Omniman
Gerbil XP
Topic Author
Posts: 316
Joined: Sat Dec 13, 2008 1:24 am
Location: White River Junction, Vermont

TrueCrypt

Mon May 07, 2012 7:54 am

My organization is going to start forcing all employees who use personal machines at work to have them encrypted. I'm dreading the day this happens but it seems like the option for them is using TrueCrypt. I was just wondering about all of your experiences with the software and possible issues you have come upon. I'm also trying to find a possible silent installer that has a predetermined configuration setup for the users that are easily confused by technology.
Intel i7-7700, MSI Trident, 32GB DDR4 2133mhz, Geforce 1060GTX, and Samsung Evo 1TB.
 
bthylafh
Maximum Gerbil
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: TrueCrypt

Mon May 07, 2012 8:17 am

Full-disk encryption seems to work OK & does best when you're not multi-booting between operating systems. You'll also get best performance if your CPU supports the AES instructions, and I'd go with the default AES algorithm instead of the others, and /especially/ not bother with ganging crypto algorithms together. Which hash algorithm probably doesn't matter.

See various guides on the Net about picking a good password. I think TrueCrypt prefers getting a longer one, IIRC at least ~24 characters, but it will accept shorter ones with a warning.

For average users, you might see if policy will allow them to simply store all work-related documents inside a TrueCrypt container instead of encrypting the entire hard drive, and specify settings to auto-dismount the container on certain events. That way they won't lose everything if they forget the password, or possibly the policy could be to not bother with encryption and that they must leave all work-related documents on a company-provided fileshare. That may not help with temp files &c, though.

My personal preference, given a choice between forcing users to whole-disk encrypt their personal machines and outright banning the things would be to ban. Lot less trouble unless your organization is too poor to provide everyone a decent machine.
Hakkaa päälle!
i7-8700K|Asus Z-370 Pro|32GB DDR4|Asus Radeon RX-580|Samsung 960 EVO 1TB|1988 Model M||Logitech MX 518 & F310|Samsung C24FG70|Dell 2209WA|ATH-M50x
 
Omniman
Gerbil XP
Topic Author
Posts: 316
Joined: Sat Dec 13, 2008 1:24 am
Location: White River Junction, Vermont

Re: TrueCrypt

Mon May 07, 2012 8:31 am

Good to know! Unfortunately, even though lots of users have both a desktop and laptop here they will bring in a personal machine. They then get angry as to why our software isn't working properly on the personal machine. Just fun times all around.
Intel i7-7700, MSI Trident, 32GB DDR4 2133mhz, Geforce 1060GTX, and Samsung Evo 1TB.
 
bthylafh
Maximum Gerbil
Posts: 4320
Joined: Mon Dec 29, 2003 11:55 pm
Location: Southwest Missouri, USA

Re: TrueCrypt

Mon May 07, 2012 8:38 am

Sounds to me like you need to lobby your boss to make a policy change. There's no reason to waste your time supporting someone's personal box, unless <realpolitik>they outrank you</realpolitik>, but if your boss has enough pull that can be ended as well.
Hakkaa päälle!
i7-8700K|Asus Z-370 Pro|32GB DDR4|Asus Radeon RX-580|Samsung 960 EVO 1TB|1988 Model M||Logitech MX 518 & F310|Samsung C24FG70|Dell 2209WA|ATH-M50x
 
Omniman
Gerbil XP
Topic Author
Posts: 316
Joined: Sat Dec 13, 2008 1:24 am
Location: White River Junction, Vermont

Re: TrueCrypt

Mon May 07, 2012 9:10 am

bthylafh wrote:
Sounds to me like you need to lobby your boss to make a policy change. There's no reason to waste your time supporting someone's personal box, unless <realpolitik>they outrank you</realpolitik>, but if your boss has enough pull that can be ended as well.


Sadly, it's one of the vice presidents who is just trying to make the organization (Hospital) look good. They don't really know what is going on and are actually retiring a few weeks after the policy goes into place.
Intel i7-7700, MSI Trident, 32GB DDR4 2133mhz, Geforce 1060GTX, and Samsung Evo 1TB.
 
Scrotos
Graphmaster Gerbil
Posts: 1109
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: TrueCrypt

Mon May 07, 2012 10:09 am

We use these: https://www.ironkey.com/

For TrueCrypt, you'll probably have to have the laptop for a day or two depending on what you go with--full disk or just a container. We're doing up our laptops with this now.

We looked at other products like the one Sophos makes but they all seem to require connection to AD and get their policies managed that way. TrueCrypt was free and didn't have that AD link as a requirement and since we wanted our laptops OFF the internal network entirely, that was a non-starter for us. Since these are personal devices, I'm sure it's pretty much the same scenario for you.

Too bad you can't come up with a feasibility study and show all the negatives to the VP and whoever else has to approve organization-wide IT policies. Hell, offer to show him first-hand with his own laptop.

Also, maybe you can delay it until after he retires and then let the new person make the decision. You know, "still getting quotes from vendors... ran into some compatibility issues, looking into that... waiting for replies from vendor support..."
 
Flatland_Spider
Graphmaster Gerbil
Posts: 1324
Joined: Mon Sep 13, 2004 8:33 pm

Re: TrueCrypt

Mon May 07, 2012 11:40 am

Omniman wrote:
bthylafh wrote:
Sounds to me like you need to lobby your boss to make a policy change. There's no reason to waste your time supporting someone's personal box, unless <realpolitik>they outrank you</realpolitik>, but if your boss has enough pull that can be ended as well.


Sadly, it's one of the vice presidents who is just trying to make the organization (Hospital) look good. They don't really know what is going on and are actually retiring a few weeks after the policy goes into place.


Oh good god, doctors. That explains so much.

Scrotos wrote:
Also, maybe you can delay it until after he retires and then let the new person make the decision. You know, "still getting quotes from vendors... ran into some compatibility issues, looking into that... waiting for replies from vendor support..."


Sandbagging would be the first trick I would pull out of my bag since the VP is retiring. The new VP may scrap all this anyway.
 
Scrotos
Graphmaster Gerbil
Posts: 1109
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: TrueCrypt

Mon May 07, 2012 12:37 pm

Omniman wrote:
They then get angry as to why our software isn't working properly on the personal machine.


Honestly, isn't this just a giant HIPAA (or whatever health-related privacy legislation) violation waiting to happen? Any and all personal devices that are interfacing with hospital-specific software should probably be banned. Banks get audited yearly and information security is one of the things that gets looked at. Are hospitals the same? Or do they have no government (state or federal) oversight on securing confidential patient data?
 
Jason181
Gerbil First Class
Posts: 186
Joined: Thu May 19, 2005 7:23 pm
Location: Oregon

Re: TrueCrypt

Mon May 07, 2012 3:51 pm

I've used full-disk encryption on laptops at work, and it works quite well. Even though our machines weren't super fast, encrypting the whole drive didn't seem to affect performance. We did go with AES only to lighten the CPU load though.

I suspect any computer with dual cores or more will work without any perceptible performance hit, since even our slower machines could encrypt at ~90 MB/s, which is much faster than most laptop drives (excepting pure sequential reads).

The "slower" machines in question were ~1.7 GHz Pentium dual-core.
