Summary
TrueCrypt is a highly regarded, free file system encryption solution that can be used on Microsoft Windows or Linux operating systems. The documentation that comes with it is excellent, so please refer to it to become familiar with the terminology and basic use (e.g. creating file-based “containers”) of TrueCrypt.
I’m going to document how an administrator might deploy TrueCrypt within their organization to protect information residing on the hard drives of employees’ laptop and/or desktop computers. The primary feature covered here is the ability of an administrator to maintain (escrow) a master key that could be used if recovery of the encrypted information becomes necessary and the employee/information holder is not available. I believe that these procedures would be one way of supporting the information protection policy of a corporation.
Basic Idea
Prior to issuing a computer, laptop or otherwise, to an employee, the administrator should use TrueCrypt to create a container on that device where the employee is expected to place information considered sensitive to the company and/or the company’s clients. This protects the confidentiality of this particular information if the hard drive were to fall into unauthorized hands when the computer is powered off or the container is not mounted. TrueCrypt is an excellent choice for this, but what happens if the employee gets hit by a bus, or forgets their TrueCrypt password?
The password and/or key file used during the creation of the container mentioned above will be the master key that should be held in escrow (along with the volume header, mentioned later). Make sure that you are able to mount, and subsequently unmount, the container using the master key before continuing.
With the container unmounted, and TrueCrypt still running, select the file used as the encrypted container. With this file selected, click on Volume Tools and choose Backup Volume Header. The volume header is what makes restoring this container using the master key possible. Therefore you will want to protect it along with the master key (password and/or key file). I suggest writing the volume header to some form of removable media.
Now that the volume header has been secured, within Volume Tools you can select Change Volume Password. Change the volume password to the password that you will give to the new user of the computer (container). Instruct the user to change the volume password to a password of their choosing. They should also back up the volume header after changing their volume password.
If the time comes when the administrator needs to recover the information encrypted in the container, they will need to start TrueCrypt, select the file used as the container, and select Restore Volume Header under Volume Tools. Once the original volume header is restored the master key will unlock the encrypted container.
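Why the escrowed header keeps working after the user changes their password, as an added example (not from the original post, and not TrueCrypt's code): a simplified Python model in which the header holds the key that encrypts the data, wrapped under a key derived from the password. The XOR cipher, the iteration count, the names and the passwords are constructed stand-ins for illustration.

```python
import hashlib
import hmac
import os

MAGIC = b"TRUE"     # marker that identifies a correctly decrypted header
ITERATIONS = 2000   # assumed value for this model only


def _keystream(key: bytes, n: int) -> bytes:
    # Toy stream cipher (HMAC-SHA512 in counter mode); stands in for the real header cipher.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha512).digest()
        counter += 1
    return out[:n]


def _crypt(password: str, salt: bytes, data: bytes) -> bytes:
    # Derive the header key from the password, then XOR (encrypt == decrypt).
    hk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS, 64)
    return bytes(a ^ b for a, b in zip(data, _keystream(hk, len(data))))


def wrap_header(password: str, volume_key: bytes) -> bytes:
    """Header = salt || encrypt(MAGIC || volume_key)."""
    salt = os.urandom(64)
    return salt + _crypt(password, salt, MAGIC + volume_key)


def open_header(password: str, header: bytes):
    """Return the volume key, or None if the password does not fit this header."""
    body = _crypt(password, header[:64], header[64:])
    return body[len(MAGIC):] if body[:len(MAGIC)] == MAGIC else None


def change_password(old: str, new: str, header: bytes) -> bytes:
    """Re-wrap the same volume key; the encrypted data itself is untouched."""
    volume_key = open_header(old, header)
    if volume_key is None:
        raise ValueError("wrong password")
    return wrap_header(new, volume_key)


def escrow_walkthrough() -> dict:
    volume_key = os.urandom(64)                       # fixed when the container is created
    escrow = wrap_header("admin-master", volume_key)  # Backup Volume Header
    live = change_password("admin-master", "issued-pw", escrow)
    live = change_password("issued-pw", "user-own-pw", live)
    return {"admin_on_live": open_header("admin-master", live),               # None
            "user_on_live": open_header("user-own-pw", live) == volume_key,
            "admin_on_escrow": open_header("admin-master", escrow) == volume_key,
            "user_on_escrow": open_header("user-own-pw", escrow)}             # None
```

Because the escrowed header plus the master password opens the container regardless of later password changes, store the two separately and protect them as carefully as the data itself.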
Additional Thoughts
Getting the user to place the organization’s sensitive information in the container, or alternatively a device (encrypted disk partition), may be easier said than done. It should be made clear to the computer user that they are responsible for safeguarding the information residing on that computer, and that the file system encryption offered through TrueCrypt is a tool to help do this.
You will want to make the encrypted volume quite large to accommodate file system growth. You cannot resize the volume after it has been created.
Device-based encrypted volumes supposedly offer better performance than file-based ones.
Once a volume is mounted, anyone logged on to that computer can see the contents of the volume.
Tuesday, April 17, 2007