When to use Truecrypt and when not to?

If one of your laptops goes missing, and you either A) have confidential data on the machine, or B) can't confirm that there is NO confidential data on the laptop, then you need some kind of encryption scheme. Of course, you (and your organization) need to decide what criteria you want to use to consider what is confidential and what isn't. I recommend you don't neglect this step; you don't want to go to all this work if it is not necessary, nor do you want to elevate your organization's equivalent of the office's cookie recipe to a level of secrecy that demands AES-256. If you've already been through the process, then you're good to go.

My concern with Truecrypt is that my users will have 2 passwords needed to log in to their machines. Also, I need to choose to either have 1 password for my organization, or carefully document each machine's password (management nightmare).

The choice between using a single password for your fleet of laptops or using unique passwords on a per-machine basis depends on some questions you need to think about:

If you pick a single password, will you change it every time someone who knows it leaves employment? If not, how often will you rotate it? If you pick a unique password, you'll have increased security but increased overhead too (however you won't have to rotate the password for every laptop each time an employee leaves). How will you keep track of the password rotation scheme?

My suggestion here is to pick a permutation scheme that uses a number that physically stays with the laptop, like part of the serial number. Add something else to this that you can remember. The permutation scheme should be relatively hard to guess, but easy enough so that you can sit down at a laptop and not have to refer to documentation. This should reduce some of the management overhead. Obviously, if you need to rotate the password for a laptop, you need to pick a new permutation scheme to "generate" your password with. This could be as simple as incrementing a digit... Regardless: document, document, document.

In my mind, choosing between a managed and a free encryption solution is primarily based on the NUMBER of machines that will be encrypted and supported.

Total agreement here. 30 - 50 machines seems do-able with an un-managed solution, BUT you'll want to carefully think that through before you commit to it. Try a test rig to get an idea of what kind of overhead it will require.

1. From a management standpoint, what is the tipping point of users where a managed solution would pay for itself over Truecrypt?

This depends on whether you have more time or more money. :D Like I said, there are ways to reduce the overhead of an un-managed solution. The overhead may be less than you think.

2. What are some good third party solutions? (I will consider Bitlocker, but the price to upgrade Windows 7 licenses is a turn-off)

In my opinion, only Bitlocker, but only if you already have the licenses. TrueCrypt is an excellent product in my experience. The other thing to mention about Bitlocker is that you still can't get away from the password issue... I believe the official line from Microsoft is that they do NOT recommend storing the password in the TPM alone, as it is vulnerable to a cold boot attack.

From TechNet: "The TPM-only authentication mode is easiest to deploy, manage, and use. It might also be more appropriate for computers that are unattended or must restart while unattended. However, the TPM-only mode offers the least amount of data protection. If parts of your organization have data that is considered highly sensitive on mobile computers, consider deploying BitLocker with multifactor authentication on those computers."

Additionally, the enterprise edition allows you to use AD to store "recovery keys" (presumably copies of the keyfiles required for encryption). This is a nice integrated Windows version of TrueCrypt's Recovery Disk functionality.
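As an added example (not from this answer and not part of TrueCrypt), the serial-number scheme suggested above can be made harder to guess by replacing the mental permutation with a keyed derivation, and it generalizes the idea to any number of laptops: the admin remembers one organization secret, and each laptop's pre-boot password is derived from that secret, the serial on the case and a rotation counter. `ORG_SECRET`, the sample serial and the 16-character length are assumptions.

```python
import base64
import hashlib

# Constructed placeholder: the one secret the admin actually remembers (or keeps in a
# password manager). It is never written down next to a laptop.
ORG_SECRET = b"placeholder-org-secret-change-me"

# Base32 output uses only A-Z and 2-7, which type the same on any keyboard layout a
# pre-boot prompt might assume.
BASE32_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")


def normalize_serial(serial: str) -> str:
    """Canonical form of the serial sticker so ' abc-123 ' and 'ABC-123' agree."""
    return "".join(ch for ch in serial.upper() if ch.isalnum())


def derive_laptop_password(serial: str, rotation: int, org_secret: bytes = ORG_SECRET,
                           length: int = 16) -> str:
    """Per-laptop pre-boot password from (serial, rotation counter, org secret).

    Same inputs always give the same password, so the only things worth documenting
    per machine are the serial (already on the case) and the current rotation number.
    Rotating a laptop's password means incrementing its counter, not inventing a new scheme.
    """
    if rotation < 0:
        raise ValueError("rotation counter must be non-negative")
    if not normalize_serial(serial):
        raise ValueError("serial number must contain letters or digits")
    label = f"{normalize_serial(serial)}:{rotation}".encode()
    # PBKDF2 with the org secret as the password and the per-machine label as the salt.
    # The iteration count is what makes recovering ORG_SECRET from one leaked laptop
    # password expensive, which a hand-made permutation scheme cannot offer.
    raw = hashlib.pbkdf2_hmac("sha256", org_secret, label, 200_000, dklen=32)
    return base64.b32encode(raw).decode().rstrip("=")[:length]


def inventory_record(serial: str, rotation: int) -> dict:
    """What goes into the asset spreadsheet: never the password itself, only its inputs
    plus a short check value to confirm a typed password is the expected one."""
    pw = derive_laptop_password(serial, rotation)
    check = hashlib.sha256(pw.encode()).hexdigest()[:8]
    return {"serial": normalize_serial(serial), "rotation": rotation, "check": check}


if __name__ == "__main__":
    # Constructed sample serial; rotation 1 is what you move to after a staff departure.
    for rotation in (0, 1):
        print(inventory_record("SN-0001-XYZ", rotation),
              derive_laptop_password("SN-0001-XYZ", rotation))
```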
We just went through this and decided on truecrypt because of its track record. We currently have 15 users on it and could grow quite large. There are two options:

Create an image with a complicated password. Create the restore CD from this. Then have the user change it. Do not create another CD.

Or create a complicated password and have the user change it after creating the CD. After changing, do not recreate the CD. This allows you to reset the password with your password that you made sure to remember.

The biggest issue is your time and energy. Good luck!