Disk Encryption and PGP
Chris | Live Tech Support | Video Help | Add to iTunes
http://live.pirillo.com/ – PGP’s “Whole Disc Encryption” sounds like a good idea. Everything is protected! But, what about the drawbacks of that? What about the fact that it’s considered a ‘feature’… one that can be disabled anytime a user chooses?
Four of my friends joined me for this discussion: Kat, SC_Thor, Wirelesspacket, and last but certainly not least… Datalore.
PGP Corporation’s widely adopted Whole Disk Encryption product has an encryption bypass “feature” that allows an encrypted drive to be accessed without the boot-up passphrase challenge dialog, leaving data in a vulnerable state if the drive is stolen when the bypass feature is enabled. The feature is also not in the documentation that ships with the PGP product, nor the publicly available documentation on their website, but only mentioned briefly in the customer knowledge base.
According to PGP themselves, “PGP Whole Disk Encryption locks down the entire contents of a laptop, desktop, external drive, or USB flash drive, including boot sectors, system, and swap files. The encryption is transparent to the user, automatically protecting data.”
What good is this though, if someone decides it’s too much work? Let’s say Company A’s employee doesn’t want the hassle of going through all that to get to his files and programs. So, he disables it. Uh oh… the laptop was stolen. Now, all of Company A’s documents are accessible to anyone who can turn the laptop on. Kinda defeats the purpose, doesn’t it?
I don’t know about you, but I don’t see this as much of a “feature”. I see it as a big loophole, in an otherwise excellent product.
Want to embed this Disc Encryption and PGP video in your blog? Use this code:
Formats Available: MPEG4 Video (.mp4) Flash Video (.flv) MP3 Audio (.mp3)
6 Comments
Left Of Center
October 7th, 2007
at 11:37pm
Chris Pirillo »Disk Encryption and PGPPosted 61 minutes ago
Your Support Website
October 8th, 2007
at 4:23pm
Show Notes
Mark Swyers
October 7th, 2007
at 9:05pm
I don’t think this is a black eye at all for PGP. My guess is that this “feature” can only be turned on by a user when PGP whole disk encryption is installed in stand-alone mode. When deployed in administered mode…meaning that the enterprise has also purchased & installed PGP’s Universal Server product. The Universal Server product integrated with Active Directory and uses GPOs to control the build, features, etc of the PGP client side software. Have you checked on or validated this?
bayoujim
October 8th, 2007
at 6:40am
Once, a long time ago, in a land far far away there was a people who had privacy, where privacy was not an illusion.
John Dasher
October 8th, 2007
at 7:25am
Re: “Disk Encryption and PGP” Post
For the facts regarding the PGP(R) Whole Disk Encryption (WDE) Authenticated Bypass feature please visit
http://www.pgp.com/wde_bypass_feature.html
Quick Summary – No “backdoors”. Passphrase required. Fully documented. Documentation available.
Regards,
John Dasher
Director, Product Management
PGP Corporation
solaraddict
October 13th, 2007
at 9:02am
Or use TrueCrypt. It’s free, open source, and lacks any such backdoor.
I’m not affiliated with TC, just a happy user.