Tuesday, June 16, 2009

Encryption: Full Disk Encryption – How does it affect users?

Last time we talked about full disk encryption with pre-boot authentication as the most secure way to encrypt a hard drive. Now we start getting into some more depth around full disk encryption.

First on the list: Understanding how it affects the users both during and after deployment. We generally hear some typical concerns from customers so we’ll do a little Q&A on some typical questions.


Q: How long will it take to encrypt a drive?

A: Deployments to computers in an environment can take a long time. Putting the encryption software on computers is generally the easy part, and this can happen quickly. Waiting for the disk to encrypt, on the other hand, can take a long time. The speed of encryption will depend on several things, such as the size of the hard drive, the speed of the hard drive, what options have been set for encryption, and the software that is used to encrypt the drive.

You should also realize that the entire disk is encrypted (not just the data), so when figuring out how long it will take, use the entire size of the disk in your calculation. With all of those variables in mind, encryption of a hard drive is estimated at around 10-20 GB per hour. Some may go faster…some may go slower.


Q: Can I shut down my computer during the initial encryption?

A: The encryption of the drive may take several hours, but the user can use the drive during the initial encryption. So if a user is using the computer, what would happen if they shut it down while it is encrypting, or if the computer were to lose power? This depends on the solution you are using to encrypt the drives and sometimes on the options set for the encryption process.

Many solutions will automatically encrypt the drive in a way that lets the computer be shut down without harming the encryption process, and others generally provide options for the encryption process that allow the computer to be shut down during encryption. These options will often slow the encryption process because they perform the encryption in a different way, one that prevents hard drive issues.

If the solution does not write the encrypted data in a way that allows shutdown, or if the proper options are not set, you could harm the data on the hard drive by shutting the computer down or by losing power. Make sure you understand what the solution will do!


Q: Will computers be slower after they are encrypted?

A: The honest answer is yes…but in reality you should not notice any slowness. Most vendors will tell you their solution will take a 2-3% hit on your CPU but real world experience shows that it is more than that.

I still have not had any complaints from users or customers that their computer is slow due to encryption. You shouldn’t notice any difference once the initial encryption is complete.


Q: What will users experience during and after deployment?

A: With most solutions the deployment process can be fairly invisible to users if the deployment is properly planned and tested. Installations can be pushed out through common distribution methods…making sure the vendor can provide MSI files may make it easier depending on the tools you use.

The initial encryption can take place in the background while the user works, although the user will notice slowness in the computer while the initial encryption is performed. During deployment the user may have to go through some enrollment process, but this is usually minimal and is sometimes silent.

After the deployment is complete the user will notice a new screen when they turn on the computer. They will have to authenticate at the pre-boot authentication screen before being allowed to boot the computer (as we talked about before this is a critical security feature). Depending on the authentication mode they will either be prompted with their normal logon or single sign-on will automatically log them on to the operating system.

Other than this the computer will act as it always has and the user will be able to use the computer as normal.

Q: Can multiple users use one computer?

A: This seems like a simple question, but this is one of the areas that becomes the most problematic. Understanding the issue requires a little explanation... which we’ll get to in our next session.

Sorry…I kind of feel like Ryan Seacrest doing that to you but this topic needs some explanation and deserves some real focus. Keep following along in this encryption series.

We’re just starting to get into the good stuff with lots more to come.

Bryan Spinner
Security Consultant
D&D Consulting Ltd.



Previous posts in the Encryption series:

Full Disk Encryption Vs. File Level Encryption

Central management is key
6 steps to a successful strategy
Compliance & Reporting

Where's all the magic security dust gone?

Series Intro


D&D Consulting Ltd | 3 Columbia Circle | Albany NY 12203 | T: (518) 218 0900 | F: (518) 218-1829 | info@dandd.com | www.DandD.com


