new laptop and encryption options

debitcardmayhem

Have a read of this http://lifehacker.com/five-best-file-encryption-tools-5677725/1685273934

securityguy

If you combine Bitlocker and a TPM it provides a stronger home for the encryption key.

Bitlocker works by encrypting the disk with a random key, and then encrypting that key with your passphrase. If it didn't work like that, you wouldn't be able to change your passphrase without re-encypting the whole disk. With a TPM, the encrypted key is stored in the TPM, which has a variety of benefits. Without a TPM, the encrypted key is stored in a special part of the disk. Bitlocker plus a TPM is assurable to at least IL3 and possibly IL4 for government data. Without a TPM, the key material needs to be separated onto a USB stick (which is a pain for most use) for anything above IL2.

Your company records would be IL2. Data protection legislation requires appropriate technical controls, and messing about with the technology (which is meaningless without all the associated process and audit) required for higher impact levels is both unnecessary and pointless unless you have very specific requirements. Full disk encryption with a passphrase is more than adequate for anything that is not protectively marked.

The advantage of using a TPM is that an attacker who steals your laptop cannot attempt a brute-force attack on your passphrase, as the encrypted version of the key is protected by the TPM which makes such an attack infeasible. Provided you use a strong passphrase, this isn't a huge advantage. The TPM also avoids some other attacks, which aren't realistic against the adversaries you face.

Bitlocker is pretty decent, as is Apple's Filevault equivalent. Unless you face state actor adversaries, those systems plus a decent passphrase are good enough for anything unclassified.

saving_pennies

Hi guys,

I really appreciate all the useful advise you are giving me.

Business laptops seem the way to go. Yesterday I had a look at both Dell and Levono professional laptops yesterday which both have TPM. I also looked on Novatech website as a friend recommended them. They have professional laptops with TPM however I am not sure what their reputation or after sales is like. Does anyone know?

My previous laptop has come from Microlink who supplied accessible software I use. They sale Satellite Pro so I am considering this. Only downside is they sale it with Windows 8 (I can upgrade to 8 pro) and everyone I know advises to avoid Windows 8 and stay with 7 or 10. I know I can do a upgrade to Windows 10 but I am now wondering if I should wait for this as apparently some of my accessibility software may not work on Windows 10 for a few more months yet.

I have never used Windows 8 so will be doing some more googling today to find out more about it. I will also follow up on links/software mentioned in your posts.

As for company/organisation providing equipment - my situation is a little complex in the sense that I am both the employer in one area and in another area I work for an agency. Longer term my plan is to be start up as self employed. Therefore the data processed is my responsibility hence me taking time to research the data security.

Thanks again everyone

S0litaire

If you have the choice, Stick with Win7 for business laptops. You can decide on the Win10 upgrade later.

Side Note:
I'm going to be playing around with Disk encryption later this week. Got a Hardware USB security key arriving in a few days. So I'll be testing it with a Win7 install on my PC and a Linux install on a laptop.

It's called "Yubikey Neo" it looks like a USB memory stick but can generate "Second Factor Authentication" codes for things like Google and Keypass (if you have the proper settings tuned on for these services.)

You can also use it to store a large randomly generated password, so you can use it to log into an encrypted PC instead of manually entering a password. (and put it into password protected screen-saver mode if you remove it.)

bit of marketing gumph! :
https://www.yubico.com/why-yubico/for-individuals/

ChiefGrasscutter

All these secondary key type with some special file on them dongle thingy's suffer from the same weak spot.
They will, sooner or later, either break down/fail or will get lost - and then you are totally and completely kebabed.

You can see this on the Keepass password manager forums where someone has elected to have an extra layer of security by storing a key file on an external USB stick to complement the password. - all standard two factor stuff.
Then they 'loose' the keyfile and then wail to the forum about how they are now going to get access to their data/passwords
They cannot is the answer.

S0litaire

ChiefGrasscutter wrote: »

All these secondary key type with some special file on them dongle thingy's suffer from the same weak spot.
They will, sooner or later, either break down/fail or will get lost - and then you are totally and completely kebabed.

You can see this on the Keepass password manager forums where someone has elected to have an extra layer of security by storing a key file on an external USB stick to complement the password. - all standard two factor stuff.
Then they 'loose' the keyfile and then wail to the forum about how they are now going to get access to their data/passwords
They cannot is the answer.

This is not that type of USB stick, it's a dedicated cryptographic device. Not a standard flash storage device. It's virtually impossible to accidentally delete the passwords or second factor authentication code in the yubikey.