Re: [Fed-Talk] Army to Encrypt Computers
- Subject: Re: [Fed-Talk] Army to Encrypt Computers
- From: "Wm. Cerniuk" <email@hidden>
- Date: Sat, 26 Aug 2006 03:38:16 -0400
Greetings,
I would suggest that FileVault be used on the home directory. Then in
circumstances where other disks or removable media needs to be
AES-128 encrypted, store only encrypted disk images.
Encrypted disk images are painless to use. The easiest way is to
create an encrypted sparse image on a removable disk that is set to
something slightly less than the total disk size. Then open that
image, use it directly from the desktop, and it will expand to the
limit set.
Encrypting the entire disk can run into problems very quickly. For
example, many of the methods of encrypting entire disks rely on 100%
disk data integrity. If one bit falters on disk, the entire disk is
corrupt, rendering it useless to any disk/file recovery tool.
On the other hand, if FileVault is used, a corruption under one
user's home directory will not affect any other user's home directory
on that system. Storing multiple AES encrypted sparse disk images on
a single external disk (for example, per project) also presents
better data integrity/security in similar fashion. FileVaults and
AES encrypted sparse disk images can be backed up and restored
individually as well.
(actually, the FileVault is a sparse disk image)
Is there a benefit that outweighs the liability of encrypting the
entire disk?
Even my current (very Mac-positive) employer is having to make an
exception to our security policy for Macs, and there is a blanket
prohibition on using Macs outside of a physically secure area if
they have high-value data on them.
With AES 128 bit encryption seamlessly working on the user's home
directory and factor authentication with the inclusion of a CAC in
the Mac OS X system, there should not be any exceptions to be made. (?)
Very Respectfully,
Wm. Cerniuk
Project Manager / Sr. Systems Architect
Veteran's Affairs
877.529.5730 (toll free)
Time is Short, and the Water Rises
On 24 Aug 2006, at 5:00 PM, Amanda Walker wrote:
On Aug 23, 2006, at 3:49 PM, Jim Emmons wrote:
In a recent speech, the Army CIO/G6, LTG Steve Boutelle, said that
within the next few weeks, all mobile computers (that are removed from
secure areas) will need to have the data on the machine encrypted. The
approved encryption software packages named are all Windows-based.
To meet this new requirement, is there any Mac-based (or further
*nix-based) software available that has been approved? If so, where can we
get it, and what are the costs?
I did some investigation of this on my last job (and remain
concerned with it at my current one--some of you might remember my
query about hardware drive encryption earlier this year). In my
previous dealings with LTG Boutelle's staff and CERDEC, while
they're fairly reasonable folks, it'll all depend on who needs to
sign off on what.
Right now there are three approaches that I know of:
FileVault: good protection, but only protects the home directory.
This may be sufficient for unclassified machines, but it's a
judgement call.
PGPDisk: now supports full disk encryption (good), but not on the
boot drive (bad). I gather from informal comments at the WWDC that
they're working on it for at least EFI-based Macs, but no idea when
they might ship something.
Hardware encrypted drives: there are a couple, but it's unclear how
compatible they are with Macs:
http://www.seagate.com/docs/pdf/marketing/PO-Momentus-FDE.pdf
http://www.rocstor.com/index.cfm?fuseaction=Products.dspRocsafe
Probably not sufficient for a classified machine, but might be
enough for unclassified machines if they work with Macs.
It's a growing problem, and it's not just the Army. Even my
current (very Mac-positive) employer is having to make an exception
to our security policy for Macs, and there is a blanket prohibition
on using Macs outside of a physically secure area if they have high-
value data on them.
It would be great to have full disk encryption with two-factor
authentication (smart card, USB token, whatever), like can be done
on PCs...
Amanda Walker
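The encrypted sparse image procedure Wm. Cerniuk describes above (an AES-128 sparse image on a removable disk, sized slightly below the disk's capacity, then attached and used from the desktop) can be scripted with macOS's hdiutil. The script below is an added example for this thread, not code posted by either author; the margin of 64 MB, the volume and image names, and the dry-run fallback are my own assumptions. hdiutil exists only on macOS, so on any other system the script just prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the thread: create, attach and detach an
# AES-128 encrypted sparse disk image on a removable disk.
# Assumptions: a 64 MB safety margin below the disk capacity and
# hypothetical image/volume names supplied by the caller.

# Return an image size in MB that sits a fixed margin below the disk's
# capacity (never below 1 MB), so the sparse image can grow to its limit
# without running the removable disk completely full.
# $1 = disk capacity in MB, $2 = margin in MB (default 64).
image_size_mb() {
    cap="$1"; margin="${2:-64}"
    size=$((cap - margin))
    [ "$size" -ge 1 ] || size=1
    echo "$size"
}

# Build the hdiutil command that creates the encrypted sparse image.
# -stdinpass makes hdiutil read the passphrase from stdin, so it never
# shows up in the process list or shell history.
# $1 = image path, $2 = volume name, $3 = size limit in MB.
create_cmd() {
    path="$1"; vol="$2"; size_mb="$3"
    echo "hdiutil create -type SPARSE -encryption AES-128 -fs HFS+ -volname $vol -size ${size_mb}m -stdinpass $path"
}

# Attach (mount) the image; the passphrase is again read from stdin.
attach_cmd() { echo "hdiutil attach -stdinpass $1"; }

# Detach (unmount) the mounted volume by its volume name.
detach_cmd() { echo "hdiutil detach /Volumes/$1"; }

# Run the command when hdiutil is available (macOS); otherwise dry-run.
# For the real run the caller pipes the passphrase on stdin, e.g.
#   printf '%s' "$PASS" | sh this_script.sh /Volumes/USB/project.sparseimage Project
run_or_show() {
    if command -v hdiutil >/dev/null 2>&1; then
        eval "$1"
    else
        echo "(dry run) $1"
    fi
}

# Usage: <image path> <volume name> [disk capacity in MB, default 1024]
# Only runs when invoked with arguments, so the functions above can be
# sourced or tested without side effects.
if [ "$#" -ge 2 ]; then
    img="$1"; vol="$2"; cap="${3:-1024}"
    limit="$(image_size_mb "$cap")"
    run_or_show "$(create_cmd "$img" "$vol" "$limit")"
    run_or_show "$(attach_cmd "$img")"
    echo "Volume $vol mounted; detach with: $(detach_cmd "$vol")"
fi
```

The sparse image only consumes space on the removable disk as files are written, up to the limit passed with -size, which is why the limit is set a little below the disk's capacity rather than equal to it. Keeping one image per project, as the message suggests, means a corrupted image or a lost passphrase affects only that project's data.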
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden