We recently fielded a few questions regarding a recommendation on a boot time whole drive encryption solution and want to take the opportunity to pass this information along.
QUESTION: For your mobile laptops/tablets, what encryption software (preferably free or reasonably priced) do you use to enable boot time whole drive encryption?
ANSWER: Well unfortunately it isn't free, but the price is quite reasonable to organizations looking to invest in managed security and encryption without taking on the burden of purchasing and maintaining an on-premise encryption management appliance. From our SSAE-16 / SAS70 audited data centers we run virtual managed security appliances from Symantec. From these we install and manage Symantec PGP Whole Disk Encryption. This level of encryption forces password authorization to boot the encrypted device. This prevents access to the boot tables and data from any prompt and protects the drive even if it is removed.
QUESTION: Does the software support the tablets that essentially have no physical keyboard and rely solely on the on-screen keyboard?
ANSWER: Yes our whole disk encryption does support on-screen keyboards as long as the keyboard is accessible at boot time. In most tablets with full operating systems this is a standard feature and does not require the OS to be booted to use the keyboard.
QUESTION: Finally, do you allow users to assign their own encryption password, do you require a certain complexity, or does IT know the password and have it on file (to avoid a user forgetting the password and completely locking usage of the hard drive)?
ANSWER: First, yes users are able to assign their own encrypted password. In Windows machines, we present clients the option to enable single sign-on between encryption and the local Windows password. So the user only needs to know one password to boot and login to Windows on an encrypted device.
Second, we do require a strong level of password complexity. While this can be adjusted to customer preference, it is recommended to use the combination of upper case, lower case, number, and special character.
Finally, we do not keep a list of passwords on our side nor do we recommend the password list be distributed on your side either. In the case of a forgotten password or a terminated employee we have two options for drive access:
- During the encryption setup the user must select from five security questions and provide answers. A user who forgets their password will be challenged all five passwords and must get them all correct then they will be presented with a password change screen; or,
- As a managed service we maintain an administrator override key which allows us to unlock the drive and/or reset encryption passwords.
FINAL THOUGHTS: One of the advantages of using a managed appliance based service is that it can be remotely installed and administered. As a part of our service we help setup and manage encryption policies as well as provide end-user support in the event of an issue.