This story has become all too familiar: a mid-level employee leaves the office with a pile of private data on his or her laptop, and then the computer is lost or stolen. Employee loses job, employer is humiliated, customers are angry. It’s become obvious that computing support pros and system admins should be doing everything they can to protect proprietary data and protect our colleagues from doing stupid things with it. When media pundits started recommending drive-level encryption though, I literally groaned aloud.
Sure, there are some environments where security must be priority number one. I’d certainly be ticked off if my government or my insurance company let my personal info out into the wild through negligence. But from my position as a computing support pro, I think drive-level encryption is a pain. I might be able to test the hardware by booting from an alternate source or from an administrator account, but drive-level encryption means that there’s almost no software testing that I can do from within the owner’s profile without asking the owner to breach the security in place. I also worry about the password-management crises that could arise from widespread use of disk encryption. Ask any helpdesk tech how often passwords have to be reset because they have been forgotten. A forgotten password means lost data on an encrypted computer.
I think whole-disk encryption is overkill for most environments and users; who really needs their Programs folder encrypted, anyway? Even those tools that allow users to encrypt their entire home directory are probably more than most people need. Why make it more difficult for a support tech to troubleshoot your profile or recover your files for you?
My preferred solution is to use encrypted disk images to store only the sensitive information, and then leave everything else in the clear. That way, private data is protected, and the security is managed separately from the users account credentials. Best of all, the OS and user profile remain unencrypted, so I can easily service them when that’s required.
My favorite tool for creating secure disk images is TrueCrypt, an open-source encryption utility that’s implemented for Windows, Mac OS, and Linux. TrueCrypt is free and will let you encrypt a portion of the files on your storage device, or even the whole darn thing if that’s your preference. One reason I’m a real fan of TrueCrypt is that its encryption is interoperable across platforms. A Linux TrueCrypt installation can decrypt a Windows disk that was encrypted with the Windows build of TrueCrypt. For a support guy like me, finding one program that works on all the machines I manage, regardless of platform, is better for my users in the long run.
What about you? Are you convinced that whole-drive encryption is the only way to be safe? What’s your tool of choice for managing your disk encryption? Have you faced any support issues on the heels of this security policy? Let me hear about it in the comments.