Hard Disk Encryption
 

I've searched and then read several threads on hard disk encryption. I use Pointsec on a machine provided by a client, so understand locking out before boot and encrypting a whole drive.

What I want to to do is encrypt a drive or key folders on my personal machine. I would like something that is free, easy to install and use, won't lock me out of my data (password recover?). I read the forum items on TrueCrypt and somewhere came across Compusec. What do you FT experts recommend?

Why not just use TrueCrypt?

I'm playing with TrueCrypt right now.

I guess I'm not sure of the finer points/value gained lost between using something like TrueCrypt and CompuSec. Would I just be overly paranoid at using a free equivalent to Pointsec (CompuSec) vs. TrueCrypt?

I use PGP's Whole Disk Encryption Product and am really happy with it. The system won't even boot without the decryption password.

Just had a project at work for this exact subject. We chose PGP's Whole Disk encryption for the individual laptops, seems like the retail was like $150 a seat, but I think it can be had for much less online.

TrueCrypt is the best if you want to make an extra drive (ie: D: drive) on your laptop that is your "encrypted" drive. On work machines I used TrueCrypt (it's free, too) and keep all my work stuff on the "open" regular C: drive and personal stuff like family phone lists or whatever I keep on the encrypted "D:" TrueCrypt drive.

PGP was the best solution for someone that wants 100% of the laptop data useless if stolen and the Enterprise version allows the help desk to give a user a temp password if they forget their boot password. Well done product.

There are other products I had to review for this project but it came down to these two - PGP Whole Disk for the complete full-disk encryption, TrueCrypt for the "additional drive" type volume encryption.

Does this slow the system at all to a noticeable level? I've heard that Macs suffer from reduced processing speeds...

When you look for your next notebook, you may want to look for one that features "TPM 1.2"

This is a hardware based encryption module that is featured on many business-class notebooks sold over the last 6-12 months. You may not find it at the local retailers, but major notebook manufacturers typically offer it.

The TPM (Trusted Platform Module) let's you encrypt individual files or directorites. You can even create entire hidden encrypted partitions. It doesn't appear to slow down my machine at all.

The chip is on the mother board, so even if someone pulls out the drive and puts it in another machine, without a password, their stuck.

So don't forget your password. Alot of notebooks now even let you manage that with a fingerprint reader.

"Older" machines may feature the 1.1 version, but I believe the 1.2 version is the one that will support the Windows Vista advanced security features.

Cromely.

* Truecrypt.
* Windows Encrypting File System (a dog).
* TPM equipped laptops (Many IBM/Lenovo thinkpads have it).
* PGP WholeDisc encryption.

TPM's don't do disk encryption
 

The TPM itself does not provide the disk encryption, however it provides "secure storage" for the encryption keys that may be used to encrypt the disk contents. Today, laptop manufacturers include their own tools to allow the user to manage the TPM (including 1.1) and make some use of its secure storage capabilities, however as you mention Vista will take direct advantage of it (BitLocker disk encryption).

Long term, a TPM is a useful thing to have in a computing device as it, coupled with specs that are being developed in the Trusted Computing Group, will provide stronger measures of a device's integrity, and allow apps to be built on top that take advantage of that integrity.

anotherbrian succintly summed it up. TPM by itself doesn't buy you anything without a software stack on top of it that weaves the keys for OS' encryption support back into the TPM. Vista will do that through the BitLocker program.

AFAIK, some other laptop vendors have proprietary solutions. I haven't seen any commercial "user" level applications that use TPM yet. Maybe I didn't look hard enough.

Most of the TPM/TSS stuff is still at the level of device drivers that software people get excited about. Nothing an end-user can leverage simply.

Truecrypt doesn't do password recovery. But also keep in mind that if there's some sort of recovery/backdoor, that means that your data probably isn't secure because someone else could use it, too.

I've been giving TrueCrypt a play and it seems easy enough to use.

I downloaded Compusec, but with no one on FT having used it or recommending it I probably will stick with TrueCrypt for now.