Solution 1:

TrueCrypt: http://www.truecrypt.org/

It will encrypt mobile and internal drives completely; you can even encrypt the whole system partition on the fly and then set a boot loader password, which gives you more security on laptops.

And it's open source and free.

http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/

BitLocker is good too, but due to budget I would suggest using TrueCrypt.

Solution 2:

With Evil Maid (EM) attack tools now available for TrueCrypt, I'd go for BitLocker if I had the budget, because EM-like attacks are considerably more complicated against it, and it integrates better with AD etc., as Oskar Duveborn stated.

I suggest you read the articles of Joanna Rutkowska on both products:

http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html

http://theinvisiblethings.blogspot.com/2009/01/why-do-i-miss-microsoft-bitlocker.html

But if you're sure that your coworkers will always take good care of their laptops, with a safety case and all, you can go for TrueCrypt.

Side notes

  • Remember that full-disk encryption won't protect your data from inside [the OS], e.g. if your computer gets corrupted by a virus while running.

  • Remember that technical solutions are just a part of the security chain (see http://xkcd.com/538/ for details).

Edit (01-20-2010)

Additional details about BitLocker and EM attacks:

  • Note that BitLocker will be more resilient than TrueCrypt only if used on a TPM-enabled computer.

  • There are ways of defeating BitLocker+TPM (article, paper), but no public tools are available AFAIK. So while BitLocker is more resilient to opportunistic EM attacks (it takes more to re-develop a spoofed user interaction screen for BitLocker than to just copy the EM tool for TrueCrypt onto a USB key), it's not 100% bulletproof (no solution is).
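The answer above makes BitLocker's advantage conditional on the TPM actually being used. The following script is an added example, not part of any answer in this thread, that reports for each BitLocker volume whether its key protectors are TPM-bound; it assumes Windows 8 / Server 2012 or later (where the `BitLocker` and `TrustedPlatformModule` modules ship) and an elevated session.

```powershell
# Added example: verify that BitLocker protection on this machine is actually
# anchored to the TPM, the condition given above for its Evil Maid resilience.
# Assumes the BitLocker and TrustedPlatformModule PowerShell modules are present.

$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    Write-Warning "No ready TPM found: BitLocker here can only use password or USB key protectors."
}

foreach ($vol in Get-BitLockerVolume) {
    $types = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }

    # Any protector type beginning with 'Tpm' (Tpm, TpmPin, TpmStartupKey,
    # TpmPinStartupKey) means the volume key is sealed to platform measurements.
    $tpmBound = [bool]($types | Where-Object { $_ -like 'Tpm*' })

    [pscustomobject]@{
        Volume     = $vol.MountPoint
        Protection = $vol.ProtectionStatus   # On / Off
        State      = $vol.VolumeStatus       # FullyEncrypted, EncryptionInProgress, ...
        TpmBound   = $tpmBound
        Protectors = ($types -join ', ')
    }
}
```

A volume that shows `Protection = On` but `TpmBound = False` is relying on a password or external key alone and does not get the TPM-based resilience discussed above.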

Solution 3:

While TrueCrypt is appropriate for a small office / home office scenario, there are many reasons to go for a paid solution in a larger business:

  1. Management console
  2. Integration with Active Directory, so that end users only have to log on once.
  3. Remote password resets. Will an end-user need to call you for a password reset?
  4. Remote kill switch. Some offer this as well.

I'm currently reviewing a couple of 3rd-party solutions, McAfee Total Protection for Data (formerly known as SafeBoot) and Symantec Endpoint Encryption.

One reason I did not look into BitLocker is that I have several machines already on Vista Business and I did not want to upgrade / re-provision them.

I also looked into the PGP solution but it requires a dedicated server or certified virtual server solution to manage the software and this was too much complexity for my scenario.

Solution 4:

Word of advice: I've just found out that the TrueCrypt license contains a legal "trap" that allows them to sue any user of the software, even if the user is following 100% of the license terms.

http://lists.freedesktop.org/archives/distributions/2008-October/000276.html

They were informed about it a long time ago by Fedora and did not fix it in the current version, so it seems to me it is in fact a deliberate trap.

Solution 5:

No issues with TrueCrypt whatsoever, as long as you follow the steps on their website for the different levels of encryption.

As for BitLocker, as Oskar has already mentioned, it will be easier to manage; but if due to cost you can't go up to BitLocker, you can always use TrueCrypt, which is very good.