Personally, I can't think of a compelling reason not to use Full Disk Encryption. It takes the decision away from the user. Even for the tech-savvy user, why waste your time and energy putting together policies for what to encrypt, and which temp files, and don't forget to flush the cache? It is far simpler to just encrypt the entire drive and be done with it. In an enterprise environment, the choice becomes even more obvious. To me, the only question is whether to use software-based FDE, or hardware-based.
Regards,
Michael
________________________
Michael Jardine
SECUDE IT Security - Seattle

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Garrett M. Groff
Sent: Thursday, June 21, 2007 3:18 PM
To: [email protected]
Subject: [FDE] compelling reason to do FDE in lieu of EFS?

For the average standalone machine that is in need of adequate security (but not military grade security), is there a compelling reason to use anything beyond EFS (encrypting file system)?

Before you answer, first, let's assume that the EFS user in question understands that he needs to encrypt his %temp% folder (or, better yet, all folders under %userprofile%), in addition to the specific folders to protect that may reside elsewhere in the file system. Let's also assume that he knows to encrypt his page file(s) (and hibernation file, if applicable) as well.

Isn't that pretty strong security, assuming Joe Shmoe's password is non-trivial (reasonably long w/ sufficient entropy)? Again, I realize that most users don't know to encrypt %temp% or their page file, but again, for a more savvy user, wouldn't EFS provide a pretty high level of security for data at rest?

- Garrett G.
_______________________________________________ FDE mailing list [email protected] http://www.xml-dev.com/mailman/listinfo/fde
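The checklist Garrett lays out (encrypt %temp% and everything under %userprofile%, encrypt the paging file, deal with the hibernation file) is the kind of per-machine policy Michael argues FDE makes unnecessary. The script below is an added example, not something posted to the list, that audits exactly that checklist on a Windows box and, with -Apply, enforces it using only the built-in tools (cipher.exe, fsutil.exe, powercfg.exe). The function names and the -Apply switch are this example's own. Two points the thread only hints at are made explicit in the code: files that already existed before a folder was marked encrypted stay in plaintext until cipher /e /s is run over them, and hiberfil.sys cannot be EFS-encrypted at all, so the only EFS-era fix is to turn hibernation off. fsutil and powercfg need an elevated prompt.

```powershell
# Added example (not from the FDE list thread): audit, and optionally enforce,
# EFS coverage of %TEMP%, %USERPROFILE%, the paging file and hibernation.
# Run from an elevated PowerShell on Windows. Function names and the -Apply
# switch are this example's own conventions, not part of any Windows tool.

function Test-EfsEncrypted {
    param([Parameter(Mandatory)][string]$Path)
    # EFS sets the Encrypted attribute on protected files and directories.
    # New files created inside an encrypted directory inherit it.
    $item = Get-Item -LiteralPath $Path -Force
    return [bool]($item.Attributes -band [IO.FileAttributes]::Encrypted)
}

function Get-PlaintextFiles {
    param([Parameter(Mandatory)][string]$Root)
    # Marking a directory encrypted does NOT convert files already in it;
    # list them so nothing is left in the clear.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { -not ($_.Attributes -band [IO.FileAttributes]::Encrypted) }
}

function Invoke-EfsChecklist {
    param([switch]$Apply)

    # %TEMP% normally lives under %USERPROFILE%, but check it on its own in case
    # the user redirected it elsewhere (a common way to leak plaintext temp files).
    $roots = @($env:USERPROFILE, $env:TEMP) | Select-Object -Unique
    foreach ($root in $roots) {
        if (-not (Test-EfsEncrypted $root)) {
            Write-Host "NOT encrypted: $root"
            if ($Apply) {
                # /e = encrypt, /s:dir = recurse; cipher also converts existing files.
                cipher.exe /e "/s:$root" | Out-Null
            }
            continue
        }
        $leftover = @(Get-PlaintextFiles $root)
        Write-Host ("encrypted: {0} ({1} plaintext file(s) remain)" -f $root, $leftover.Count)
        if ($Apply -and $leftover.Count -gt 0) {
            # Re-running cipher over the tree picks up files that predate the flag.
            cipher.exe /e "/s:$root" | Out-Null
        }
    }

    # Paging file: fsutil exposes the EFS setting for pagefile.sys (Vista and
    # later). The value is read at boot, so a change needs a reboot.
    $pfState = (fsutil.exe behavior query EncryptPagingFile) -join ' '
    if ($pfState -match '=\s*1') {
        Write-Host 'paging file: encrypted'
    } else {
        Write-Host 'paging file: NOT encrypted'
        if ($Apply) { fsutil.exe behavior set EncryptPagingFile 1 | Out-Null }
    }

    # Hibernation file: hiberfil.sys is written by the kernel before the file
    # system is available and cannot be EFS-encrypted. With EFS alone, the only
    # mitigation is to disable hibernation so RAM never lands on disk.
    $hiberfil = Join-Path $env:SystemDrive 'hiberfil.sys'
    if ([IO.File]::Exists($hiberfil)) {
        Write-Host 'hibernation: ENABLED (hiberfil.sys holds unencrypted RAM contents)'
        if ($Apply) { powercfg.exe /hibernate off }
    } else {
        Write-Host 'hibernation: disabled'
    }
}

# Audit only:
Invoke-EfsChecklist
# Enforce (elevated prompt required for fsutil/powercfg):
# Invoke-EfsChecklist -Apply
```

Even with every item green, the EFS private key is itself protected by DPAPI under the user's logon password, which is why Garrett's caveat about password entropy matters; FDE removes that dependency on the user getting each of these steps right.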
