The $90,000 Laptop

  • Comments posted to this topic are about the item The $90,000 Laptop

  • We go travelling and take out travel insurance, we insure our houses, our lives etc. but regularly fail to take even the most elementary measures when it comes to the data we have been trusted with. Guess some substantial change of mindset is required.

    😎

  • A health care provider I know of had a laptop stolen out of the car of a home care nurse. With HIPAA and everything else, it could have cost them 7 figures - for a single laptop. There's no excuse for not having drives encrypted.

    Then again, I have a desktop at work and even it has full-disk encryption on it. It's a pain sometimes, but it's worth it to mitigate the risk from a smash and grab break-in.

  • Ed Wagner (12/13/2015)


    ...Then again, I have a desktop at work and even it has full-disk encryption on it. It's a pain sometimes, but it's worth it to mitigate the risk from a smash and grab break-in.

    I was at a place where we turned up one Monday morning to find out that a whole department had been "rolled over". On each desk there was a monitor, mouse and keyboard i.e. no box!!!

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Can BitLocker be installed after the Windows OS has already been installed?

    The website says that the OS has to be installed first, which is a problem for Home Users who usually buy PCs with the OS pre-installed.

  • We try to limit any data actually on the laptops (down to zero if possible). But we haven't taken that next step, yet.

  • mastersql (12/14/2015)


    Can BitLocker be installed after the Windows OS has already been installed?

    The website says that the OS has to be installed first, which is a problem for Home Users who usually buy PCs with the OS pre-installed.

    BitLocker is only available with the Ultimate, Enterprise, and Professional editions of Windows.

    What I use on my personal laptop is a free open-source solution called DiskCryptor, which works with any edition of Windows starting with XP. You can (and must) install it after installing Windows. After installing and setting up an encryption phrase and password, it takes a few hours to encrypt existing data on your HD. After that, it simply prompts for the password each time you reboot. Beyond that it's totally transparent and works without a hitch.

    https://diskcryptor.net

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • The editorial mentions revoking and reissuing keys for TDE.

    To my knowledge that isn't possible. It's not like message exchange, when you encrypt the whole disk you're talking about gigabytes of information, which would have to be first decrypted and then re-encrypted--and that takes *hours*--at least. Heaven help you if the process gets interrupted...

    Key management is the dirty little secret in TDE. Lose the keys and you lose the drive--and thus the data.

    For SQL Server specifically the answer is NOT encrypted hard drives, it's leaving the database (especially development data) on the servers and using encrypted communication channels.

    That way if you lose the laptop (and why the heck are you using a laptop for development anyway????) it's just a loss of fixed assets, not the secret sauce.

  • Hi Eric

    That's brill but does it support Windows 10? I'm on Win 7 but will upgrade within the next few months :-

    https://diskcryptor.net/wiki/Main_Page

    Cheers

  • mastersql (12/14/2015)


    Hi Eric

    That's brill but does it support Windows 10? I'm on Win 7 but will upgrade within the next few months :-

    https://diskcryptor.net/wiki/Main_Page

    Cheers

    I've seen references to folks having issues upgrading from Windows 7 / 8 to Windows 10 with DiskCryptor in place. Upgrading the OS on an encrypted disk is sketchy, so some have suggested uninstalling DiskCryptor, upgrading to Windows 10, and then re-installing DiskCryptor. I would suggest doing something similar with any full disk encryption solution.

    http://answers.microsoft.com/en-us/windows/forum/windows_10-windows_install/does-having-diskcryptor-software-cause-error-in/052af99e-6117-4b60-8d6a-f7db8126b50b?auth=1

    http://serverquestions.com/questions/jdfi/can-i-upgrade-a-diskcryptor-encrypted-windows-8-1-machine-to-windows-10

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • roger.plowman (12/14/2015)


    The editorial mentions revoking and reissuing keys for TDE.

    To my knowledge that isn't possible. It's not like message exchange, when you encrypt the whole disk you're talking about gigabytes of information, which would have to be first decrypted and then re-encrypted--and that takes *hours*--at least. Heaven help you if the process gets interrupted...

    Key management is the dirty little secret in TDE. Lose the keys and you lose the drive--and thus the data.

    For SQL Server specifically the answer is NOT encrypted hard drives, it's leaving the database (especially development data) on the servers and using encrypted communication channels.

    That way if you lose the laptop (and why the heck are you using a laptop for development anyway????) it's just a loss of fixed assets, not the secret sauce.

    I assume by TDE, you mean total disk encryption. I've seen that referred to as whole disk encryption or full disk encryption. In SQL Server, TDE is encryption with Transparent Data Encryption.

    You can redo key encryption in BitLocker, and some of the others. It does require decryption, but it can be done in the background. Potentially an issue, but certainly worth doing if you suspect your keys might be compromised.

    More the issue with redoing encryption is places where possible key or data compromise might allow someone time to crack your key. This is less likely with disk encryption.

    For SQL Server servers, TDE isn't a bad idea, nor is full disk encryption, if there's a possibility of physical disk loss. That's not too likely with SQL Servers. More you would lose an MDF/LDF/NDF, so TDE makes sense. Certainly backups need to be protected, and definitely network layers where data is in transit.

  • Not only does full disk encryption protect your data in the event of theft, it also renders the device practically unusable or at least the thief now has to invest more time and money in re-installing the operating system. If we can make the secondary market for stolen devices (and encrypted data) unprofitable, then we can hopefully deter the incentive for device theft in the first place.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • mastersql (12/14/2015)


    Can BitLocker be installed after the Windows OS has already been installed?

    The website says that the OS has to be installed first, which is a problem for Home Users who usually buy PCs with the OS pre-installed.

    The first thing that has to be done is setting up the system (boot) partition and the OS partition as two separate partitions, and that is the problem when the OS is already installed in the boot partition. If the OS was installed in a separate partition from the boot partition, BitLocker can be installed straight away - if not, the disk needs to be partitioned properly before BitLocker can be installed, and in the bad old days this required re-installation of the OS. However, way back in Vista days MS developed a tool to do the necessary split when the OS was already installed, so that this isn't (or at least shouldn't be) a big problem any more (of course the user still ought to back up non-OS data before doing this, and probably still needs to know the activation code for his OS).

    The real big problem for home users is that BitLocker doesn't run on Home or Home and Student versions of any OS, only on Professional and higher versions; most home users buying a laptop (or a desktop) buy it with an OS edition that doesn't support BitLocker. But most people who are using a computer for work at home will have a Professional or higher edition OS for one reason or another.

    Tom
