One of the key criteria we used when evaluating encryption products for the road warrior was: “Would I put this on my production laptop?” The issues surrounding the use of full disk encryption are important and not always obvious. When thinking about encryption, obviously one of the first questions relates to the strength of the encryption itself. However, when evaluating these five products, we found that there actually might be other functionality that is more important.
For example, can you remove the encryption easily if necessary without damage to your data? If you plan to use this product in an enterprise environment, how easy and fast is the installation process? After all, road warriors will often make their laptops available for only limited amounts of time.
And what about recoverability if the product is used in an enterprise environment and the laptop user leaves the organization?
These and other questions need to be asked and, in virtually all cases, we found that at least one answer was not what we expected.
We found that none of the products we tested was what we would have wanted on our own PCs. In one case, the product is a replacement hard disk. This looked good to us on the surface, but we found that documentation and support were lacking.
In fact, documentation and support deficiencies were the number one overall failing of the products we tested. In another case, we found that uninstall went so badly that we had to rebuild the operating system and count our data lost if it had not been backed up.
One product was intended specifically for enterprise use and had all the features required for implementation in an organization. But it requires the addition of Microsoft SQLServer. In addition to being one of the more expensive products we evaluated, this product included the hidden costs of additional hardware and software.
Our testing for these products included installation and deinstallation, functionality tests, encryption strength evaluation, disk alteration (that is, had the disk been altered after the product was deinstalled), how well the actual install/deinstall process adhered to the documentation’s instructions, and encryption/de-encryption times.
Our test laptop was prepared for each tested product by making a fresh installation of Windows 2000 with the service packs required by the product being tested. Products not requiring upgrading with service packs were considered deficient. Due to the numerous bugs and security flaws corrected by Windows 2000 service packs, we expected that any security product would require the most current service packs. That, surprisingly, was not the case for all the products.
Generally, we found that, with the exception of the product that was supplied with a pre-encrypted drive to be substituted for the laptop’s existing hard drive, encryption and decryption times were quite long. Our 10GB test disk took anywhere from a bit under an hour to well over three hours, depending on the product. While this might be expected, in an enterprise environment, it means that a lot of time is going to be spent just waiting for hard drives to encrypt.
When we received the products for testing, we planned to pick the winner and install it on a production laptop as a further test in a production environment. To date, we have not done that and we do not intend to. We found sufficient weaknesses in all the products that we evaluated to dissuade us from risking the time, effort and data to use any of them in our production environment.
Our strong recommendation is that, once you select a mobile encryption product, test it thoroughly on at least one laptop typical of your organization’s application. Perform installs and deinstalls. Verify that backups are complete and restorable. Test to ensure that the system can be recovered if the user leaves the company. And, most importantly, ensure that you have the time and resources to manage fully encrypted laptops in the field.
Pricing is fairly consistent, from $140 to $200 per user, with one notable exception.
Should you consider full disk encryption for travelling PCs? Absolutely. PCs get stolen with increasing frequency and, as we all know, it’s not the PC that we care about, it’s the data on it. Full disk encryption – which means that the boot sector is altered, not just that the disk is encrypted – is a very good idea. However, be prepared to manage the process and protect the data that, under some circumstances, may not be recoverable.