One problem I've found with TrueCrypt within our particular setup appears to be related to roaming profiles.
One feature of TC is the ability to set Favorites. This allows you to have TC try to mount favorite file containers. This means the user doesn't have to find the container/partition manually. This works fine except on our laptops when not connected to the domain. It appears that TC stores its favorite information in Documents & Settings and cannot find the info it needs when offline. Since the main reason for using TC is to encrypt data being transported away from the network, this is pretty annoying.
Has anyone else come across this and solved it?
As I understand it, the password relates to the volume header and you can make header backups. This means you can have more than one password, as long as you have the corresponding header.
This is what they say: "After you create a volume, back up its header to a file (select Tools -> Backup Volume Header) before you allow a non-admin user to use the volume. Note that the volume header (which is encrypted with a header key derived from a password/keyfile) contains the master key with which the volume is encrypted. Then ask the user to choose a password, and set it for him/her (Volumes -> Change Volume Password); or generate a user keyfile for him/her. Then you can allow the user to use the volume and to change the password/keyfiles without your assistance/permission. In case he/she forgets his/her password or loses his/her keyfile, you can "reset" the volume password/keyfiles to your original admin password/keyfiles by restoring the volume header from the backup file (Tools -> Restore Volume Header)."
After testing TC I find that there can only be one password in use at a time. When the hard drive is encrypted a backup of the header is made which will allow the original password to be reinstated if a user has subsequently changed it.
So in a nutshell, regardless of what the current password is the HD can be 'unlocked' as long as you have the original password and the backup CD that was made at the time the HD was encrypted.
After a practice run on a spare laptop TC seems straightforward to use and we plan to encrypt all staff laptops before the report session starts this year.
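The header/master-key layering described in the quoted manual text and the poster's test is easy to misread, so here is an added toy model of it (not TrueCrypt's on-disk format or code, and not part of the original post). It keeps the structure the manual describes: the volume data is encrypted with a random master key, the master key lives in a header wrapped under a key derived from the password, a header backup captures the master key under the original admin password, and restoring that backup reverts the password without touching the data. The primitives (PBKDF2 plus an HMAC-SHA256 counter keystream) are stand-ins chosen so the example runs on the Python standard library alone; the function names, the sample passwords and the sample data are all invented for the illustration.

```python
"""Toy model of TrueCrypt-style volume header / master key layering.

Added illustration only: not TrueCrypt's format or code. It models the
mechanism from the manual text quoted above: data is encrypted with a random
master key; the master key is stored in a header encrypted under a key derived
from the password; backing up and restoring the header therefore resets the
password to whatever it was when the backup was taken, with the data untouched.
PBKDF2 and an HMAC-SHA256 keystream replace TrueCrypt's real key derivation and
block cipher so that this runs with the standard library alone.
"""
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 16
KEY_LEN = 32
TAG_LEN = 32
ITERATIONS = 200_000


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for the block cipher TrueCrypt uses.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _header_key(password: str, salt: bytes) -> bytes:
    # "Header key derived from a password" in the manual's wording.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, KEY_LEN)


def make_header(password: str, master_key: bytes) -> bytes:
    """Wrap master_key under the password-derived key. Layout: salt | tag | wrapped."""
    salt = os.urandom(SALT_LEN)
    hk = _header_key(password, salt)
    wrapped = _xor(master_key, _keystream(hk, KEY_LEN))
    tag = hmac.new(hk, wrapped, hashlib.sha256).digest()  # lets us detect a wrong password
    return salt + tag + wrapped


def open_header(password: str, header: bytes) -> Optional[bytes]:
    """Return the master key if the password fits this header, else None."""
    salt = header[:SALT_LEN]
    tag = header[SALT_LEN:SALT_LEN + TAG_LEN]
    wrapped = header[SALT_LEN + TAG_LEN:]
    hk = _header_key(password, salt)
    if not hmac.compare_digest(tag, hmac.new(hk, wrapped, hashlib.sha256).digest()):
        return None
    return _xor(wrapped, _keystream(hk, KEY_LEN))


def change_password(old: str, new: str, header: bytes) -> bytes:
    """Volumes -> Change Volume Password: same master key, new wrapping. Data untouched."""
    mk = open_header(old, header)
    if mk is None:
        raise ValueError("wrong current password")
    return make_header(new, mk)


def encrypt_data(master_key: bytes, plaintext: bytes) -> bytes:
    return _xor(plaintext, _keystream(master_key, len(plaintext)))


decrypt_data = encrypt_data  # XOR with a keystream is its own inverse


def demo() -> dict:
    """Create volume, back up header, let the user change the password, restore the backup."""
    master_key = os.urandom(KEY_LEN)
    data = encrypt_data(master_key, b"staff reports")        # constructed sample data
    admin_pw, user_pw = "admin-original", "user-chosen"      # constructed sample passwords

    header = make_header(admin_pw, master_key)
    backup = header                                          # Tools -> Backup Volume Header

    header = change_password(admin_pw, user_pw, header)      # user sets their own password
    only_one_pw = (open_header(admin_pw, header) is None
                   and open_header(user_pw, header) is not None)

    header = backup                                          # Tools -> Restore Volume Header
    admin_again = open_header(admin_pw, header)
    return {
        "only_one_password_at_a_time": only_one_pw,
        "restore_reinstates_admin_password": admin_again == master_key,
        "user_password_gone_after_restore": open_header(user_pw, header) is None,
        "data_readable_after_restore": admin_again is not None
                                       and decrypt_data(admin_again, data) == b"staff reports",
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two points the model makes concrete: the live header can only ever hold the master key under one password at a time, which is why the poster saw "only one password in use", and the backup is effectively a second copy of the master key under the admin password, so it needs the same physical protection as the admin password itself.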
We use CompuSec for laptop encryption. It's free and does what it says on the tin. Make sure you disable its "Single Sign-On" feature though, as this can remember your domain account log-in which can cause user confusion with password expiry policies. You can set a master password, and the password screen users see immediately after switching on can be customised.
As for USB sticks, I think we're going for Kingston's Enterprise DataTraveller sticks, supposedly for ease-of-use, but I haven't played with one yet so don't know if it's any good.
Our school has also been advised to use TrueCrypt. Does anyone have guidelines on how to use this product?
With regards to TrueCrypt and full laptop hard disk encryption, could we encrypt each hard disk using the same password and use a single rescue CD, or is the rescue CD going to need creating for every laptop?
We have nearly 100 laptops and I don't really want to have to store all of the CDs for them.
Any tips would be appreciated as we are looking at implementing this if we can make it work for us.
One other thing to ask on the topic. Do you guys have a policy that staff do not use any memory sticks other than those supplied by the school? How do you enforce this? I don't like to mess about with staff-owned equipment as I will not take responsibility for any damage.
Do any of you use any products that prevent USB from being used or restrict it to those allowed? Is that even doable?
Thanks for the info in this thread so far, has been useful :D
The big players in the encryption market are (in no particular order):
Sophos (formerly Utimaco)
McAfee (formerly SafeBoot)
TrueCrypt is overkill for our requirements here, and would likely lead to as many problems as it solved. What else do people use, ideally which is also Mac compatible?
I think you have to compromise when it comes to encryption. There are tons of folder and file level encryption apps around that will secure files on demand. They work fine for a few files but take ages for larger amounts of data. TrueCrypt is very fast but it does have the whole mounting/container thing and a level of complexity for users which might not suit other situations.
One thing that is interesting: people don't seem to be pushing EFS in these sorts of discussions. I'd be interested to know if people are using it. I've been reading up on it a bit. Clearly it can be very convenient for users as it's transparent and pretty quick. I've read of a number of vulnerabilities in Win2000 which appear to have been fixed for XP even on standalone machines. As long as the user has a decent password it sounds quite secure even on a laptop with a roaming profile sitting on it. Or is that not right?
I've just noticed that TrueCrypt has a Mac version - could that be used in tandem with the Windows one, i.e. encrypt a file/volume on Windows and decrypt it on a Mac?