
In my environment here we have started using TrueCrypt to encrypt and protect our laptops that are being brought out of the office. The issue comes with the password: we can document the passwords and assign them to users, but if they simply use the program to change the password and then forget it, we are in trouble.

We back up our data to external locations, so it should be fine, but is there any way to install a bypass to be able to boot the laptop, or to stop users changing their password (while they have local admin access)?

Or should we try another solution?

Thanks.

Zoredache
  • I guess you didn't read the documentation or pay attention to the installation *wizard* before you deployed it company wide? – Warner Apr 01 '10 at 03:40

4 Answers


TrueCrypt has a recovery disk option, which it all but forces you to complete before encrypting the disk. That CD can be used to recover the partition even if the password has subsequently been changed.

Outside of this if you're after a more robust and enterprise-ready solution, PointSec offer full-disk encryption with administrative recovery abilities.

Chris Thorpe
  • How exactly? I have tried this method but there was no way to recover without knowing the password that I saw? –  Apr 01 '10 at 02:13
  • 1
    So with the recovery CD you should be able to restore the original disk track information. Once that information is restored, the original volume password should work as expected and allow the drive to be decrypted. When the password is changed, the disk data stays the same, only the header is updated. So by swapping the header back, the original password should function as it originally did. They may have changed this behavior now, but this is how I remember it operating 6 months ago. – Chris Thorpe Apr 01 '10 at 02:48
  • Confirmed by the FAQ: http://www.truecrypt.org/faq see 'We use TrueCrypt in a corporate/enterprise environment' question. – Chris Thorpe Apr 01 '10 at 02:50
  • This is very nice. Thank you :D –  Apr 01 '10 at 04:39

TrueCrypt has no backdoor or master key, so if you lose the password to an encrypted volume, you will have a problem. If this is an important situation for you, the recovery CD will be an important step to take.

Grant Palin

Full-disk or volume encryption products targeted at medium to large businesses have built-in recovery options. At a basic level the encryption key is stored in a central directory and updated when changed (when the machine comes back on the network, anyway). BitLocker can do this with Active Directory. More advanced solutions such as Pointsec and Sophos use several layers of encryption keys, and typically:

  • the disk/volume is encrypted with a machine key
  • the machine key is encrypted with a user key
  • both keys are managed in a central database

This provides a lot of advantages, for example multiple users can access an encrypted disk with their own key (password, passphrase, token, etc).

You typically pay a lot for these, compared to TrueCrypt, so you would need to understand if all the benefits outweigh the cost.

So in your case, regular reliable (and tested) backups of the laptop data are a good step to protect against someone suffering a memory fault and being denied access to their encrypted data.

William

It looks like both BitLocker and TrueCrypt can be bypassed if they're mounted on a computer: http://www.net-security.org/secworld.php?id=9077

Ecio