Security
REVIEW
Gone in 6.0 Seconds

  September 30, 2002
  By Mike DeMaria



Disk-Encryption Software

Products Reviewed: WinMagic SecureDoc 3.1 | Pointsec Mobile Technologies Pointsec PC 4.0 | PC Guardian Encryption Plus Hard Disk

You can encrypt files individually, either file by file or as whole folders, or you can encrypt an entire drive. Each method has advantages: When you encrypt individual files with third-party software, you can send them across a network knowing that the files won't be accessible to anyone who does not have the password and the encryption software loaded. Whole-drive encryption, on the other hand, prevents data theft if a computer is stolen. We looked at a trio of disk-encryption offerings: PC Guardian's Encryption Plus Hard Disk, Pointsec Mobile Technologies' Pointsec PC 4.0 and WinMagic's SecureDoc 3.1.

File-level encryption is a well-understood process. Commonly used encryption schemes include AES (Advanced Encryption Standard), Blowfish and 3DES with keys varying from 56 to 256 bits in length, and all sorts of single-file and folder-encryption products are available, including some shareware and freeware. Some encryption products require you to decrypt the data with the same computer (or key) with which it was encrypted. Other products let you encrypt/decrypt with a password. The user's needs should determine which method you use.

A huge number of file- and folder-encryption programs are on the market, with little differentiation, so we decided to take a look at two: Microsoft EFS because it's built into Windows 2000 and up, and PC Guardian's Encryption Plus File. You'll find our evaluation of these products here.


To protect temporary files, swap files and printer spools, you need to encrypt the entire drive. Because the entire file system is encrypted, including the OS, drive-encryption software must load before the OS. Normally, after you power on a computer and it goes through its memory test, the boot loader will load the OS. When you install drive-encryption software, it modifies the boot loader so that the encryption software runs instead of Windows on boot. The encryption software then authenticates the user, and, on success, loads Windows. This is a much more complicated procedure than simple file or folder encryption--the point of these products is to protect the data from a thief who gets his or her hands on the hard drive, not to secure the data when copied or transmitted.

The three drive-encryption products we evaluated load on bootup, request a user name/password login or token, and then perform on-the-fly decryption and load the OS. Because the OS is encrypted, users must enter the decryption key (password or token) to boot the system. If they forget the password, an administrator can override the user's password.

Files remain encrypted on the drive. However, they are in the clear when sent over the network or copied to a removable disk or unencrypted partition/drive. When we analyzed the disk after encryption, the entire drive was encrypted except for some bootstrap code. Some features to look for are multiuser support, recovery keys, administrator overrides, centralized management and integration with PKI (public key infrastructure) and tokens, in addition to user name/password authentication.

Also, there is a difference between full-drive encryption and virtual-drive encryption. Software that performs virtual-drive encryption creates a single large encrypted file on a disk, which is presented to Microsoft Windows as a logical mountable drive. It acts like a container.

Emulation software (such as VirtualPC on the Apple Macintosh) and disk-image files have been doing this sort of thing for years. However, these virtual drives offer the same level of protection as folder-level encryption--in other words, the swap file and temporary files are unencrypted. Be careful: Sometimes the product marketing won't make this distinction clear.
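The disk analysis mentioned above can be approximated with a per-chunk entropy scan of a raw disk image, which also exposes the plaintext a virtual-drive product leaves outside its container. This is an added example, not the reviewers' method or any vendor's tool; the 7.5-bit threshold, the function names and the two constructed test images are assumptions.

```python
import math
import os
from collections import Counter

SECTOR = 512
CHUNK = 8 * SECTOR  # 4 KiB gives a stable entropy estimate per chunk

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def plaintext_regions(image: bytes, threshold: float = 7.5):
    """Return (first_sector, last_sector) runs with entropy below threshold.

    Good ciphertext looks like random data, so low-entropy runs are
    candidates for unencrypted content (boot code, swap, temp files).
    """
    runs = []
    for off in range(0, len(image), CHUNK):
        if entropy(image[off:off + CHUNK]) < threshold:
            first = off // SECTOR
            last = (min(off + CHUNK, len(image)) - 1) // SECTOR
            if runs and runs[-1][1] + 1 == first:
                runs[-1] = (runs[-1][0], last)  # extend the previous run
            else:
                runs.append((first, last))
    return runs

def make_image(swap_in_clear: bool) -> bytes:
    """Constructed 256 KiB test image; os.urandom stands in for ciphertext."""
    boot = (b"\xfa\x33\xc0\x8e\xd0" * 1639)[:CHUNK]  # fake bootstrap code
    body = bytearray(os.urandom(63 * CHUNK))
    if swap_in_clear:
        # Virtual-drive case: a swap-like region outside the container
        # holds repetitive plaintext (constructed sample data).
        body[20 * CHUNK:24 * CHUNK] = (b"user=alice;pin=0000;" * 820)[:4 * CHUNK]
    return boot + bytes(body)

if __name__ == "__main__":
    for label, clear in (("full-drive", False), ("virtual-drive", True)):
        print(label, plaintext_regions(make_image(clear)))
```

High entropy alone does not prove encryption, since compressed data also scores high, so treat the output as a list of regions to inspect rather than a pass/fail verdict.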

WinMagic SecureDoc 3.1

SecureDoc encrypts drives with DES, 3DES and AES. It also lets you encrypt individual floppy disks with the same encryption key or a key shared among a few people. We were able to encrypt two floppy disks with two different keys. The advantage here is you can protect and hide data from multiple departments within your organization. This is a unique feature--none of the other vendors supports removable drive encryption--and is enough to make SecureDoc our Editor's Choice.

Disks can be encrypted and shared among a group, which is a common activity, or reserved for the lone user. In addition, you can store the encryption key on the floppy disk instead of the hard drive, thus requiring the floppy in addition to user name/password and acting as a token. Another feature supported is locking down the removable drives. We were able to prevent the user from accessing the floppy drive, though the efficacy of this feature comes into question when you consider that the files can be uploaded easily off the computer via HTTP or FTP.

SecureDoc 3.1 Disk Encryption Software, $159 (individual license). WinMagic, (905) 502-7000, (888) 879-5879. http://www.winmagic.com

Pointsec Mobile Technologies Pointsec PC 4.0



Pointsec has fewer features than SecureDoc, but still offers a lot of options. Encryption is done via Blowfish or CAST, and the product lets you create multiple users and groups, and offers smartcard integration. Like all the products we evaluated, there is support for the administrator to generate a one-time login password in case the user forgets his or her password and needs to change it.

Users can be granted or denied access to individual partitions. However, Pointsec PC can't encrypt removable media. The initial encryption process (after installing the product) runs in the background while Windows is loaded. This means users can continue to work as a drive is being converted to an encrypted format. SecureDoc also offers this capability; PC Guardian's product does not. Seeing as it took us several hours to encrypt a 9-GB drive, this is a useful capability.

Pointsec PC 4.0, $42,580. Pointsec Mobile Technologies, (925) 256-2500, (800) 579-3363. http://www.pointsec.com

PC Guardian Encryption Plus Hard Disk



This product was the simplest to use and administer, but it is less feature-rich than its competitors. The program is limited to one user login/password per machine. There is no support for tokens or PKI integration, and the product will encrypt only the primary hard drive. It does, however, offer master password capabilities, custom installer-package creation and one-time password overrides. This product seems best suited for individuals and smaller departments, especially those that want an easy-to-configure package. For large installations that require good key management, multiple users and PKI, the other products would be a better choice.

Encryption Plus Hard Disk, $99.95 per seat (50 seat minimum). PC Guardian, (415) 459-0190, (800) 288-8126. http://www.pcguardian.com

