Windows XP Full Disk Encryption - What are the options?
I've been asked to look at full disk encryption software for our mobile users. We're running Windows XP SP3 PCs on a domain and my understanding is that we will not be upgrading to Vista and have no current plans to upgrade to Windows 7. This would seem to rule out BitLocker. We'd like to look at two different types of solutions:
- An Active Directory-integrated solution that syncs Domain accounts and passwords for single sign-on to a PC. This solution should allow Domain Admins to access any encrypted drive and gets bonus points if decryption/encrypted disk access authority can be delegated to non-Domain Admins on the Help Desk.
- A solution that runs on each PC individually or in some sort of workgroup mode that allows a single master password to decrypt the laptop's drive. Syncing with Domain user accounts and passwords would also be nice, for end-user single sign-on.
The solution must be reliable (e.g. not lose password sync when a user is forced to change her Domain password on the road.) This is a small shop, so ease of administration is important.
The powers that be may rule out TrueCrypt because of its recent security vulnerability, but for the purpose of the question, I'd like to hear how well it meets these requirements. Same thing with BitLocker - it may be ruled out because of a lack of desire to upgrade Windows, but I'm interested in the job it does on Vista/Windows 7.
Why, TrueCrypt!
Encrypts an entire partition or storage device such as USB flash drive or hard drive.
Using TrueCrypt Without Administrator Privileges
In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. The reason for that is that TrueCrypt needs a device driver to provide transparent on-the-fly encryption/decryption, and users without administrator privileges cannot install/start device drivers in Windows.
After a system administrator installs TrueCrypt on the system, users without administrator privileges will be able to run TrueCrypt, mount/dismount any type of TrueCrypt volume, load/save data from/to it, and create file-hosted TrueCrypt volumes on the system. However, users without administrator privileges cannot encrypt/format partitions, cannot create NTFS volumes, cannot install/uninstall TrueCrypt, cannot change passwords/keyfiles for TrueCrypt partitions/devices, cannot backup/restore headers of TrueCrypt partitions/devices, and they cannot run TrueCrypt in portable mode.
System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first track of the boot drive and on the TrueCrypt Rescue Disk.
Domain access is after the pre-boot login.
However, if the user needs to change the password and the employer expects to know that password, it is a matter of the employer trusting the user/employee.
We use Guardian Edge Encryption Plus where I work. It's quite easy to use and has a single sign-on feature like you are looking for. I've set it up and used it on several laptops and am impressed with how non-interfering it is. Aside from the initial encryption, its operation is rarely noticed and (in my experience) never impacted the overall performance of the system.