Laptop/Desktop Encryption with
PGP Whole Disk Encryption
Harvard Townsend
Chief Info Security Officer
Kansas State University
harv@ksu.edu
December 12, 2008
Agenda








Why is encryption important?
Why now at K-State?
Encryption terminology
Why PGP rather than freeware?
Which computers should be encrypted?
Overview of PGP deployment plan
Overview of PGP Whole Disk Encryption
product
Product demo
2
3
Why Now at K-State?

Thefts are happening at K-State


State law requiring notification if Personal
Identity Information (PII) breached




16,000 laptops lost or stolen per week in
U.S. and European airports!
Three notification incidents, several scares
Don’t have to notify in encrypted
New data classification policy mandates it
for confidential data
Encryption products mature, affordable
4
Terminology


Encryption - process of transforming
information (referred to as plaintext)
using an algorithm (called cipher) to
make it unreadable to anyone except
those possessing special knowledge,
usually referred to as a key.
Decryption – transforming the information
back into a readable format
5
Terminology


Encryption key – the secret code used to
encrypt and/or decrypt information; you’re in
big trouble if you lose/forget this… unless
you have a key recovery system
Whole disk encryption (WDE) – all data on
the drive is encrypted, including the
operating system; master boot record often
unencrypted; aka “full disk encryption”; are
hardware WDE solutions
6
Terminology


Volume or file/folder encryption –
information in a specific file, folder, or
volume is encrypted, not the entire disk.
Usually the operating system volume is not
encrypted. Leaves you vulnerable to
temporary files, cache files, forgotten files
AES 256 - Advanced Encryption Standard
w/ 256 bit keys; descriptive of the algorithm
used to encrypt the data; the longer the key,
the harder it is to crack
7
Why PGP Whole Disk
Encryption?

SIRT evaluation process selected PGP






Met requirements
Supports Macs now
Attractive price
Superior management environment
Need a managed product to ensure data
can be recovered
TrueCrypt, which is free, can do whole
disk encryption now but does not support
centralized management of keys
8
What should be encrypted?


Data classification security standards for
confidential data:
“Should not store on an individual’s
workstation or mobile device (e.g., a laptop
computer); if stored on a workstation or
mobile device, must use whole-disk
encryption”
So this isn’t just about laptops – encrypting
desktops important too


Vulnerable to compromise
Can be stolen too
9
What should be encrypted?




Recommended for internal data too, like
student grades
Confidential or internal data not always
obvious – old files, temp files, browser
cache, deleted file remnants
Considered best practice to encrypt all
laptops
Those who travel a lot, especially out of the
country, should use WDE (remember –
16,000 laptops per week lost or stolen in
U.S. and European airports!)
10
PGP WDE deployment plan

Purchase in process







$32 instead of $38; invoice in January
Will accept more commitments until 5pm Dec.
19
After that, normal higher ed price
Developing web site with instructions, info
SIRT will develop a default recommended
configuration
Distributed deployment, like Trend Micro
Licenses distributed by Josh McCune
11
PGP WDE deployment plan

Central managed environment (“PGP
Universal Server”) available





Managed by Josh McCune
Free installation of laptop client by Tech
Service Center in East Stadium (only for
those using central service)
iTAC Help Desk for key/data recovery
Will announce it when available
Departments, colleges can set up their
own management environment
12
PGP WDE deployment plan

Purchase includes two years basic
support



All product updates, patches
Mac version that supports Boot Camp on
their product roadmap for summer 09
Two phone contacts for University



Josh McCune
iTAC Help Desk manager
8-5 M-F phone support
13
PGP WDE Overview


Whole Disk Encryption for Windows and Macs
File/Folder encryption (works with USB flash
drives)





Must have PGP license wherever USB drive used
File Shredder tool
PGP Zip archive tool
PGP Self-Decrypting archive tool
PGP Universal Server included


Runs on Linux
Works well in a virtual server environment
14
PGP for Macs

Minimum requirements:





Intel-based: Mac OS X 10.4.10 and later,
system volumes only
PowerPC-based: Mac OS X 10.4.X and Mac
OS X 10.5.X, non-system volumes only
In other words, no whole disk encryption
for Power PC-based Macs; will do
file/folder-based
Does not support Boot Camp now;
expected summer 2009
Does support running Windows in a virtual
machine with VMware Fusion or Parallels
15
PGP WDE Demo



Windows client
Mac client
Management environment
16
What’s on your mind?
17
Requirements

Full-disk encryption









Pre-boot/Pre-OS encryption
File/folder encryption optional
Strong encryption (AES 256)
Windows, Mac OS X support
Support centralized management
(configuration, keys, data recovery)
Easy installation/uninstallation
Ease of use
Minimal performance impact
USB device support desirable
18