Windows Thread, USB Encryption in Technical
We are looking into the possibility of providing staff with encrypted USB sticks as it's been a long-term concern of mine and it looks like I have managed to convince the SLT to back the idea.
I have tested and currently use TrueCrypt myself; although it will be a pain to set up initially, it's free, which is a bonus.
I'm also looking at the possibility of just providing staff with ready-encrypted drives such as the Integral Crypto Drive. I got one to test and I can't get the bloody thing to work on any domain workstation or laptop.
No such issue with non-domain machines; the error message tells me I'm not a privileged user on the machine even though I log in with domain admin privileges.
Anyone else had this issue or know what could be causing this?
My view was that hardware encrypted drives take too long to access - the quickest I got was 9 seconds, more than that on older machines - and I just don't think teachers would tolerate that.
We've gone for TrueCrypt containers on their pen drives, as this is free, allows them to use their chosen drive and means they only need to have any faffing around if they actually want to store something securely (which 9 times out of 10, they don't anyway). This isn't technically the best solution, but I think it is the one most likely to work, and is therefore the most secure in my view.
Can't say I've noticed much difference in performance when using the pre-encrypted pen but then again it wasn't like I was saving huge files to it.
I'm more interested in trying to find out why I can't get the bloody thing to work on a domain machine!!
TrueCrypt in Traveller Mode with encrypted USB pens does seem like the best way forward, can't say I am looking forward to setting up all those USB pens though!
I contacted Integral Support over this; they tell me it's down to an old version of their software. Replaced the stick with a new one, problem disappeared.
How about creating a 500MB container with a default password, then copying that onto all the pen drives? It would obviously be less secure than having individual passwords, but not massively so, since the main "threat" we're trying to protect against is outsiders who find the drive lying around, not other teachers anyway.
We've gone for TrueCrypt containers on their pen drives, as this is free, allows them to use their chosen drive and means they only need to have any faffing around if they actually want to store something securely (which 9 times out of 10, they don't anyway). This isn't technically the best solution, but I think it is the one most likely to work, and is therefore the most secure in my view.
This is the route I'm planning on going. Backed up with a good policy in the staff handbook, and some INSET training from me! The key message being if staff lose a memory stick/USB drive and the personal data is in the encrypted part they're in the clear. If they lose it, and personal data is not encrypted they face the consequences!
@joe90bass - Exactly. Let's be honest, we can't actually stop staff connecting personally-owned non-encrypted drives anyway, so at the end of the day, it all comes down to trusting the staff to adhere to the policy which has been explained to them (and publicly roasting those who don't!)
I didn't mean a delay when saving stuff, I meant a delay in between plugging it in and actually being able to open a file off it.
I see, just tried it now and you're right there is a delay on the hardware-based drives, can't believe I didn't notice that before!
Originally Posted by robk
I contacted Integral Support over this; they tell me it's down to an old version of their software. Replaced the stick with a new one, problem disappeared.
Is it an old stick you are testing with?
The stick is probably between 4 and 6 months old I think. Did Integral replace the stick for you?
Originally Posted by enjay
How about creating a 500MB container with a default password, then copying that onto all the pen drives? It would obviously be less secure than having individual passwords, but not massively so, since the main "threat" we're trying to protect against is outsiders who find the drive lying around, not other teachers anyway.
I was thinking along the lines of encrypting most of the drive and leaving just enough space to install TrueCrypt in Traveler Mode.
Having individual passwords is an issue and will be a PITA to set up; a common password, although less secure as you said, might be the best way forward.
Would be interesting to hear how others have tackled this issue.
Originally Posted by joe90bass
This is the route I'm planning on going. Backed up with a good policy in the staff handbook, and some INSET training from me! The key message being if staff lose a memory stick/USB drive and the personal data is in the encrypted part they're in the clear. If they lose it, and personal data is not encrypted they face the consequences!
Training and explanation for the action is definitely a priority here too, shudder to think how many members of staff will just unplug the drive before dismounting it!
I was thinking along the lines of encrypting most of the drive and leaving just enough space to install TrueCrypt in Traveler Mode.
Our reasoning against that was to make it as hassle-free as possible. If say half the drive is encrypted, then they can encrypt sensitive stuff when needed, but when they just want to stick a PowerPoint on it or whatever, they don't have to do anything extra. Minimum impact was the name of the game, but this does come at the expense of an increased risk - we deemed this acceptable, you might not.
Whatever exact permutation you settle on, the key thing is to get the buy-in of all staff, so they understand why it should be done and therefore make the effort to do it; also the buy-in of SLT to roast those people who don't.
The way I did it was to copy the TrueCrypt portable mode files to an empty key. I also created a folder named SecureData at the root of the key. Then I edited the autorun to label the drive *Name's*Drive (and set a pretty icon which I put in the TrueCrypt folder) and mount an encrypted file named School in the SecureData file. Then I hid both the folders, wrote a batch file to open TC and mount School (in case the "What do you want to do?" box didn't appear). For some reason that I forget I converted the bat to an exe and set a suitable icon. Then I wrote instructions and stuck a copy on the drive. Also if you actually create the file (just do a small one and subsequently delete it) it seems to cache the path details, making the next step easier.
I saved the lot in a folder named TrueCrypt on a spare drive. Each time I need a new key, I just copy the folder's contents (2 hidden folders, autorun, exe + instructions) to it and use TC (from the "new" key) to create the encrypted file named School in the SecureData folder, using as much free space as I dare. If you have identical keys it makes the job much easier.
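A sketch of the kind of mount helper the post above describes, added here as an example; it is not the poster's own batch file. The `TrueCrypt\TrueCrypt.exe` path, the fixed drive letter `T` and the `/d` argument for dismounting are assumptions, while `SecureData\School` follows the post.

```bat
@echo off
rem Added example, not the poster's file. Usage: mount.bat   or   mount.bat /d
rem Assumed layout on the stick (hypothetical apart from SecureData\School):
rem   <stick>\TrueCrypt\TrueCrypt.exe   portable-mode program files
rem   <stick>\SecureData\School         encrypted container
setlocal
rem %~d0 is the drive this script runs from, so it works whatever letter
rem Windows gives the stick on a particular machine.
set "STICK=%~d0"
set "TC=%STICK%\TrueCrypt\TrueCrypt.exe"
set "VOL=%STICK%\SecureData\School"
rem Assumed mount letter; pick one your logon scripts do not map.
set "LETTER=T"

if not exist "%TC%" goto :missing
if /i "%~1"=="/d" goto :dismount
if not exist "%VOL%" goto :missing
if exist %LETTER%:\ (
    echo Drive %LETTER%: is already in use. Is the volume already mounted?
    pause
    exit /b 1
)
rem /v volume file, /l drive letter, /m rm mounts as removable medium,
rem /e opens an Explorer window on the mounted volume, /q quits once mounted.
rem No password is passed on the command line: TrueCrypt prompts for it,
rem so it never ends up stored in this file on the unencrypted part.
"%TC%" /q /v "%VOL%" /l %LETTER% /m rm /e
goto :eof

:dismount
rem /d dismounts the given letter; run this before pulling the stick out.
"%TC%" /q /d %LETTER%
goto :eof

:missing
echo Expected files not found on %STICK% (TrueCrypt\TrueCrypt.exe, SecureData\School).
pause
exit /b 1
```

TrueCrypt in portable mode needs administrator rights to load its driver on a machine where TrueCrypt is not installed, so this only works for standard users on workstations that already have it installed.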
@joe90bass - Exactly. Let's be honest, we can't actually stop staff connecting personally-owned non-encrypted drives anyway, so at the end of the day, it all comes down to trusting the staff to adhere to the policy which has been explained to them (and publicly roasting those who don't!)
You can if using Windows Vista or 7, there are also tools that IBM put out (pay for) that let you enforce encryption on a removable data drive using GPO. We have not gone this far but have got full encryption on all the laptop hard drives and tell them to use only those with offline file sync for sensitive stuff. If they put it on a USB key and access it on a home machine all bets are off anyway as their home machine could be compromised.