at my place so they'll love them, plus being a local company in our region that suits the business model quite well of supporting local people

If they are that security concious I would assume they are using ironkey memory sticks if memory sticks are used at all?

im an end user of (mcafee) safeboot. didn't notice any performance degredation whilst it was performing the initial encryption, and i don't notice it's there day to day either. this is on a 3/4 year old p4m with 2 gigs memory and a 7200rpm drive. the password reset function is a pita, i liken it to manually activating a copy of xp...! other than that it seems to do the job. personally i would have preferred to see proper encrypted hardware, but thats just me!

Thanks for the comments.

I will take a look at the products above.

Most of the very large banks I have contracted in used SafeBoot, if that's worth anything to you

another vote for truecrypt but let it be known that most major full disk encryption is breakable ...but yes i know it can be hard to do so i just felt like reminding you

We use PGP to encyrpt our entire drives as well as emails. It's pretty good, I find the interface quite straight forward. We had a bit of problems a couple of months ago with some dell software on someones laptop that was stopping it from intercepting emails as they came in and decrypting them.

We use fairly high spec laptops so havent noticed a drop in performance.

The advantage of PGP (and maybe some other programs) is it has blackberyy and windows mobile versions which is handy for us.

Bry said:

If they are that security concious I would assume they are using ironkey memory sticks if memory sticks are used at all?

Click to expand...

Sadly not ironkey, using Sanctuary (or whatever it's called now, 'Lumension Device Control') to encrypt and control USB stuffs.