UWDiskCrypt
Erick Engelke
Director, Engineering Computing
erick@uwaterloo.ca
January 10, 2010

Need
• Policy 8 – Information Security
• On servers we restrict logical access to data, physical access to hardware – data is relatively safe
• Laptops (and desktops) often contain restricted information
• Using boot CDs, one can easily read information on a stolen laptop
• Data deletion at laptop surplus time

Options
• Host all data only on servers, like the GAP
• Requires high-speed internet access
• Read-only is more easily achieved
• Read/write access on Terminal Servers
• Hosted Office (like Google Docs) would help
• Data encryption on laptops
• Safeguard data against stolen or surplused laptops
• BitLocker on some Windows
• Commercial, pricey – limited to their features
• Open source – TrueCrypt, DiskCryptor
• lacks some features

Key Escrow
• Key escrow is an arrangement in which keys to decrypt encrypted data are held in escrow
• Under certain circumstances, an authorized third party may gain access to those keys
• In our case, the laptop ‘owner’ should also be able to recover a forgotten password

BitLocker
• Vista and Windows 7 – upper level licenses
• Not available on the Windows installed on most laptops
• upgrade laptops to Win7 Enterprise, replace existing OS, lose vendor features, driver mess
• Key escrow requires laptops to join the domain first
• Key escrow does not appear to work when off-site
• Win 7 Ent. uses lots of disk space, bad for netbooks

TrueCrypt
• Open source, free
• Supports all recent versions of Windows, Mac, Linux
• Good encryption – CIA can’t crack it yet
• Options – encrypt disk drive, partition, logical volume, memory stick
• GUI is a little messy
• No key escrow
• Weird licensing restrictions – cannot distribute modified source

DiskCryptor
• Open source, free, modifiable
• GNU license is very compatible with our needs
• Supports all recent versions of Windows but NOT Mac, Linux
• Good encryption
• Options – partition, CD/DVD, memory stick
• GUI is pretty nice, source is very nice
• No key escrow

UWDiskCrypt
• Added key escrow to TrueCrypt, DiskCryptor
• 32 bit / 64 bit code added to program
• Uses IE and SSL to communicate with campus web server
• PHP code there stores password in MySQL DB
• User can use web to recover own password
• Would benefit from PKI
• Can be modified for our needs

Risks
• Program errors
• number of DiskCryptor clients reduces this likelihood
• BIOS can be a problem with any product
• Key leakage at server
• would reduce security to present levels at worst
• Can use public key if we want to remove decrypt key from server
• Works with existing clients, but is it future-proof?
• Is anything? We have had a good track record in EngComp
• If we decide to switch, decrypt disk, then encrypt with new product, no risk just time spent
• Open source lets us upgrade on our timetable, avoid licensing driving us
• Free to add functionality or remove annoying “features”
• Source is available, expertise exists in the cloud, not just local
• Buying Oracle doesn’t mean we can use Win7 or IE8, every vendor is slow
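
The "can use public key" option from the Risks slide, as an added example (not UWDiskCrypt's own code): the web server seals each escrowed password with a libsodium sealed box, so a leaked database holds only ciphertext. The table layout, host name and sample password are constructed, in-memory SQLite stands in for MySQL, and PHP's sodium and pdo_sqlite extensions are assumed to be available.

```php
<?php
// Added example, not UWDiskCrypt code. Table, host and password are
// constructed; in-memory SQLite stands in for the MySQL database.

// Done once, offline: only the PUBLIC key is deployed to the web server.
$escrowKeypair = sodium_crypto_box_keypair();
$serverPubKey  = sodium_crypto_box_publickey($escrowKeypair);

function escrow_store(PDO $db, string $pubKey, string $host, string $password): void
{
    // Sealed box: the server can encrypt with the public key but cannot decrypt.
    $sealed = base64_encode(sodium_crypto_box_seal($password, $pubKey));
    $db->prepare('INSERT INTO escrow (host, sealed) VALUES (?, ?)')
       ->execute([$host, $sealed]);
}

function escrow_recover(PDO $db, string $keypair, string $host): ?string
{
    $stmt = $db->prepare('SELECT sealed FROM escrow WHERE host = ?');
    $stmt->execute([$host]);
    $raw = base64_decode((string) $stmt->fetchColumn(), true);
    if ($raw === false || $raw === '') {
        return null;                         // no record, or corrupted record
    }
    $plain = sodium_crypto_box_seal_open($raw, $keypair);
    return $plain === false ? null : $plain; // false: wrong key or tampering
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE escrow (host TEXT PRIMARY KEY, sealed TEXT NOT NULL)');

escrow_store($db, $serverPubKey, 'laptop-042', 'correct horse battery staple');

// What a database leak would expose: the stored value contains no plaintext.
$leaked = $db->query('SELECT sealed FROM escrow')->fetchColumn();
var_dump(strpos(base64_decode($leaked), 'horse') === false);

// Recovery needs the offline keypair; an unrelated keypair recovers nothing.
var_dump(escrow_recover($db, $escrowKeypair, 'laptop-042'));
var_dump(escrow_recover($db, sodium_crypto_box_keypair(), 'laptop-042'));
```

With this layout the web server alone can no longer hand a password back; recovery goes through whoever holds the offline key.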