We tested TDM on Embassy Trust Suite and ERAS using a pair of Dell Lattitude E6400s. One had a Seagate Momentus 160GB, 7200 RPM hard disk and the other had a Samsung PB22-JS3 Full Disk Encryption (FDE) solid state drive. Both laptops were part of the domain, but only one drive was managed by ERAS. The other was managed with Wave's Embassy Security Center locally so we could get a feel for local administration. In an enterprise environment, you definitely want ERAS to make it easier to support multiple laptops.
Unlike software disk encryption which either encrypts the drive or not, encrypting hard drives are always encrypting and decrypting the data written to and read from the drive. A drive becomes protected when user credentials--an account and password--is added to the drive. The user credentials encrypt the drive Media Encryption Key. A successful login to the drive decrypts the Media Encryption Key, granting access to the drive. The Media Encryption Key never leaves the drive. Multiple user accounts can be assigned to the drive, and each account will have its own copy of the Media Encryption Key encrypted with the user password. If you want to wipe the drive, you can have ERAS generate a new drive Media Encryption Key. NIST is considering making a Media Encryption Key change equivalent to a level-4 wipe, which requires 7 overwrite passes of a drive.
The price premium for an encrypting drive isn't as much as you might think. For example, a Seagate Momentus 160GB, 7200 RPM has a street price of approximately $88, while a similarly sized non-encrypting drive are less. The price difference between encrypting SSDs is difficult to nail down because Samsung's FDE SSD is an OEM product. A Web search showed a range of between $600 and $700 for the Samsung FDE and nonFDE 256GB drives. However, you don't need encrypting drives on all your laptops--just the ones carrying sensitive data.
ERAS is a Microsoft Management Console (MMC) plug-in. The computers in the domain show up in the Computers tab, which displays the computers' status such as drive protection.. There is also an extensive audit log that is sent to Microsoft's event log to track administrative actions . ERAS manages encrypting drives and the Trusted Platform Module (TPM) if it is installed and enabled. Management of trusted drives is fairly hands-off once the drives have been initialized and users have been assigned to them. Multiple users can be assigned to a single laptop, so that a laptop can be shared among many users, or to retain administrative privileges.
Once a trusted drive is managed by ERAS, local management is blocked. A drive administrator can view the trusted drive options, but changes can only be made from ERAS. This feature centralizes control and logging at ERAS and prevents administrators or users that have direct access to a machine from changing trusted drive settings, potentially irretrievably locking a drive. Centralized management also means that computers managed by ERAS must be connected to the ERAS server for changes to take immediate effect. If a computer is not connected, such as a laptop that is out of the office, the configuration changes are queued until the computer connects to ERAS.