Analysis of disk encryption technology to guarantee data security

Source: Internet
Author: User

TrueCrypt, PGP, FreeOTFE, BitLocker, DriveCrypt, and 7-Zip: these cryptographic programs provide exceptionally reliable real-time encryption that keeps data secure and guards against loss, theft, and snooping.

Few IT pros need to be told why data security matters, yet we still hear of incidents like this: a computer or hard drive is stolen or lost, and the data on it was stored in clear text, without encryption.

Thankfully, real-time data encryption is no longer an exotic, costly technology. Some encryption programs do more than encrypt a single file: they can create a virtual disk inside a file, or even directly on a partition, and any data written to that virtual disk is encrypted automatically. On modern hardware the encryption overhead is minimal, and no dedicated hardware is required.

This article describes applications for creating and managing encrypted volumes, from the BitLocker encryption program built into Windows Vista to the sophisticated PGP Desktop suite, which also encrypts e-mail and instant messages. You don't even have to spend money to get an exceptionally reliable, well-implemented whole-disk encryption feature; in an enterprise environment, however, features such as manageability and support services are well worth paying for.

Tool 1: TrueCrypt 5.1a

Cost: free / open source

URL: www.truecrypt.org

TrueCrypt has plenty of reasons to be the first whole-disk or virtual-volume encryption solution you try. Beyond being free and open source, the program is well written, easy to use, and rich in data-protection features, and it offers an effective way to encrypt an entire system, including the operating system partition.

TrueCrypt lets you choose among the Advanced Encryption Standard (AES), Serpent, and Twofish ciphers, used alone or in combination (called cascading), and among the Whirlpool, SHA-512, and RIPEMD-160 hash algorithms. There are three basic ways to encrypt data: you can create a file and mount it as a virtual volume, you can turn an entire partition or physical drive into an encrypted volume, or you can encrypt a running Windows operating system volume, with some limitations.

An encrypted volume is protected by a password and, optionally, by a key file as well, for added security: a key file on a removable USB drive, for example, gives you two-factor authentication. If you create a stand-alone virtual volume, the container file can have any size and any name. TrueCrypt itself creates the file and formats it so that it looks no different from random data.
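To show what the password-plus-key-file combination buys you, here is an added Python example (not TrueCrypt's code, and not its real key-file mixing algorithm): the key file's digest is folded into the password before PBKDF2-HMAC-SHA512, so a mount attempt succeeds only when both factors are present. The header, salt, and key-file contents are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

def derive_header_key(password: bytes, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Derive the key that unlocks the volume header.

    Assumed scheme for illustration only (not TrueCrypt's real keyfile mixing):
    the keyfile's SHA-512 digest is appended to the password before PBKDF2, so
    the result depends on both factors and on neither alone.
    """
    material = password if keyfile is None else password + hashlib.sha512(keyfile).digest()
    return hashlib.pbkdf2_hmac("sha512", material, salt, 2000, dklen=64)

def seal_header(key: bytes, header: bytes) -> bytes:
    """Tag the header so a later mount attempt can check it derived the right key."""
    return hmac.new(key, header, hashlib.sha512).digest()

def try_mount(password: bytes, keyfile: Optional[bytes], salt: bytes,
              header: bytes, tag: bytes) -> bool:
    """Mount succeeds only when password and keyfile together reproduce the key."""
    key = derive_header_key(password, keyfile, salt)
    return hmac.compare_digest(seal_header(key, header), tag)

def two_factor_demo():
    """Create a volume protected by password + keyfile, then try three mounts.
    Returns (both factors, password only, keyfile with wrong password)."""
    salt = os.urandom(64)                       # constructed; stored with the header
    header = b"constructed-volume-header"       # stands in for the real header
    password = b"correct horse battery staple"
    keyfile = os.urandom(4096)                  # e.g. a file kept on a USB drive
    tag = seal_header(derive_header_key(password, keyfile, salt), header)
    return (
        try_mount(password, keyfile, salt, header, tag),
        try_mount(password, None, salt, header, tag),
        try_mount(b"wrong password", keyfile, salt, header, tag),
    )
```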

The intent of TrueCrypt is that no encrypted volume or hard drive is recognizable at a glance. There is no visible volume header, no required file name extension, and no other identifying mark. The only exception is an encrypted boot volume, which carries a TrueCrypt boot loader; a future version of the product may be able to hide the entire volume as well, by using a USB thumb drive or an external boot loader on a disc instead. Speaking of which, you can also create a TrueCrypt USB drive for use in "Traveler mode": a copy of the executable that can be installed and run on any machine, as long as the user has administrator privileges.

TrueCrypt also includes the so-called "plausible deniability" feature, the most important part of which is the ability to hide one volume inside another. A hidden volume has its own password, and there is no way to determine whether another volume is hidden inside a TrueCrypt volume. However, if you write too much data to the outer volume, you may destroy the hidden volume; as protection, TrueCrypt offers an option to mount the hidden volume read-only when you mount the outer volume, so that its region cannot be overwritten.
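To make the hidden-volume caveat concrete, here is an added Python model (not TrueCrypt's code or its on-disk format) of an outer volume whose tail holds a hidden volume: the container is random-filled at creation, so without the hidden password the driver cannot tell hidden data from free space, and an outer write that runs past the hidden region silently destroys it unless the outer volume is mounted with hidden-volume protection. The Container class and the sizes used are constructed for illustration.

```python
import os

class Container:
    """Toy model of an outer volume whose tail region holds a hidden volume.
    Constructed for illustration; the real TrueCrypt on-disk layout differs.
    The container is random-filled at creation, so hidden-volume bytes look
    exactly like the outer volume's unused space."""

    def __init__(self, size: int, hidden_size: int = 0):
        assert 0 <= hidden_size < size
        self.size = size
        self.data = bytearray(os.urandom(size))
        # Hidden volume occupies [hidden_start, size); hidden_start == size means none.
        self.hidden_start = size - hidden_size

    def write_hidden(self, data: bytes) -> None:
        self.data[self.hidden_start:self.hidden_start + len(data)] = data

    def read_hidden(self, length: int) -> bytes:
        return bytes(self.data[self.hidden_start:self.hidden_start + length])

    def write_outer(self, offset: int, data: bytes, protect_hidden: bool) -> None:
        """Write through the outer volume. Unprotected, the driver cannot tell
        free space from the hidden volume and overwrites it; protected (outer
        volume mounted with the hidden bounds known), overlapping writes are refused."""
        end = offset + len(data)
        if end > self.size:
            raise ValueError("write beyond end of container")
        if protect_hidden and end > self.hidden_start:
            raise PermissionError("write would overwrite the hidden volume")
        self.data[offset:end] = data

def hidden_volume_demo():
    """Returns (hidden intact after unprotected write, hidden intact with protection)."""
    secret = b"hidden volume payload"
    results = []
    for protect in (False, True):
        c = Container(size=1024, hidden_size=256)  # hidden volume at bytes 768..1023
        c.write_hidden(secret)
        try:
            c.write_outer(700, b"\x00" * 200, protect_hidden=protect)  # spills past 768
        except PermissionError:
            pass
        results.append(c.read_hidden(len(secret)) == secret)
    return tuple(results)
```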

If you use system disk encryption, the actual encryption pass takes some time, but it can be paused and resumed later (you may want to run it overnight with the PC in a locked room). The program insists on creating a rescue disc, which can be used to boot the computer in the event of a disaster. (One limitation: you cannot encrypt a Windows system that dual-boots via a non-Windows boot loader.)

Tool 2: Windows Vista BitLocker

Cost: included in Vista Ultimate and Vista Enterprise Edition

URL: technet.microsoft.com/en-us/windowsvista/aa905065.aspx

Only the Enterprise and Ultimate editions of Vista include BitLocker, which is designed specifically to perform system volume encryption. Unlike the other products described in this article, it is not primarily intended for encrypting removable volumes or for creating virtual volumes. It was developed from the outset with centralized management in mind, through Active Directory and Group Policy.

Unlike TrueCrypt's system disk encryption, BitLocker requires at least two volumes on the target system: one to hold the boot loader and another to hold the encrypted system files. An existing system can be repartitioned with the BitLocker Drive Preparation Tool (Microsoft now provides this extra tool for BitLocker-capable systems), but you can also set up the partitions manually on a system that has not been prepared.

When you encrypt a volume with BitLocker, there are three basic choices for how users are authorized to access the encrypted volume. If the computer has a Trusted Platform Module (TPM), it can be used in conjunction with a personal identification number (PIN). The second option is to create a removable USB drive containing the authorization data, again used together with a PIN, but only if the computer can boot from a USB-connected device. If you choose this method, BitLocker runs a boot test before the disk is encrypted to make sure the system can boot from the USB device. The third option is for users to enter a PIN alone, but the PIN will be fairly long (25 characters or more) and can only be assigned by the operating system.

As with any other whole-disk encryption system, the slowest part is actually encrypting the drive; it took about 3.5 hours to encrypt my laptop's 75GB hard drive. Fortunately, BitLocker can perform this task in the background while other work proceeds, and the system can even be shut down and the encryption resumed later if necessary (my advice is to leave the computer in a locked room to encrypt overnight). If an administrator needs to access or decrypt a volume, the volume's encryption key can also be saved to Active Directory. If you are not in an Active Directory domain, you can instead back up the key manually to a file, which of course must be strictly protected.

Finally, although BitLocker initially protects only the operating system volume, it is possible to encrypt a non-system volume manually using the Vista command-line interface.

Tool 3: Dekart Private Disk 1.2

Cost: USD 45 per user

URL: www.dekart.com

While Dekart Private Disk functions like other cryptographic programs, there is, frankly, at least one feature that makes it not worth recommending.

First of all, Dekart Private Disk's feature set is only slightly more useful than that of the two free/open source products introduced in this article. Users can create virtual volumes, back up the volume headers of encrypted disks, control the mounting and unmounting of disks based on user activity, and so on. The only feature that really matters, and that the other products lack, is the disk firewall, which you can use to grant or deny specific programs access to the encrypted disk.

The best indication that Private Disk was not designed with security in mind from the outset is the "recovery option", which attempts to determine the password of a private disk by brute-force attack. No professional encryption product has such a function at all. It's like buying a deadbolt for your front door and finding that it comes with a set of lock picks, "in case you lose your key".

Since the vast majority of Private Disk's features are available for free elsewhere, and are better implemented there, it is hard to endorse paying for it.

Tool 4: DriveCrypt

Cost: EUR 59.95 per user (USD 88.73)

URL: www.securstar.com

SecurStar's DriveCrypt has main functions similar to those of TrueCrypt and FreeOTFE (described below): you can create an encrypted container from a file or an entire disk, hide one encrypted drive inside another, and so on. For more advanced features, such as full disk encryption, you need to add the DriveCrypt Plus Pack (USD 185). Whether DriveCrypt's extra features are worth the price is a matter of opinion, because many people feel that the free products offer the same functional portfolio.

If you have used a similar product before, most of the encryption features in the standard version of DriveCrypt will behave as you expect. You can create a virtual encrypted disk in a file or partition, automatically lock the disk after a period of inactivity, and create a hidden disk inside a disk. DriveCrypt also lets you mount disks created by previous versions of the product (ScramDisk and E4M), so if you migrate from one of those to the new version you won't be left out.

It has features that the free products lack, including the ability to resize existing encrypted disks at will and an administrator key escrow service (although the latter can be approximated in TrueCrypt and FreeOTFE only by manually backing up the volume headers).

Another DriveCrypt feature is the "DKF access file", which allows a third party to access an encrypted volume without needing the volume password. A DKF key can carry various restrictions: it can have its own password (unrelated to the password on your disk), expire after x days, or be valid only for a certain period. This provides some control over who can access the encrypted drive.
