Notifications
Clear all
Topic starter
Greetings
I am wondering if anyone has given consideration to hard drive encryption (workstations/laptops/tablets). We had an audit recently and it was recommended due to the fact someone can steal a PC from the office or steal/find a laptop. I have looked at a number of options but I do not want the users (or me) to have to enter a password during boot, before windows is loaded. That would preclude me from doing any after hours maintenance with scripted installations or personally remotely accessing machines after hours if they happened to be powered off and a send a magic packet to wake.
We are using Windows 7 Pro OEM which is/was not eligible for SA/Windows 7 Enterprise. We are currently evaluating McAfee Endpoint but want to see what others are doing in case there is a better idea out there
Mike Zavolas
Tallahassee Neurological Clinic
Posted : September 26, 2013 5:45 am
We use TrueCrypt, which can be downloaded from truecrypt.org. It allows the option of full disk encryption or the creation of an encrypted folder, in which case the decryption password is only entered when the user wants access to the data in that folder. The product free but highly rated by various computer columnists.
Posted : September 26, 2013 11:15 pm
Our university uses the McAfee - which requires a login right after BIOS execution and before Windows. Adds processing overhead but gives you centralized management. If the laptop isn't connected to the network in x number of days, you can't log into the encryption and the computer has to be administratively reset. This may be an optional setting, I don't know for sure. We have had some growing pains with it but it seems to work well now. You can have more than one person set for the encryption on a device, but I think there is a practical limit, i.e. you can't have everyone able to log into the encryption on every device but you could have admin staff able to log into all of them along with the user assigned to each device.
Posted : September 27, 2013 12:02 am
We use TrueCrypt to encrypt the entire hard drive. It uses a USB fob in combination with a password after BIOS. We were worried that users would have a problem remembering to connect the fob, but that was never really an issue. The worst part was the time to took for the initial encryption (many hours). Overall, it's been a very positive experience.
Posted : September 27, 2013 12:26 am
Topic starter
What purpose does the fob serve if you still need a password? Does the password need to be at least 16 characters?
I am going to have a tough sell on this as it is but I would need to hire more staff to work a night shift if I couldn't use my WOL at night for updates and scripts
Mike Zavolas
Tallahassee Neurological Clinic
Posted : September 27, 2013 1:17 am
But as I said, you don't have to encrypt the entire drive with TrueCrypt; you have the option to encrypt just a portion, in which case you don't have WOL concerns. Your only concern then is whether or not users are responsible enough to store ePHI only in the encrypted portion.
Posted : September 27, 2013 1:30 am
Our University changed it's policy so that ALL portable devices used for University business (not just HIPAA related) must be encrypted. They are taking any chances with a missing laptop or flash drive causing a multi-million dollar fine for a HIPAA breach.
Posted : September 27, 2013 1:43 am
tnc said:
What purpose does the fob serve if you still need a password? Does the password need to be at least 16 characters?
The fob provides another layer of security. It contains a second password that is fed into the laptop when a button is pressed. If someone knows your password, he/she would still need the fob physically plugged into the USB port in order to decrypt the drive. To my knowledge, the password does not have to be 16 characters.
Posted : September 27, 2013 3:22 am
Topic starter
Mitch Kwiatkowski said:
tnc said:
What purpose does the fob serve if you still need a password? Does the password need to be at least 16 characters?
The fob provides another layer of security. It contains a second password that is fed into the laptop when a button is pressed. If someone knows your password, he/she would still need the fob physically plugged into the USB port in order to decrypt the drive. To my knowledge, the password does not have to be 16 characters.
I think if you wanted AES 256 bit encryption it would need a 16 digit password for the hash. That's where I came up with that number. If you only wanted 128 bit then an 8 digit password would suffice.
Thanks for the fob clarification. I like the concept but I would expect it to be plugged in all the time out of convenience. Can you configure it to use a fob without a password?
Mike
Posted : October 1, 2013 4:07 am
