Laptop Security and IronKey?
Posted in security Fri, 30 May 2008 07:20:00 GMT
This article was initially focused on the T61p's fingerprint reader and IronKey; however, I've expanded it to cover other options as well. Since the fingerprint reader has turned out to have little value in the way of security, I've turned my attention to bulk-encryption hard drives and encrypting file systems.
I've been discussing IronKey; however, other hardware crypto tokens such as smart cards and USB tokens may also be solutions.
Fingerprint Reader
After playing with the ThinkPad T61p fingerprint reader, I got to thinking about whether it would be useful to tie an IronKey USB key to the laptop fingerprint reader and/or require the IronKey to be present for the ThinkPad to boot. Furthermore, the laptop's hard drive could be encrypted by a key stored on the IronKey. Some interesting things to think about.
Does anyone know how secure the ThinkPad fingerprint reader actually is? The NotebookReview Forum has a thread on fingerprint readers.
Update: After a bit more reading, it appears that it's impossible to eliminate use of a password for the Administrator user as mentioned in this thread. IBM references include this and this.
Encrypting Hard Drives
Modern hard drives, including the Hitachi Travelstar 7K200 and the Momentus® 5400 FDE.2, include built-in bulk-encryption technology. Here is a thread on the ThinkPad's bulk encryption hard drive. Moving the decryption key to a removable device like the IronKey seems to make a lot of sense. This way, if the laptop or hard drive were lost, it would be useless without the IronKey and the IronKey password. Is something like this in the future for laptop security? I wasn't able to find this feature on their website, but it seems like an interesting option.
Encrypting File Systems
Microsoft has offered its Encrypting File System (EFS) for some time and has redesigned it for Vista. Linux users also have an option with EncFS, which is licensed under the GPL. PGP Whole Disk Encryption is yet another option. Microsoft EFS can use keys stored in smart cards, and presumably the IronKey. I'm still not sure how popular Microsoft EFS is or whether it requires a Microsoft PKI deployment.
With the growing number of laptop security solutions, what is the current best option and what would be the ideal option for the future? I have to admit the idea of using a USB crypto token to decrypt a hard drive seems attractive.
The ThinkPad uses a UPEK biometric reader. For any security at all, you would have to disable password entry into the laptop. All the ThinkPads that I have seen still allow password-only access to the laptop. This can be demonstrated by failing to authenticate to the biometric reader 10 times in a row.
Thus the biometric is a convenience, not a security measure.
I have a ThinkPad T61p as my work laptop at Microsoft – MS IT policy doesn’t allow the fingerprint readers to be used at all to access MS corpnet, as they’re too insecure.
Thanks for the replies. It’s good to know the ThinkPad fingerprint reader is a convenience rather than a security solution.
I’ve added additional sections to the article on encrypting hard disks and file systems. The combination of an encrypting hard disk and either IronKey (or smart card or other crypto token) seems like an attractive solution. Is anyone offering this right now?
I love the idea so bad!
ed