TrueCrypt

Posted on Mon May 07, 2012 7:54 am

My organization is going to start forcing all employees who use personal machines at work to have them encrypted. I'm dreading the day this happens but it seems like the option for them is using TrueCrypt. I was just wondering about all of your experiences with the software and possible issues you have come upon. I'm also trying to find a possible silent installer that has a predetermined configuration setup for the users that are easily confused by technology.
Intel I7-2600k, Asus P8P67, 16GB DDR3 1600mhz, Geforce GTX 780, ASUS Xonar D2, Samsung Evo 250GB, Western Digital Black 1TB, Corsair HX750w
Omniman
Gerbil First Class
 
Posts: 197
Joined: Sat Dec 13, 2008 1:24 am
Location: White River Junction, Vermont

Re: TrueCrypt

Posted on Mon May 07, 2012 8:17 am

Full-disk encryption seems to work OK & does best when you're not multi-booting between operating systems. You'll also get best performance if your CPU supports the AES instructions, and I'd go with the default AES algorithm instead of the others, and /especially/ not bother with ganging crypto algorithms together. Which hash algorithm probably doesn't matter.

See various guides on the Net about picking a good password. I think TrueCrypt prefers getting a longer one, IIRC at least ~24 characters, but it will accept shorter ones with a warning.

For average users, you might see if policy will allow them to simply store all work-related documents inside a TrueCrypt container instead of encrypting the entire hard drive, and specify settings to auto-dismount the container on certain events. That way they won't lose everything if they forget the password, or possibly the policy could be to not bother with encryption and that they must leave all work-related documents on a company-provided fileshare. That may not help with temp files &c, though.

My personal preference, given a choice between forcing users to whole-disk encrypt their personal machines and outright banning the things would be to ban. Lot less trouble unless your organization is too poor to provide everyone a decent machine.
Think for yourself, schmuck!
i5-2500K@4.3|Asus P8P67-LE|8GB DDR3-1600|Powercolor R7850 2G|1.5TB 7200.11|1988 Model M|Saitek X-45 & P880|Logitech MX 518|Dell 2209WA|Sennheiser PC151|Asus Xonar DX
bthylafh
Grand Gerbil Poohbah
 
Posts: 3189
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: TrueCrypt

Posted on Mon May 07, 2012 8:31 am

Good to know! Unfortunately, even though lots of users have both a desktop and laptop here they will bring in a personal machine. They then get angry as to why our software isn't working properly on the personal machine. Just fun times all around.
Omniman
Gerbil First Class
 
Posts: 197
Joined: Sat Dec 13, 2008 1:24 am
Location: White River Junction, Vermont

Re: TrueCrypt

Posted on Mon May 07, 2012 8:38 am

Sounds to me like you need to lobby your boss to make a policy change. There's no reason to waste your time supporting someone's personal box, unless <realpolitik>they outrank you</realpolitik>, but if your boss has enough pull that can be ended as well.
bthylafh
Grand Gerbil Poohbah
 
Posts: 3189
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: TrueCrypt

Posted on Mon May 07, 2012 9:10 am

bthylafh wrote: Sounds to me like you need to lobby your boss to make a policy change. There's no reason to waste your time supporting someone's personal box, unless <realpolitik>they outrank you</realpolitik>, but if your boss has enough pull that can be ended as well.


Sadly, it's one of the vice presidents who is just trying to make the organization (Hospital) look good. They don't really know what is going on and are actually retiring a few weeks after the policy goes into place.
Omniman
Gerbil First Class
 
Posts: 197
Joined: Sat Dec 13, 2008 1:24 am
Location: White River Junction, Vermont

Re: TrueCrypt

Posted on Mon May 07, 2012 10:09 am

We use these: https://www.ironkey.com/

For TrueCrypt, you'll probably have to have the laptop for a day or two depending on what you go with--full disk or just a container. We're doing up our laptops with this now.

We looked at other products like the one Sophos makes but they all seem to require connection to AD and get their policies managed that way. TrueCrypt was free and didn't have that AD link as a requirement and since we wanted our laptops OFF the internal network entirely, that was a non-starter for us. Since these are personal devices, I'm sure it's pretty much the same scenario for you.

Too bad you can't come up with a feasibility study and show all the negatives to the VP and whoever else has to approve organization-wide IT policies. Hell, offer to show him first-hand with his own laptop.

Also, maybe you can delay it until after he retires and then let the new person make the decision. You know, "still getting quotes from vendors... ran into some compatibility issues, looking into that... waiting for replies from vendor support..."
Scrotos
Graphmaster Gerbil
 
Posts: 1035
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: TrueCrypt

Posted on Mon May 07, 2012 11:40 am

Omniman wrote:
bthylafh wrote: Sounds to me like you need to lobby your boss to make a policy change. There's no reason to waste your time supporting someone's personal box, unless <realpolitik>they outrank you</realpolitik>, but if your boss has enough pull that can be ended as well.


Sadly, it's one of the vice presidents who is just trying to make the organization (Hospital) look good. They don't really know what is going on and are actually retiring a few weeks after the policy goes into place.


Oh good god, doctors. That explains so much.

Scrotos wrote: Also, maybe you can delay it until after he retires and then let the new person make the decision. You know, "still getting quotes from vendors... ran into some compatibility issues, looking into that... waiting for replies from vendor support..."


Sandbagging would be the first trick I would pull out of my bag since the VP is retiring. The new VP may scrap all this anyway.
Flatland_Spider
Gerbil Elite
 
Posts: 852
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539

Re: TrueCrypt

Posted on Mon May 07, 2012 12:37 pm

Omniman wrote: They then get angry as to why our software isn't working properly on the personal machine.


Honestly, isn't this just a giant HIPAA (or whatever health-related privacy legislation) violation waiting to happen? Any and all personal devices that are interfacing with hospital-specific software should probably be banned. Banks get audited yearly and information security is one of the things that gets looked at. Are hospitals the same? Or do they have no government (state or federal) oversight on securing confidential patient data?
Scrotos
Graphmaster Gerbil
 
Posts: 1035
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: TrueCrypt

Posted on Mon May 07, 2012 3:51 pm

I've used full-disk encryption on laptops at work, and it works quite well. Even though our machines weren't super fast, encrypting the whole drive didn't seem to affect performance. We did go with AES only to lighten the CPU load though.

I suspect any computer with dual cores or more will work without any perceptible performance hit, since even our slower machines could encrypt at ~90 MB/s, which is much faster than most laptop drives (excepting pure sequential reads).

The "slower" machines in question were ~1.7 GHz Pentium dual-core.
Jason181
Gerbil First Class
Silver subscriber
 
 
Posts: 182
Joined: Thu May 19, 2005 7:23 pm
Location: Oregon

