PGP - Whole Disk Encryption

REM

I've been wondering why someone hasn't done this before. It sounds
very interesting and useful in securing notebooks and such. Has anyone
heard of any freeware projects that are working on this:

http://www.pgp.com/downloads/beta/desktop/index.html

"PGP Whole Disk – Coming Soon

PGP Whole Disk protects the entire contents of desktop and laptop
disks, external drives, and USB flash drives using trusted PGP
technology.

PGP Whole Disk adds a full disk encryption product to the PGP product
line, allowing customers to purchase all their email, disk, mobile,
and FTP/batch encryption products from a single vendor. Available for
single desktop to large enterprise deployments, PGP Whole Disk
includes features required by customers large and small.

PGP Whole Disk protects the entire hard disk—including the operating
system, applications, and data files—making it unreadable by anyone
without the proper access credentials. Centralized preconfiguration
lets administrators set and lock policy settings and create a
customized installed. Centralized policy management allows changes and
updates to be automatically distributed via LDAP directories.

PGP Corporation now offers both a volume/file encryption product (PGP
Corporate Disk) and the new PGP Whole Disk product, allowing customers
to mix-and-match disk encryption solutions to meet their specific
needs.

Availability
PGP Whole Disk will be available at the same time as the next major
PGP Desktop release. PGP Whole Disk will be a new and separate PGP
product; an upgrade path will be available to all customers with
current PGP Desktop or PGP Corporate Disk licenses.

Last updated: 22 Apr 2005"
 
Wayne D

Here's one that you may want to try in the interim.

CompuSec PC Security Suite

http://www.snapfiles.com/get/compusec.html

"CompuSec PC Security Suite is a security software that uses pre-boot
authentication and full hard disk encryption as well as encryption of
floppy disks and other removable media. The pre-boot access control
requires you to enter your UserID and password before the system will
boot up. There are two encryption methods available, one that will keep
your data encrypted prior to boot, and one that will encrypt data
on-the-fly. If the data is encrypted before boot, your hard disk can only be
accessed with the proper password (even removing the hard drive would
still keep it protected). The Full Hard Disk Encryption uses AES with
fast encryption speeds to keep your data private and secure. The program
can also encrypt floppies and other removable media, so that the files
are only accessible by the authorized user. It currently only supports a
single-user pre-boot logon. CompuSec PC Security Suite is completely free
and not limited in features. The developers also create hardware
e-identity devices that are compatible with the software and allow logon
with a USB or Smartcard key instead of typing a password. Since the
software needs to modify the Master Boot Record, it is important that you
disable any anti-virus software during installation, otherwise the
install will fail."

Regards

Wayne D
 
Rili

http://truecrypt.sourceforge.net/

T r u e C r y p t


Free open-source disk encryption for Windows XP/2000/2003


Main Features:

* It can create a virtual encrypted disk within a file and mount it
as a real disk.

* It can encrypt an entire hard disk partition or a device, such as
USB memory stick, floppy disk, etc.

* Provides two levels of plausible deniability, in case an
adversary forces you to reveal the password:

1) Hidden volume (more information may be found here).

2) No TrueCrypt volume can be identified (TrueCrypt volumes
cannot be distinguished from random data).

* Encryption algorithms: AES-256, Blowfish (448-bit key), CAST5,
Serpent (256-bit key), Triple DES, and Twofish (256-bit key). Supports
cascading (e.g., AES-Twofish-Serpent).

* Based on Encryption for the Masses (E4M) 2.02a, which was
conceived in 1997.

Further information regarding the features of the software may be
found in the documentation.


What is new in TrueCrypt 3.1a (released February 7, 2005)


Statistics (number of downloads and page views): Past 30 days |
Monthly [temporarily suspended]
 
Mel

Wayne D said:
Here's one that you may want to try in the interim.

CompuSec PC Security Suite

http://www.snapfiles.com/get/compusec.html

"CompuSec PC Security Suite is a security software that uses pre-boot
authentication and full hard disk encryption as well as encryption of
floppy disks and other removable media. The pre-boot access control
requires you to enter your UserID and password before the system will
boot up. There are two encryption methods available, one that will keep
your data encrypted prior to boot, and one that will encrypt data
on-the-fly. If the data is encrypted before boot, your hard disk can only be
accessed with the proper password (even removing the hard drive would
still keep it protected). The Full Hard Disk Encryption uses AES with
fast encryption speeds to keep your data private and secure. The program
can also encrypt floppies and other removable media, so that the files
are only accessible by the authorized user. It currently only supports a
single-user pre-boot logon. CompuSec PC Security Suite is completely free
and not limited in features. The developers also create hardware
e-identity devices that are compatible with the software and allow logon
with a USB or Smartcard key instead of typing a password. Since the
software needs to modify the Master Boot Record, it is important that you
disable any anti-virus software during installation, otherwise the
install will fail."

Did you download this recently? The download link and home page link
seem to be dead.

http://www.ce-infosys.com/
 
Rili

Hmmn, don't know.

It is a pretty simple program to use. You might have to check that out
for yourself.

You can also download the last free version of PGPDisk here

http://www.pgpi.org/products/pgpdisk/

But I found it had a few bugs, that is why I switched to truecrypt which
works quite well.
 
Marten Kemp

Chrissy said:
What happens when you encrypt an already encrypted file with a different
encryption version?

It'll work, but you'll probably have to decrypt the file
in the reverse order of encryption (encrypt with method A
then with method B, decrypt with method B then with A).
 
REM

http://truecrypt.sourceforge.net/
T r u e C r y p t
Free open-source disk encryption for Windows XP/2000/2003

Chrissy said:
What happens when you encrypt an already encrypted file with a different
encryption version?

Then you have layers of protection. An encrypted volume can be
inserted into another encrypted volume that can be inserted into
another, all using varying encryption algorithms. Each encrypted
volume is a single file that is simply copied into another open
volume.

I've never really tried encrypting a single file multiple times, but
there should be no problems, as long as you recall the passphrases to
decrypt in reverse order.
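
The layering described in the two replies above, as an added example that is not part of any post in this thread: each layer is sealed with its own passphrase and a different keystream construction standing in for "method A" and "method B", and the layers open only in the reverse of the order they were applied. The hash-based keystream is a toy stand-in for a real cipher, and the function names, passphrases and sample plaintext are constructed for illustration.

```python
import hashlib, hmac, os

def _keys(passphrase: str, salt: bytes):
    # Stretch the passphrase; first half encrypts, second half authenticates.
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000, 64)
    return k[:32], k[32:]

def _keystream(algo: str, key: bytes, n: int) -> bytes:
    # Toy counter-mode stream built from a hash; stands in for a real cipher.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.new(algo, key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def seal(algo: str, passphrase: str, data: bytes) -> bytes:
    """Wrap data in one layer: salt || ciphertext || HMAC tag."""
    salt = os.urandom(16)
    ek, mk = _keys(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(algo, ek, len(data))))
    return salt + ct + hmac.new(mk, salt + ct, "sha256").digest()

def unseal(algo: str, passphrase: str, blob: bytes) -> bytes:
    """Remove one layer; raises ValueError on wrong passphrase or wrong order."""
    salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    ek, mk = _keys(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(mk, salt + ct, "sha256").digest()):
        raise ValueError("layer does not open: wrong passphrase or wrong order")
    return bytes(a ^ b for a, b in zip(ct, _keystream(algo, ek, len(ct))))

def demo():
    secret = b"constructed sample plaintext"            # constructed input
    inner = seal("sha256", "passphrase A", secret)      # method A first
    outer = seal("blake2b", "passphrase B", inner)      # then method B on top
    # Reverse order (B, then A) recovers the plaintext.
    ok = unseal("sha256", "passphrase A", unseal("blake2b", "passphrase B", outer))
    try:
        unseal("sha256", "passphrase A", outer)          # A first: wrong order
        wrong_order = "opened"
    except ValueError:
        wrong_order = "rejected"
    return ok, wrong_order, len(outer) - len(secret)
```

Each layer adds 48 bytes of salt and tag here, so every wrapper is slightly larger than what it contains.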
 
Mel

REM said:
Then you have layers of protection. An encrypted volume can be
inserted into another encrypted volume that can be inserted into
another, all using varying encryption algorithms. Each encrypted
volume is a single file that is simply copied into another open
volume.

I've never really tried encrypting a single file multiple times, but
there should be no problems, as long as you recall the passphrases to
decrypt in reverse order.

So if you Encrypt your entire Hard Disk multiple times then wipe the
disk to DOD standards - How long will it take for them to recover the
files that were on your Hard Disk?
 
Helen

Mel said:
So if you Encrypt your entire Hard Disk multiple times then wipe the
disk to DOD standards - How long will it take for them to recover the
files that were on your Hard Disk?

With special equipment they could still read it electromagnetically. Once it's on the HD
in a sense, it's always there. FWIW, when DOD gets rid of computers, they take out
the HDs and smash them with sledge hammers....the other precautions are only
intra-agency.
 
old john

hi mel, you say `then wipe the disk`. why encrypt if you are going to wipe.
if you want to wipe a disk completely for safety reasons use something like
Wipedisk!. you can input a pattern to write if you wish.
hope this helps. best wishes..J
 
Mel

old john said:
hi mel, you say `then wipe the disk`. why encrypt if you are going to wipe.
if you want to wipe a disk completely for safety reasons use something like
Wipedisk!. you can input a pattern to write if you wish.
hope this helps. best wishes..J

After you wipe the disk it can be disassembled and the platters placed
in special equipment which will read the entire disk (the read heads are
more sensitive than the ones in your hard disk) in very small increments
(smaller than the track spacing). This allows reading of fringe
magnetism on either side of the track which contains a ghost image of
what was formerly written in the track before wiping.

So if the hard disk is Encrypted the recovered ghost image will then
have to be decrypted in order to get the data that was stored on the
hard disk. (The data would have to be Encrypted before writing the data
to the disk, not after.) And if the data was encrypted multiple times before
writing to the hard disk it would be pretty difficult to recover and
decrypt.

But there is no better security than grinding the platters into powder.
 
REM

Mel said:
So if you Encrypt your entire Hard Disk multiple times then wipe the
disk to DOD standards - How long will it take for them to recover the
files that were on your Hard Disk?

I'm no expert in disk forensics. I simply assume that there have been
vast improvements since Gutmann published his findings, for reason of
national security and such.

While the method you list above will probably stop all but the most
dedicated and sophisticated attacks, the real security is in having
the sensitive files in an encrypted volume and then wiping the file
that makes up the encrypted volume.

I don't think that the base volume will work unless every bit is set
correctly. So, first the attacker would have to replicate the file
_exactly_, and then they could start the process of trying to brute
force, or whatever means of attack, to hack the encrypted file.

Truth be told, we don't know just how much success the govt. has made
in other methods of hacking an encrypted volume. I've read of all
sorts of hypotheses for ways to decrypt without brute force. I've
heard of no real results from these methods.

I'd guess that making a large encrypted volume, say 1 gig or so to
complicate greatly the ability to replicate bit for bit after wiping,
with one algorithm, then creating a slightly larger volume with
another algorithm and placing the first inside, then a third, then a
fourth would result in such a bit jumbo that it would be impossible to
recreate the bit pattern of any volume after a good wiping.

The only file that would require wiping is the final wrapper that
contains the three other volume files. If you hit that with a full
Gutmann wipe and then wipe the free space with DOD I "feel"
certain that the data contained in the first (working) volume can
never be recreated. I seriously doubt that even the wrapper bit
pattern can be recreated, but if it is they face the first challenge
of breaking the algorithm used, and then the second, and then the
third, and finally the fourth, after the bit patterns for each of
these is recovered = NULL.


1996 paper:

http://www.cs.auckland.ac.nz/~pgut001/pubs/secure_del.html


Home Page:

http://www.cs.auckland.ac.nz/~pgut001/
 
David

Mel said:
So if you Encrypt your entire Hard Disk multiple times then wipe the
disk to DOD standards - How long will it take for them to recover the
files that were on your Hard Disk?

About half an hour if you believe those peddling the eraser programs.
 
David

Helen said:
With special equipment they could still read it electromagnetically. Once it's on the HD

I do not believe this. No such equipment is available for sale
anywhere in the world.

Helen said:
in a sense, it's always there. FWIW, when DOD gets rid of computers, they take out
the HDs and smash them with sledge hammers....the other precautions are only
intra-agency.

More government waste.
 
