Laptop encryption software

Comments

  • isofa
    isofa Posts: 6,091 Forumite
    Lots of good suggestions, and I agree with superscaper you'll need to ensure things are certified to the level you need.

    What OS are you using?

    If you are using W2K, Windows XP Pro etc, you can secure files and folders using standard NT security, which unless you have the login password to the account (and obviously this needs to be made secure and with a network policy), none of the files will be readable. Your network manager can invoke all these if you are on a domain.

    However no doubt for stronger security you'll need to invoke some third party software.

    Some laptops have a TPM chip, and others also a fingerprint reader which can enhance security and encrypt everything on the fly, others use a unique USB key, and without this attached, the laptop is effectively useless, and all the drive contents unreadable, lots of options.

    For ad-hoc files or a secure small partition, TrueCrypt is excellent as a freebie, has some very strong security options.
  • Graham_Devon
    Graham_Devon Posts: 58,560 Forumite
    It's NHS, we don't have a security bloke, lol. We do have 10 steering groups though, which is nice. Whatever they do!

    The IT bloke for our area (head of IT) said it's up to us, they don't supply it.

    So it's down to me. Will have a look into all the good suggestions later.

    I am the network bloke in this case. Used to support surgeries with all this kinda stuff, but then the NHS took over so I'm not up to speed with it, as I'm more finance based now.

    It's Windows XP but basic folder permissions won't work. As long as we have that document that we can pull out saying it's got accreditation so and so, we'll be covered if it gets stolen or lost whilst off the premises.

    A surgery recently lost a laptop with all patients' data on it. It wasn't really accessible, but they got into a mass of trouble, and it cost them a lot of money, had to apologise to each patient personally and call public meetings etc.

    Not like the person who got it would be able to get into the system anyway, as the patient database would have been secure, but that was a big thing when that was lost.
  • isofa
    isofa Posts: 6,091 Forumite
    I guess another option would be to lock all laptops down completely, with no data stored directly on the machine (locked off USB and CDRs too), then have remote access to domains and servers using WTS or Citrix, via a secure VPN tunnel from home users broadband or mobile network cards, logging in using a secure ID keyfob (such as an RSA keyfob) which generates random codes for login every few seconds, synced with the remote login server. A large government client of mine uses these for all remote access on laptops, but they don't 100% lock down their laptops as users need some flexibility, I don't deal with it directly, that's the network bods.
  • Graham_Devon
    Graham_Devon Posts: 58,560 Forumite
    Isofa, would be way more expensive, and no telephone lines half the time.

    Plus there's the NHS.net firewall to get through, which would be an absolute nightmare from various locations.
  • bookduck
    bookduck Posts: 1,136 Forumite
    I too work for the NHS and we use Becrypt on laptops. I use Truecrypt. If finances were no object I'd use PGP whole disk.

    From Becrypt's web page "The government versions of DISK Protect and PDA Protect have been specifically designed to meet the requirements of the UK Government's Information Assurance (IA) arm of GCHQ, the Communication Electronic Security Group (CESG). BeCrypt products have been certified under the CESG Approved Product Scheme" - wonder if this means there is a back door?
    GOOGLE it before you ask, you'll often save yourself a lot of time. ;)
  • superscaper
    superscaper Posts: 13,369 Forumite
    bookduck wrote: »
    - wonder if this means there is a back door?

    That's why Truecrypt is a good idea when it's for yourself. The advantage of it being open source is that there isn't any possibility of a backdoor. But the MOD approved commercial stuff, it wouldn't surprise me in the least if there was.
    "She is quite the oddball. Did you notice how she didn't even get excited when she saw this original ZX-81?"
    Moss
  • sra
    sra Posts: 4,667 Forumite
    This won't help the OP who needs government certification, but just to point out a little known feature of TrueCrypt that makes it suitable for use within organizations.

    There is the ability within Truecrypt to 'Backup Volume Header'.
    If you do this and then change the volume password, later you could if you wanted 'Restore Volume Header' to put back the original header and the original password would work.

    What this means is that someone senior could put Truecrypt on a system, backup the headers to somewhere safe (in another Truecrypt volume perhaps?)

    Then the regular user could change the password to anything they like and then if they do something silly like forget their password, or if the manager required access, the original header could be restored to decrypt the file.

    So there's a way for management to get access to files (which may be an absolute requirement in an organisation) without there being a backdoor as such.

    It's a very well thought out little program.
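
Added example (not part of the thread and not TrueCrypt's code): a simplified model of why the header backup described in the post above works. The volume data is encrypted with a random master key, and the header holds only that key wrapped under a password-derived key. The toy stream cipher, the 1000-iteration PBKDF2 setting and all names and passwords are assumptions for illustration.

```python
import hashlib
import hmac
import os

MAGIC = b"TRUE"  # known marker; seeing it after decryption means the password was right

def _stream_xor(key, nonce, data):
    # Toy stream cipher (HMAC-SHA256 in counter mode), a stand-in for the real disk cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def make_header(password, master_key):
    salt = os.urandom(16)
    header_key = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 1000)
    return salt + _stream_xor(header_key, salt, MAGIC + master_key)

def open_header(password, header):
    salt, body = header[:16], header[16:]
    header_key = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, 1000)
    plain = _stream_xor(header_key, salt, body)
    return plain[len(MAGIC):] if plain.startswith(MAGIC) else None

def create_volume(password, data):
    master_key = os.urandom(32)  # random; never derived from the password
    return {"header": make_header(password, master_key),
            "data": _stream_xor(master_key, b"data", data)}

def change_password(vol, old, new):
    master_key = open_header(old, vol["header"])
    if master_key is None:
        raise ValueError("wrong password")
    vol["header"] = make_header(new, master_key)  # data area is not re-encrypted

def read_volume(vol, password):
    master_key = open_header(password, vol["header"])
    return None if master_key is None else _stream_xor(master_key, b"data", vol["data"])

def escrow_demo():
    vol = create_volume("admin-initial", b"constructed sample record")
    backup = vol["header"]                      # 'Backup Volume Header'
    change_password(vol, "admin-initial", "user-chosen")
    locked_out = read_volume(vol, "admin-initial") is None
    vol["header"] = backup                      # 'Restore Volume Header'
    return locked_out, read_volume(vol, "admin-initial"), read_volume(vol, "user-chosen")
```

Because a password change only re-wraps the same master key, the backed-up header together with its original password opens the volume however often the password is changed later, so the backup needs the same protection as the key itself.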
  • amcluesent
    amcluesent Posts: 9,425 Forumite
    >But the MOD approved commercial stuff, it wouldn't surprise me in the least if there was<

    IIRC, for approved crypto CESG actually supply the keys to be loaded into the device, so there's no need for a 'back door'
  • peter999
    peter999 Posts: 7,102 Forumite
    Memory trick breaks PC encryption
    http://news.bbc.co.uk/1/hi/technology/7275407.stm

    Encrypted information held on a laptop is more vulnerable than previously thought, US research has shown.

    Scientists have shown that it is possible to recover the key that unscrambles data from a PC's memory.


    peter999
  • superscaper
    superscaper Posts: 13,369 Forumite
    peter999 wrote: »
    Memory trick breaks PC encryption
    http://news.bbc.co.uk/1/hi/technology/7275407.stm

    Encrypted information held on a laptop is more vulnerable than previously thought, US research has shown.

    Scientists have shown that it is possible to recover the key that unscrambles data from a PC's memory.

    peter999

    Just remember to switch your laptop off. I think it'd be an extreme set of circumstances that'd allow a full computer forensic team access to the RAM of your PC or laptop within a couple of minutes of you personally switching it off.
    "She is quite the oddball. Did you notice how she didn't even get excited when she saw this original ZX-81?"
    Moss
This discussion has been closed.