Re: [FDE] FDE Digest, Vol 32, Issue 4


Wall, Kevin

Jun 10, 2009, 2:15:13 PM
to f...@www.xml-dev.com
Bryan Glancey wrote...

> I would suggest a quick scan of the press releases for the
> Major FDE players gives you a good sense.
...snip...
> WinMagic - Mount Sinai (Laptops & Desktops)
> Pointsec / CheckPoint - Wells Fargo (Laptops and Desktops)
> Guardian Edge - VA Affairs (Laptops and Desktops)
> Mobile Armor - Army (Laptops & Desktops) , Navy (Laptops &
> Desktops) (Listed Myself last :) )
>
> Generally, I would tell you from doing this for almost 15
> years now and working with every major vendor in this market
> - that companies usually lead with encrypting laptops but
> follow with encrypting all machines. Regulated
> industries, particularly Financial Services, lead this due to
> the audit findings and fines related to GLBA.

I would think that one reason for this is that TPM is not nearly
as common in desktop models as in laptops and the best FDE leverages
TPM. In fact, you hear in many web forums, mailing lists, etc. how
TPM is not really even needed on desktop PCs anyway. But once TPMs
reach some critical mass on desktops, then FDE on desktops might start
becoming more common.

-kevin
---
Kevin W. Wall Qwest Information Technology, Inc.
Kevin...@qwest.com Phone: 614.215.4788
"Linux *is* user-friendly. It's just choosy about its friends."
- Robert Slade, http://sun.soci.niu.edu/~rslade/bkl3h4h4.rvw

_______________________________________________
FDE mailing list
F...@www.xml-dev.com
http://www.xml-dev.com/mailman/listinfo/fde

Dmitry Obukhov

Jun 11, 2009, 2:45:21 PM
to f...@www.xml-dev.com
Hi Kevin,

I would like to clarify that TPM is not necessary for SED. Host software may
use TPM as one of the authentication factors, but is not required to do so.
So, TPM is not a factor limiting SED on desktops. Even more, there are no
technical factors limiting SED on desktops.

I think the main factor is the customer's perception of a house as a safe
place, so the data stored in the safe place is considered safe too. It was
more or less true some years ago, but it is not anymore. However, we have to
deal with inertia in perception. It will take some time for the general
public to understand the threats.

WBR,
Dmitry Obukhov
Samsung Secure Storage

Garrett M. Groff

Jul 1, 2009, 11:26:56 AM
to f...@www.xml-dev.com
In response to Kevin...

TPMs are rapidly becoming a normal part of desktops and laptops, thankfully.

My concern with FDE and TPMs is that, thus far, the only FDE vendor that
seems to utilize the TPM for *pre-boot integrity checking* (rather than just
cryptographic key storage) is BitLocker. BitLocker stores startup component
hashes in the TPM PCRs (platform config registers), as well as the
cryptographic key for the data on BL-encrypted volumes. Pre-boot integrity
checking mitigates a compelling attack vector for attackers and also allows
for secure "transparent operation" (meaning that no key/password is required
provided no boot components have been modified)*.

While it's possible that other software-based FDE vendors do pre-boot
integrity checking as well, I've found no information on their web sites
that they use the TPM for anything besides secure key storage.

* Note: I realize that transparent operation (Basic Mode, in BitLocker
terminology) is not nearly as safe as requiring a password/PIN/token due to
attack vectors against the OS, RAM attacks, etc. But it's much safer than
transparent operation mode *without* a TPM, which is little more than
security by obscurity.

- Garrett
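As an added illustration (not code from this thread, nor BitLocker's own implementation), the following Python simulates the mechanism Garrett describes: each boot component is measured into a PCR by hash-extending, the volume key is sealed to the resulting PCR value, and a modified boot component changes the measurement so the key is not released. The component contents, the SimulatedTpm class and its HMAC-based sealing construction are constructed assumptions for the demo; a real TPM enforces the PCR policy inside the chip.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for firmware, boot manager and OS loader images;
# a real measured boot hashes the actual binaries.
BOOT_COMPONENTS = [b"firmware-v1", b"bootmgr-v1", b"osloader-v1"]

def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || H(component)).
    A PCR can only be extended, never set, so a change to any component
    (or to the order of measurements) yields a different final digest."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(components) -> bytes:
    pcr = bytes(32)  # PCRs are zeroed at platform reset
    for component in components:
        pcr = extend(pcr, component)
    return pcr

class SimulatedTpm:
    """Software simulation (assumption, not a real TPM API) of sealing:
    the key is released only when the PCR presented at unseal time
    matches the one the key was sealed against."""
    def __init__(self):
        self._srk = os.urandom(32)  # storage root key, never leaves the 'chip'

    def _mask(self, pcr: bytes) -> bytes:
        return hmac.new(self._srk, b"mask" + pcr, hashlib.sha256).digest()

    def _tag(self, key: bytes) -> bytes:
        return hmac.new(self._srk, b"tag" + key, hashlib.sha256).digest()

    def seal(self, vmk: bytes, pcr: bytes) -> dict:
        blob = bytes(a ^ b for a, b in zip(vmk, self._mask(pcr)))
        return {"blob": blob, "tag": self._tag(vmk)}

    def unseal(self, sealed: dict, current_pcr: bytes):
        candidate = bytes(a ^ b for a, b in zip(sealed["blob"], self._mask(current_pcr)))
        # Wrong PCR -> wrong mask -> tag mismatch -> no key released
        return candidate if hmac.compare_digest(self._tag(candidate), sealed["tag"]) else None

def transparent_boot(tpm, sealed, components):
    """Returns the volume key for an unmodified boot chain, None otherwise."""
    return tpm.unseal(sealed, measure_boot(components))

def demo():
    tpm, vmk = SimulatedTpm(), os.urandom(32)
    sealed = tpm.seal(vmk, measure_boot(BOOT_COMPONENTS))
    unlocked = transparent_boot(tpm, sealed, BOOT_COMPONENTS) == vmk
    tampered = [BOOT_COMPONENTS[0], b"bootmgr-TAMPERED", BOOT_COMPONENTS[2]]
    return unlocked, transparent_boot(tpm, sealed, tampered) is None
```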
