Unfortunately this came up again with our annual SRA a week ago and there is no easy answer. I was told that we should encrypt our servers as well. I don't necessarily agree since all of our servers are virtual and we have a SAN, which is locked/secured in our Data Center. It would not be likely to have someone come in and steal a hard drive or hard drives and get anything useful from them.
On to your questions (hoping some others will provide feedback)
1) The software you are using (TrueCrypt, McAfee, Symantec, etc.)
We tried McAfee but settled on TrueCrypt, but it is now discontinued. TrueCrypt and McAfee both require a password be typed in at boot time. McAfee has a cached password mode but was not secure at all. It was possible to break in within 10 minutes. DiskCryptor will likely be my TrueCrypt replacement as the project matures.
https://diskcryptor.net/wiki/Main_Page
I think BitLocker would be best but with the highest cost to the organization. It would integrate with Active Directory. You cannot buy OEM Windows Enterprise, so we would be buying a Windows license twice for each machine unless you build your own machines. It kills any hope of doing this in a cost-effective manner. Maybe there is hope for Windows 9 upgrades if the start menu is really back this time and it is cheap for businesses (I fear that businesses will likely pay a lot more than $20/each per seat).
2) Is there a significant slowness exhibited with the encryption process while an end user is using the machine?
None that I noticed in my testing with BitLocker, TrueCrypt or McAfee. Intel i5 and i7 processors (among others) have built-in hardware cryptography extensions which do parallel processing for this purpose.
https://en.wikipedia.org/wiki/AES_instruction_set
3) Centralized password management (tied in with Active Directory)
As far as I know, BitLocker is the only one which will do this. McAfee will cache the password but it is available to be hacked into very easily.
4) Is it easy to deploy?
BitLocker is easiest to deploy with Group Policy. McAfee/TrueCrypt are installed individually and harder to manage. We have already had to rebuild more than one laptop with a forgotten password.
5) Does it automatically encrypt removable media, such as CD-Rs, USB memory sticks, external HDDs, etc.?
I don't really have an answer to this one. The word "automatically" is throwing me a curve. I know you can do it, but it is not without an additional step in TrueCrypt. Did not try McAfee or BitLocker.
6) Was the cost reasonable?
TrueCrypt was free.
7) Would you buy it again?
I would buy Windows 7 Enterprise/Ultimate with every new computer if it was reasonable. Currently it is not.
McAfee does not give you any more than what TrueCrypt does, so it is not worth it.
Mike Zavolas
Tallahassee Neurological Clinic
Posted : September 29, 2014 4:26 am