U.S. Gov't to use Full Disk Encryption on All Computers

Discussion in 'News and Article Comments' started by Impotence, Dec 29, 2006.

  1. Impotence

    To address the issue of data leaks of the kind we've seen so often in the last year because of stolen or missing laptops, writes Saqib Ali, the Feds are planning to use Full Disk Encryption (FDE) on all Government-owned computers.

    "On June 23, 2006 a Presidential Mandate was put in place requiring all agency laptops to fully encrypt data on the HDD. The U.S. Government is currently conducting the largest single side-by-side comparison and competition for the selection of a Full Disk Encryption product. The selected product will be deployed on Millions of computers in the U.S. federal government space. This implementation will end up being the largest single implementation ever, and all of the information regarding the competition is in the public domain. The evaluation will come to an end in 90 days. You can view all the vendors competing and list of requirements."

    Source: Slashdot.org

    [OT]
    I would say a hardware go-between would be the best option here...

    By go-between I mean a device that is fitted between the hard drive and motherboard; I've seen them before but I don't recall their name :)

    They work by encrypting all data going to the hard disc (obviously only the DATA, not the commands to the hard drive, are encrypted) and decrypting data as it comes off the hard drive... They store the encryption key on a "key" (a removable flash drive, which plugs directly into the device... this means an encryption key most users would never remember can be used).

    I would also suggest that the device demands the user to type a password before it allows any access to the real hard drive (hard drives can request passwords, so obviously a device between the hard drive and motherboard could do it too). This password would be used to decrypt the encryption key stored on the "key"; this would help prevent individuals who had managed to obtain the hard drive and key from accessing the data (a stolen laptop for example, where the user had stupidly kept the key in the case with the laptop).

    If you really want to get snazzy, make the device pretend to be a second hard drive. This way you can request two passwords, one to decrypt the encryption key and the other to unlock the hard drive (although hard drive passwords are ineffective as they don't actually encrypt the data on its platters, it's still another obstacle).

    A hardware solution beats a software solution hands down, as the software solution would have to run under the OS (FULL disc encryption, otherwise a possible attack would be to modify the OS to start a file server). It might cost more... but I don't think this is really an issue to a government which has a bigger 'defense' budget than the rest of the world put together!

    They also want data on removable discs to be encrypted too, which is best dealt with by software (if you want to use standard hardware).
    [/OT]
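
The password-protected key on a removable token that the post above proposes, sketched as an added example (not part of the original post and not any product's code). It uses only the Python standard library: PBKDF2 stretches the password, and an HMAC-derived one-time pad plus tag stands in for a standard key wrap such as AES Key Wrap; the function names, the 80-byte blob layout and the iteration count are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; slows password guessing against a stolen token
BLOB_LEN = 16 + 32 + 32  # salt || masked disk key || integrity tag

def _derive(password: str, salt: bytes):
    """Stretch the password once, then split it into a masking pad and a MAC key."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    pad = hmac.new(master, b"pad", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return pad, mac_key

def wrap_key(disk_key: bytes, password: str) -> bytes:
    """Build the blob that would be stored on the removable token."""
    if len(disk_key) != 32:
        raise ValueError("disk key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt per wrap, so the pad is never reused
    pad, mac_key = _derive(password, salt)
    masked = bytes(a ^ b for a, b in zip(disk_key, pad))
    tag = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    return salt + masked + tag

def unwrap_key(blob: bytes, password: str) -> Optional[bytes]:
    """Return the disk key, or None if the password is wrong or the blob was altered."""
    if len(blob) != BLOB_LEN:
        return None
    salt, masked, tag = blob[:16], blob[16:48], blob[48:]
    pad, mac_key = _derive(password, salt)
    expected = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return bytes(a ^ b for a, b in zip(masked, pad))

if __name__ == "__main__":
    disk_key = os.urandom(32)  # constructed sample key the go-between would use
    blob = wrap_key(disk_key, "constructed sample passphrase")
    print("token blob:", blob.hex())
    print("right password unlocks:", unwrap_key(blob, "constructed sample passphrase") == disk_key)
    print("wrong password unlocks:", unwrap_key(blob, "guess") is not None)
```

With this layout, someone holding both the drive and the token still has to guess the password, and every guess costs a full PBKDF2 run.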
     
  2. Big B

    Even better: Don't have anything remotely critical on a freaking laptop.
     
  3. Impotence

    More so, why are employees allowed to take critical data home / out with them?

    Sure, the securest way to do it would be to load a copy through a VPN if they need it... and overwrite the page file with random data every so often; it should be possible to do while the machine is running as long as you can keep Windows from using the part of the disc you're blanking (or better, shredding).

    Of course, any temporary files would have to be shredded when the file is closed.
     
