Results from Open Call: Laptop Encryption without Active Directory
Novell Cool Solutions: Tip
By Avijit Sen
Updated: 13 Sep 2006
Cool Solutions Reader Avijit Sen has a question about data encryption on laptops:
"We are a Novell-centric company that relies heavily on Novell file/print/IDM/ZEN. We are now required to equip all our laptops with some kind of full-disk or user-profile encryption.
The problem is that most of the commercial solutions out there require Active Directory on the administrative side. This is abhorrent to us; we like eDirectory!
I would like to know what other CoolSolutions members are doing with regard to laptop encryption, and what works best, with or without eDirectory, but certainly without Active Directory! Thanks!"
So what do you think? Send in your responses soon and we'll collect the best for publication!
I've done some research on this lately and stumbled across an open source encryption product. The product is called TrueCrypt and is available at http://www.truecrypt.org/. It seems to get good reviews from users and we are going to pilot it soon. This is a full-disk encryption product.
We are using "Safeboot" from www.safeboot.com. It integrates well with our all-Novell infrastructure, has dedicated connectors to several directories including eDirectory, and many other features. In fact, we use the default LDAP connector to link to our eDirectory metadirectory.
We are using Windows EFS to encrypt data on laptops. We set up the encryption as per Microsoft's documentation. We manually enable encryption on a number of directories in the user's profile. We use ZENworks 7 to push out Group Policy, which implements data recovery agents on the laptops, so users other than the laptop user are able to decrypt files in the absence of the laptop user. Of course, with ZEN and Group Policies you get the capabilities of AD but without having to implement AD.
Be sure to use the ZENworks agent in SP1. In addition, you will need the registry entry described in TID to avoid losing access to encrypted files after an eDirectory password change.
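The EFS approach above relies on the right profile directories actually carrying the Encrypted attribute, and on no plaintext files being left behind inside them. The following PowerShell script is an added example, not part of the reader's post or of any Novell or Microsoft tooling: it audits a list of profile directories for unencrypted files, enables EFS on them with the Windows `cipher.exe` utility, and re-audits so any leftovers are listed. The directory list is an assumption; substitute the folders your own policy names. Group Policy and the data recovery agent are not touched here, since the post handles those through ZENworks.

```powershell
# Added example (not from the Cool Solutions post): audit EFS coverage of
# selected user-profile directories, enable EFS, and report what is still
# in the clear. The directory list below is an assumption.
$ProfileDirs = @(
    (Join-Path $env:USERPROFILE 'Documents'),
    (Join-Path $env:USERPROFILE 'Desktop')
)

function Get-EfsCoverage {
    param([Parameter(Mandatory)][string]$Path)
    # Enumerate every file under the directory, hidden and system files
    # included, because those are the ones most often left unencrypted.
    $files = Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
             Where-Object { -not $_.PSIsContainer }
    $plain = $files | Where-Object {
        -not ($_.Attributes -band [IO.FileAttributes]::Encrypted)
    }
    $dirAttr = (Get-Item -LiteralPath $Path -Force).Attributes
    [pscustomobject]@{
        Path            = $Path
        FolderEncrypted = [bool]($dirAttr -band [IO.FileAttributes]::Encrypted)
        Files           = @($files).Count
        PlaintextFiles  = @($plain).Count
        PlaintextList   = @($plain | Select-Object -ExpandProperty FullName)
    }
}

# Pass 1: report the state before any change.
$ProfileDirs | ForEach-Object { Get-EfsCoverage -Path $_ } |
    Format-Table Path, FolderEncrypted, Files, PlaintextFiles -AutoSize

# Enable EFS on each folder and its existing contents. cipher.exe ships with
# Windows: /e encrypts, /s: recurses into the given directory, /a includes files.
foreach ($dir in $ProfileDirs) {
    if (Test-Path -LiteralPath $dir) {
        cipher.exe /e /s:"$dir" /a | Out-Null
    }
}

# Pass 2: anything still counted under PlaintextFiles needs attention,
# typically files that were open or system files EFS refuses to encrypt.
$after = $ProfileDirs | ForEach-Object { Get-EfsCoverage -Path $_ }
$after | Format-Table Path, FolderEncrypted, Files, PlaintextFiles -AutoSize
$after | Where-Object { $_.PlaintextFiles -gt 0 } |
    ForEach-Object { $_.PlaintextList }
```

Run it in the context of the user whose profile is being protected, since EFS keys are per user; files created later inherit encryption only if their parent folder carries the attribute, which is why the script checks the folder as well as the files.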
I've used TrueCrypt for one year now, and I'm happy with it. It's a local solution only. I protect a) whole drives (removable hard disks) to be shipped for off-site backup, b) whole partitions on my notebook, and c) files - all of them eventually become virtual drives. No problems or incompatibilities during upgrades, no data loss after system crashes or accidental drive removal. Installs in a minute. Can be used by unprivileged accounts. My experience is with WinXP Home and Pro. The vendor claims it'll work with Linux, too. Did I mention it's *free*!? http://www.truecrypt.org/
We use a product called Safeboot on all of our laptops and it works flawlessly. We do not use Active Directory, only eDirectory.
I would identify exactly what requires encryption and what doesn't. If possible, I would buy laptops that encrypt the drive, like ThinkPads. I would also look at free tools, like EFS - Encrypting File System. EFS is built right into Windows, and its use should be fairly transparent to the end user after initial configuration. Also, look at what iFolder 3 has to offer.
Finding crypto software for laptops is not so hard; the hard part is finding software that you can both rely on and easily administer. In our environment we rely on the security chip built into Lenovo/IBM laptops. It makes the power-on password and local password easy to use with fingerprint recognition. The encryption of files and/or folders is also made very easy.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com