U.S. Gov't To Use Full Disk Encryption On All Computers 371
To address the issue of data leaks of the kind we've seen so often in the last year because of stolen or missing laptops, writes Saqib Ali, the Feds are planning to use Full Disk Encryption (FDE) on all Government-owned computers. "On June 23, 2006 a Presidential Mandate was put in place requiring all agency laptops to fully encrypt data on the HDD. The U.S. Government is currently conducting the largest single side-by-side comparison and competition for the selection of a Full Disk Encryption product. The selected product will be deployed on Millions of computers in the U.S. federal government space. This implementation will end up being the largest single implementation ever, and all of the information regarding the competition is in the public domain. The evaluation will come to an end in 90 days. You can view all the vendors competing and list of requirements."
Re:Why Full-Disk?? (Score:3, Informative)
Because software frequently puts sensitive data in files outside your home directory.
Are they just concentrating on a Windows-only solution that will lock out OS X and Linux??
Linux supports full disk encryption. If OS X doesn't, well, it should, since home-directory-only encryption is not particularly secure.
List as Text (Score:1, Informative)
AT&T
AT&T Government Solutions
Betis Group, Inc.
CDWG
CipherOptics Corporation
CREDANT Technologies
David E. Sherrill & Associates
Decru, Inc.
Dell Inc.
Encryption Solutions, Inc.
EWA
General Dynamics
Green Hills
GuardianEdge Technologies
Halliburton Data Security
Harris Corporation
I.D. Rank
immixGroup
infoLock Technologies
Information Security Corporation (ISC)
Ingrian Networks, Inc.
Intelligent Decisions, Inc.
Kanguru Solutions
L-3 Communications
Liquid Machines
Mary Fuller & Associates, LLC
McAfee, Inc.
Meganet Corporation
Merlin International, Inc.
Microsoft Corporation
MITA Group
Mobile Armor
NetApp
Onix Networking Corp.
Plans, Programs & Policy (P3) Consulting LLC.
PointSec Mobile Technologies
Progeny Systems Corporation
Rocky Mountain Ram
SafeNet
SCO
Seagate Technology
SolCent Corporation\
Sprint Nextel
SPYRUS, Inc
Sybase, Inc.
TECHSOFT, Inc
Telos,
Trust Digital,
ViaSat
Vormetric, Inc.
Wave Systems Corp,
Zelinger Associates, Inc.
Re:Why Full-Disk?? (Score:3, Informative)
From the requirements:
Truth be told, this doesn't really say that much ... 'It is important if you support multiple' - what does that mean?
NOT US Government (Score:1, Informative)
US Air Force
Agency: Department of the Air Force
Office: Air Force Materiel Command
Location: ESC - Electronic Systems Center
Re:Don't lose your pass-key (Score:5, Informative)
The Air Force currently requires ( in addition to the use of a "Smart Card" plugged into the machine to gain access ) a 15 char password consisting of 3 caps, 3 lower, 3 numbers, and 3 special char ( the rest is up to the user ), no proper names, dictionary words, more than 3 letters or numbers in sequence ( back or forward ), must not be the same or simular to your last 25 passwords, and you must change it every 90 days.
The net result is that most people are writing it down and storing it in some easy to access place. Previously, we had an 8 char pass that required 2 caps, 2 lower, 2 special, 2 numbers... It was short enough that you could actually remember it.
We've been doing this for 5+ years now (Score:5, Informative)
At that time we found just 5 vendors who were qualified to deliver (after an initial pre-qualification round), and we invited them all to a specially setup testing lab: Of these 5 vendors, 3 were selling pure snake oil (encrypt the partition table and/or root directory only), it took less than 5 minutes to break into each of these.
Nr 4 seemed a lot better, but after 20 minutes work I found the crucial 'compare password, JE decrypt' sequence in the driver, and we were in.
Only the final entry (from a german company) had understood how you design a product like this:
First you encrypt, using your preferred symmetric key algorithm (AES-256 these days?), all sectors on the disk. You use some form of hash of the logical sector number as a salt when encrypting, this makes each block unique, even those that contain the same 'FDFDFDFD' freshly formatted pattern. The key you use for this is the master disk key, it is a random number generated during installation.
Next you make a small table, with room for at least two entries: User and admin.
The user entry can be modified as often as you like (we default to slightly less than once/month), while the admin key/password is constant, but unique to this particular PC.
Each password (user/admin) is used as the key when encrypting the master key, which means that there is no way, even for the crypto architect, to recover the master key without knowing at least one of these passwords. (The passwords are never stored anywhere on the disk of course!)
The admin key/password is saved both as a printout and on disk on a secure system (without any form of network connection), so that you can use it each time a user manages to forget his/her user disk password.
There are lots of nice to have features as well, one of the more important is the ability to use a challenge/response setup to safely regenerate a user password remotely, without ever having to transmit the relevant admin key. This does require some kind of side channel to verify the identity of the user who owns the particular laptop: We use a combination of RSA's SecureID cards and the user's cell phone for this (each user has such a card to be able to use the corporate VPN connection which requires strong authentication).
Terje
Re:Eh. (Score:3, Informative)
Because not every government employee has access to high bandwidth connections, especially if they are stationed outside the US. Disconnected operation is essential.
Re:This is a no brainer!!! Try these: (Score:3, Informative)
loss of speed.
http://www.freeotfe.org/docs/index.htm
Re:But why? (Score:5, Informative)
And, you'd be the first one to cry to the f*&king heavens as soon as the Government let YOUR secrets out in the open. Or when a government, controlled by a political party other than your chosen favorite, screwed up in a major way when Intelligence is released into the wild.
Find a government on the planet that does as you desire, I'll show you mythology. Only those seeking the downfall of a political system, or governing body require that body to release all its secrets. When that body is your government, then you meet the definition of "Traitor".
Whether controlled by Republicans, Democrats, Libertarians (mythological political party), The Raving Loons of Parump, the government must keep secrets and protect select information from release until such a time that its release is no longer a harm to the citizens and country.
Re:Why Full-Disk?? (Score:3, Informative)
However as other contributors rightly pointed out,
Re:Eh. (Score:5, Informative)
It's not 'dragging this stuff home', it's people who go out in the field to do their job - One simple example is FEMA. When they go to a disaster they take along thousands of laptops in order to register people who need aid. There isn't a LAN they can "SSH into" and they can't phone this stuff in. Another example might be the IRS who would visit individuals and businesses to perform audits.... The list goes on.
Re:I predict (Score:1, Informative)
I predict the government will lose more data this way than when storing data unencrypted. And, when they lose it this way, they won't be able to get it back. At least when they lose a stolen laptop and get it back, they usually still get their data.
Anything important that originates from the laptop should already be backed up, and anything else can be retrieved from another source.
And, stealing laptops isn't how people are trying to steal data from the government... stealing laptops is how people are trying to steal laptops. Those going after government data have better ways to approach it than stealing laptops.
But they still get the sensitive data when they steal the laptops. This isn't aimed at stopping enemy agents, it is aimed at accidental loss of sensitive data, which can be just as damaging and even more embarrassing.
Re:But if users don't run as Administrators (Score:1, Informative)
Wrong. Swap,
And I don't know of any Linux app that puts stuff outside home...
That's merely a testament to your ignorance.
and only a few Macs app do
The Mac is no different in that regard from UNIX.
(and none should)
They don't have a choice; it's part of normal operations. It happens even if they don't explicitly open any files themselves.
Re:Don't lose your pass-key (Score:3, Informative)
Then you have decent physical security as well. Don't get me wrong, it's not perfect but it is still very effective.
Re:unpopular data/facts, not "personal data" (Score:4, Informative)
Re:start your own company (Score:4, Informative)