This month we looked at seven whole disk encryption products. The products in this category covered a wide range of prices and features, which is typical of this rapidly evolving market. All of the products tested were standalone software packages, separate from the underlying operating system (OS). One was an open source product that has developed a large following in the industry; all the others were commercial. Several of the offerings were bundled with hardware tokens for authentication. The tokens supplied to us were all USB (universal serial bus) devices, although several vendors also offer SCSI and PCMCIA tokens. None of the products was bundled with other desktop security software, such as a personal firewall or anti-virus package.
As a group, these packages performed well and many offered unique features. We evaluated each product both as a single-user install and as an enterprise deployment. Most supported both modes, but a few were single-user only. One of the major differences between single-user and enterprise installations was audit logging: every product with an enterprise mode provided an audit log, while most of the single-user-only packages did not.
All of the products in this category were expected to meet certain criteria for inclusion, among them the ability to encrypt the entire boot hard disk on which the operating system resides. One product, the open source TrueCrypt, did not meet this requirement but was included because it met the remaining criteria. Likewise, all products except TrueCrypt provided pre-boot authentication.
Many products combined pre-boot authentication with single sign-on (SSO), so that the same authentication also logged the user in to the underlying OS. All products except TrueCrypt included a feature to keep the data on a hard drive protected if the drive was removed from the machine. Finally, every product included a safeguard against data loss if the system lost power, for example while the disk was still being encrypted.
How we tested
All products were tested on an Emachines m6811 notebook with an AMD Athlon 64 3400+ CPU and 1.2 GB of RAM. All tests were performed on a 60 GB hard drive that was wiped between products in accordance with the U.S. Department of Defense 5220.22-M Clearing and Sanitization Matrix. After each wipe, a base operating system of Windows XP Media Center Edition was restored from a Symantec Ghost version 8.0 image and patched to current levels as of November 17.
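As an added illustration (not part of the original review), the following Python sketch implements the three-pass overwrite that the 5220.22-M matrix prescribes for magnetic disks: write a character, its complement, then a random character, and read the medium back to verify the final pass. The file-backed "drive", its size and the marker text are constructed here for the demonstration; on a real system `wipe()` would be pointed at a block device such as `/dev/sdb` and run with the privileges that requires.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # bytes per write/read; keep I/O in large blocks


def _device_size(fd: int) -> int:
    """Size in bytes; seeking to the end works for plain files and block devices alike."""
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def _overwrite(fd: int, size: int, byte: int) -> None:
    """One full pass writing a single repeated byte value, then flushed to the medium."""
    os.lseek(fd, 0, os.SEEK_SET)
    written = 0
    while written < size:
        n = min(CHUNK, size - written)
        written += os.write(fd, bytes([byte]) * n)
    os.fsync(fd)


def _verify(fd: int, size: int, byte: int) -> bool:
    """Read the whole medium back and confirm every byte equals the final pattern."""
    os.lseek(fd, 0, os.SEEK_SET)
    checked = 0
    while checked < size:
        chunk = os.read(fd, min(CHUNK, size - checked))
        if not chunk or chunk != bytes([byte]) * len(chunk):
            return False
        checked += len(chunk)
    return True


def wipe(path: str, char: int = 0x55) -> bool:
    """Three-pass overwrite (character, complement, random character) plus verify.
    Returns True only if the verify pass reads the final pattern back everywhere."""
    rand_char = secrets.randbelow(256)
    fd = os.open(path, os.O_RDWR)
    try:
        size = _device_size(fd)
        for pattern in (char, char ^ 0xFF, rand_char):
            _overwrite(fd, size, pattern)
        return _verify(fd, size, rand_char)
    finally:
        os.close(fd)


def demo(size_bytes: int = 1 << 20) -> dict:
    """Constructed stand-in for the test drive: a file seeded with a fake NTFS boot
    sector and recognisable text, wiped in place. Returns what an inspector would see."""
    marker = b"\xEB\x52\x90NTFS    "  # jump + OEM ID, as a real NTFS boot sector starts
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(marker + b"test data left over from the previous product\n" * 512)
        f.truncate(size_bytes)
        path = f.name
    try:
        with open(path, "rb") as f:
            before = marker in f.read()
        ok = wipe(path)
        with open(path, "rb") as f:
            data = f.read()
        return {"marker_before": before, "verify_ok": ok,
                "marker_after": marker in data, "size": len(data)}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind when reusing this between product installs: an overwrite only reaches the sectors the OS can address, so reallocated sectors and any host-protected or device-configuration-overlay area are untouched (a firmware-level ATA Secure Erase covers those), and the multi-pass recipe is a 2005-era requirement that later NIST SP 800-88 guidance replaces with a single pass for modern drives.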
Once the base OS was installed, the only other package installed was Performance Test version 6 from PassMark, used to record a system performance baseline for comparison against performance with each encryption product installed and running.
Each package was evaluated using 10 feature criteria:
- Does the product require user authentication before the OS starts, at login, or both?
- Does the product keep the hard drive protected when the system enters screensaver, suspend or hibernation mode?
- Does the product support a user password with a recovery function?
- Does the product support an administrator password that is separate from the user’s?
- Does the product use a master password?
- Does installation impose a measurable performance penalty?
- Does the product protect other OS file systems that are installed on the same disk?
- Does the product allow for another OS bootloader?
- Does the product create audit logs?
- Can information about the security configuration be uncovered by booting the system from a Knoppix Live CD?
In addition, each product was timed to determine how long the hard drive encryption would take.
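The Knoppix criterion above amounts to an offline attack: take the disk out of the product's hands and see what is readable. As an added example (not code from the original review or from any of the products), the Python below performs that inspection on a raw disk image: it parses the MBR partition table, checks each partition's boot sector for a known FAT/NTFS OEM ID, and measures the byte entropy of the first 64 sectors, since a properly encrypted partition has no recognisable filesystem structures and near-maximal entropy. The two images, their partition layout and the entropy threshold are constructed for the demonstration; the "encrypted" image uses a seeded PRNG in place of real ciphertext so the result is deterministic. On Knoppix the same function would be fed a `dd` image of `/dev/hda`.

```python
import math
import random
import struct

SECTOR = 512
SAMPLE_SECTORS = 64      # how much of each partition to entropy-test
ENTROPY_THRESHOLD = 7.5  # bits/byte: ciphertext sits near 8.0, filesystems far below (assumed)

# OEM IDs found at offset 3 of a FAT/NTFS volume boot record
FS_SIGNATURES = {
    b"NTFS    ": "NTFS",
    b"MSWIN4.1": "FAT32",
    b"MSDOS5.0": "FAT",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for a uniform distribution)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_mbr(mbr: bytes):
    """Return [(type, start_lba, sector_count)] for used entries, or None without 0x55AA."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        return None
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]
        start, count = struct.unpack("<II", entry[8:16])
        if ptype and count:
            parts.append((ptype, start, count))
    return parts


def scan_image(img: bytes) -> dict:
    """Offline check of a raw disk image: is each partition's content really ciphertext?
    The MBR and a pre-boot loader are expected to stay in the clear; partition bodies are not."""
    parts = parse_mbr(img[:SECTOR])
    report = {"mbr_valid": parts is not None, "partitions": []}
    for ptype, start, count in parts or []:
        off = start * SECTOR
        boot = img[off: off + SECTOR]
        fs = FS_SIGNATURES.get(boot[3:11])
        sample = img[off: off + min(count, SAMPLE_SECTORS) * SECTOR]
        ent = shannon_entropy(sample)
        verdict = "plaintext" if fs or ent < ENTROPY_THRESHOLD else "encrypted"
        report["partitions"].append({
            "type": ptype, "start_lba": start, "sectors": count,
            "filesystem": fs, "entropy": round(ent, 2), "verdict": verdict,
        })
    return report


# --- constructed sample images -------------------------------------------------
def _mbr(ptype: int, start: int, count: int) -> bytes:
    """Minimal single-entry MBR (constructed; bootstrap area left zero)."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", mbr, 446, 0x80, b"\0\0\0", ptype, b"\0\0\0", start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def _ntfs_boot() -> bytes:
    vbr = bytearray(SECTOR)
    vbr[0:11] = b"\xEB\x52\x90NTFS    "  # jump + OEM ID, as a real NTFS VBR starts
    vbr[510:512] = b"\x55\xAA"
    return bytes(vbr)


START, COUNT = 63, 128                      # assumed layout: one partition at LBA 63
_gap = bytes(SECTOR * (START - 1))          # sectors 1..62, unused
_plain_fs = _ntfs_boot() + (b"Q3 financials: CONFIDENTIAL\n" * 4000)[: (COUNT - 1) * SECTOR]
UNENCRYPTED_IMAGE = _mbr(0x07, START, COUNT) + _gap + _plain_fs
# What a pre-boot product should leave behind: MBR/loader readable, partition body ciphertext
ENCRYPTED_IMAGE = _mbr(0x07, START, COUNT) + _gap + random.Random(2005).randbytes(COUNT * SECTOR)

if __name__ == "__main__":
    for name, img in (("unencrypted", UNENCRYPTED_IMAGE), ("encrypted", ENCRYPTED_IMAGE)):
        print(name, scan_image(img))
```

The entropy test is the part that catches products which only "hide" a volume behind a driver: a filesystem with its OEM ID blanked still scores well below 7.5 bits per byte, whereas a partition that really has been encrypted in place has no signature and scores close to 8. Anything readable at a partition start, or a low-entropy sample, is exactly the information the Knoppix test is designed to uncover.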
In general, we found that the performance hit due to encryption averaged one percent or less. Ease of use varied widely: some products were easy to implement and others quite difficult. Overall, safety issues (e.g., removing encryption without losing data) have been addressed in most products since we last looked at this product group.