On 3/5/07, Michael Jardine <[EMAIL PROTECTED]> wrote:
> Most enterprise encryption software has key recovery that can be managed
> through your admin.
I suppose this gets (back) to the heart of the matter: key management. I'd love to see a survey that looks at the experiences of users, administrators, and executives dealing with FDE deployments on small and large scales. Perhaps the US gov competition will provide a detailed and useful report. In particular, the process and architecture of key management for FDE implementations is what I am most anxious to see studied in detail. Feedback from those on the list using FDE products would be excellent.

The scale of key management plays a big role in the process/architecture:

- single authority, single system (simplest case; PGP WDE for example)
- single authority, multiple systems (geek with lots of hosts)
- two-tier authority, multiple systems (admin, local users)
- two-tier authority, dispersed systems (admin, remote users)
- n-tier authority, dispersed systems (myriad variations)

How many FDE deployments are keeping things simple and using a single authority or two-tier with a single admin?

How many FDE deployments use complex n-tier authority hierarchies with quorum-based (M of N) key escrow/recovery? [executives or directors holding enterprise escrow keys, for example]

How many FDE deployments have to provision users/admins in large quantity or across geographic distances?

How important is offline key recovery for users? (And how frequently is it used?)

How complicated is re-keying at higher levels of the hierarchy? (Is a full re-key of disk keys supported?)

Are multiple authentication mechanisms available for different levels of the key management hierarchy, and how do they affect the above?

How flexible are the FDE storage systems with regard to backups, cloning, clustering, and auditing?

What other aspects of FDE key management are high on your list of concerns or requirements?

best regards,

_______________________________________________
FDE mailing list
[email protected]
http://www.xml-dev.com/mailman/listinfo/fde
