Encryption Jack Roberts, PPD, RAL, STFC

Encryption Jack Roberts, PPD, RAL, STFC. Why? Government reaction to high profile data losses. STFC General Notices 30th January, 1st February 2008

Encryption

Jack Roberts, PPD, RAL, STFC

Why?

• Government reaction to high profile data losses.

• STFC General Notices 30th January, 1st February 2008.

“staff are hereby instructed that no unencrypted laptops or drives containing personal data should be taken off STFC sites” (30th January)

What is “Personal Data”?

“A. Any information that links one or more identifiable living person with private information about them.”

“B. Any source of information about 1,000 identifiable individuals or more, other than information sourced from the public domain.”

“Consequently, all laptops and PDAs need to be encrypted before they can be taken off site.” (1st February)

What Product?

CRITERIA

• CESG approved

• FIPS-140

• Full Disk encryption

• Need to be able to manage centrally

• Transparent to the user

BUT

• No Mac solution

• Only limited Linux support

• No dual boot solution

Products used in STFC

• BeCrypt

• Pointsec for PC

• Pointsec Mobile

Red Hat, SuSE 9.x, RHEL 4, NLD

BeCrypt

• Quick fix

• ~5 installations in PPD/~100 in STFC

• No installation problems

• No central management console.

• Slightly more expensive than Pointsec for PC

Pointsec Mobile

• For PDAs

• Not yet used in PPD

• Tested on a few PDAs in STFC, only 1 successful install.

• Newer version being tested.

Pointsec for PC (now renamed as Check Point Full Disk Encryption?)

Installation

Method

• Initial preparation.

• Installed like a normal application.

• Typically takes around 4 hours.

Problems

• Has refused to install on one or two laptops.

• Not compatible with 64-bit Vista.

How Does It Work?

BIOS → Pointsec Authentication Screen → OS Loads → Log in to OS User Account → User works as normal

Single Sign On (SSO): Enters user’s OS account details automatically.

Recovery

• Management Console

• Central store of recovery files.

• Unlocking user accounts/changing passwords remotely

• Decryption

License Key bug

• Temporary license key expired 21st March (Good Friday...).

• Mad rush on Tuesday 25th to distribute new license key to make sure laptops don’t decrypt.

• Some laptops with the new key start decrypting – eek!

• Why? License key checks at logon that it can contact an IP address, i.e. No Network Connection = Invalid license = Laptop Decrypts.
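The failure mode on this slide, modelled as an added example (not Pointsec's code and not part of the original slides): a license check that collapses "expired" and "unreachable" into "invalid" and then decrypts, beside a fail-closed policy that reports the problem but never changes disk state. Host names, function names and the new key's expiry date are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Logon:
    host: str            # constructed host name
    day: date            # date of the logon
    key_expires: date    # expiry date of the installed license key
    network_up: bool     # can the license check reach its IP address?

def license_state(ev: Logon) -> str:
    """Classify the license check instead of collapsing it to valid/invalid."""
    if ev.day >= ev.key_expires:
        return "expired"
    if not ev.network_up:
        return "unreachable"
    return "valid"

def fail_open(ev: Logon) -> str:
    """Model of the slide's behaviour: any non-valid result decrypts the disk."""
    return "encrypted" if license_state(ev) == "valid" else "decrypting"

def fail_closed(ev: Logon) -> str:
    """Hardened model: a license problem is reported but the disk stays encrypted."""
    state = license_state(ev)
    return "encrypted" if state == "valid" else f"encrypted (alert: license {state})"

def hosts_decrypting(events, policy):
    """Hosts whose disk would start decrypting under the given policy."""
    return [ev.host for ev in events if policy(ev) == "decrypting"]

# Constructed logons for Tuesday 25th March 2008; NEW_KEY's expiry is a placeholder.
OLD_KEY, NEW_KEY, DAY = date(2008, 3, 21), date(2008, 12, 31), date(2008, 3, 25)
EVENTS = [
    Logon("laptop-office", DAY, NEW_KEY, network_up=True),
    Logon("laptop-travelling", DAY, NEW_KEY, network_up=False),
    Logon("laptop-missed-update", DAY, OLD_KEY, network_up=True),
]

if __name__ == "__main__":
    for name, policy in (("fail-open", fail_open), ("fail-closed", fail_closed)):
        print(name, {ev.host: policy(ev) for ev in EVENTS})
```

Under the fail-open model the off-network laptop decrypts even though it holds the new key, which is the case the slide reports; under the fail-closed model the same logon only raises an alert.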

Current Status

In PPD:

• ~95% Windows Laptops encrypted

• ~75% of all Laptops encrypted.

• 0 laptops corrupted.

In STFC:

• 724 laptops encrypted (6th June).

• Maybe one or two laptops corrupted.

For the future...

• Hope to be able to perform a risk assessment within the organisation.

• Hopeful that a Mac solution will soon be available.

• Start encrypting PDAs.

Any Questions?