The Information Secure Office (ISO) has approved several methods of complying with policy for encrypting sensitive data on laptops. The preferred method of accomplishing this is using WinMagic SecureDoc, the enterprise whole disk encryption product available through ITS.
The ISO strongly believes that the following features are important in an encryption product:
- Industry-standard, well-tested encryption algorithms.
- Encryption key escrow/recovery in case the keys are lost, forgotten, or otherwise unavailable to a department.
- Support for multiple platforms, especially Windows and Mac (both of which currently make up the majority of portable devices on campus).
- The ability to demonstrate the device was encrypted in the event it is lost or stolen, in order to better comply with the Texas Identity Theft Protection and Enforcement Act and other related laws.
SecureDoc best satisfies all of these requirements. There may, however, be cases where it is not possible to use SecureDoc. In such instances, end-users, in consultation with their local IT support staff, can choose from another approved product in Table 1. For products that do not support their own method of escrow/recovery, the ISO recommends the use of Stache.
If you have questions about these products, or satisfying policy, please do not hesitate to contact the ISO at security@utexas.edu.
Table 1: Approved Encryption Methods
Encryption Technology |
Escrow Method |
Operating System(s) Supported |
Whole-Disk Encryption? |
Cost |
More Information |
|---|---|---|---|---|---|
WinMagic SecureDoc |
SecureDoc Enterprise Server |
Windows / Mac / Linux |
Yes |
None |
|
Microsoft Bitlocker |
Active Directory (in some cases), Stache |
Windows Vista / Windows 7 |
Yes |
None |
http://technet.microsoft.com/en-us/library/dd548341%28WS.10%29.aspx |
Apple FileVault (1) |
Stache |
Mac |
No |
None |
http://docs.info.apple.com/article.html?path=Mac/10.6/en/8727.html |
Linux Unified Key Setup (LUKS) Encryption |
Stache |
Redhat Enterprise 6 |
Yes |
None |
|
TrueCrypt (2) |
Stache |
Windows 7/Vista/XP, Mac OS X, and Linux |
Windows only |
Open-Source |
|
Self-Encrypting Drive (SED) (3) |
SecureDoc Enterprise Server, Stache |
Windows / Mac / Linux |
Yes |
Depends on size, storage technology, and vendor. |
The SED chosen must be compliant with the OPAL specification. Check with the vendor to ensure compliance. |
(1) FileVault can only encrypt a user's home directory or selected disk images; it does not encrypt the operating system partition and is therefore not considered whole disk encryption. Because of this, FileVault is only an acceptable encryption method in the limited situations where SecureDoc (or another whole disk encryption solution) is not feasible (e.g. Boot Camp users).
(2) TrueCrypt can only encrypt the operating system partition on Windows systems; the Mac and Linux versions of TrueCrypt do not support this feature. TrueCrypt, by itself, is only an acceptable encryption method for Mac and Linux in cases where another whole disk encryption product (e.g. SecureDoc, LUKS, etc.) is not feasible. For Mac BootCamp users, TrueCrypt may be used to encrypt the Windows partition.
(3) Self-Encrypting Drives provide low-latency, hardware-level encryption and are available from a number of manufacturers. In order to ensure minimum standards are met, only SEDs that meet the OPAL specification are approved. Seagate, Hitachi, and Toshiba are a few examples of manufacturers that make OPAL compliant SEDs. Check with your vendor to ensure compliance.
