Encrypting the entire system partition of a given Windows machine makes it that much more difficult for an attacker to steal data or for a lost computer to leak company secrets.
There's more than one way to add full-system encryption to a Windows desktop or laptop. The most obvious way to do this is by using the operating system's built-in BitLocker feature, which supports encrypting standalone volumes as well as the system volume. Many third-party packages now make it possible for administrators to add full-disk encryption to Windows without relying on BitLocker. They can be handy in a number of scenarios:
- You have editions of Windows that don't support BitLocker, such as Windows 7 Home Premium. This is less likely if you're in a large organization, but if you're in a mom-and-pop operation, it's entirely possible.
- You want features that BitLocker doesn't support at this time, such as administration for machines that aren't part of a domain.
- You want to support both Windows and non-Windows machines in a consistent fashion, and you don't want to use BitLocker on the former and something else on the latter.
TrueCrypt vs. BitLocker
The issue of supporting both Windows and non-Windows machines leads to the BitLocker alternative of TrueCrypt. Thisopen-source encryption system runs on Windows, Mac OS X and Linux and is a good substitute when BitLocker isn't available for Windows protection.
Like BitLocker, TrueCrypt has preboot protection (you must supply a password at startup) and support for recovery disks. In fact, it requires the creation of a recovery disk before starting the encryption process. TrueCrypt also has transparent encryption, so the encryption process can take place while the user continues to work with the system. Its largest and most compelling feature is the price tag: TrueCrypt is completely free to use on any number of computers.
What TrueCrypt lacks most are management tools, which makes the product a tough sell for any organization larger than a few seats. TrueCrypt has no direct integration with Active Directory (AD), unlike BitLocker, which is a native Windows component. Such integration allows for the storage and recovery of encryption keys in an AD repository, for instance -- a massively important central management feature. With TrueCrypt, if you lose the key, your only hope for recovery is the separate recovery disk you created. (You do still have that lying around, don't you?)
BitLocker's Trusted Platform Module (TPM) support is another major feature that TrueCrypt doesn't yet have. TPM hardware is used to store security credentials -- such as encryption certificates and biometric data -- on machines typically sold for corporate deployments. TrueCrypt's lack of TPM support is not a design shortcoming, however, but rather a deliberate omission. The creators of TrueCrypt claim that TPM provides "a false sense of security." Whether or not you agree with this assessment, TPM is still commonly used in enterprise settings, and your organization may be reluctant to rely on an encryption system that doesn't even allow it as an option.
If you're working in a mixed-platform environment, BitLocker does not perform full-system encryption on anything but Windows at this time. That said, various editions of Linux come with full-disk encryption as a standard option, and Mac OS X 10.7's FileVault now has native system-disk encryption as well.
TrueCrypt is far from being the only third-party, full-disk encryption system, although it is often mentioned simply because of its simplicity and affordability. Two other products, McAfee Endpoint Encryption and Symantec Endpoint Encryption, are absolutely worth considering. ("Endpoint protection" is a common euphemism for a product that includes a whole suite of functions not limited to full-system encryption.)
McAfee and Symantec's programs add functionality that is not natively present in BitLocker. Symantec's product, for instance, sports the following features that expand heavily on BitLocker's own functionality:
- Management for clients not controlled by Active Directory Management Services, as well as nondomain clients. This is handy if you have machines that are not under AD's umbrella for technical reasons.
- Support for Novell eDirectory clients, in the event you're managing endpoints via that infrastructure.
- Support for single sign-on in both AD and Novell environments, integrated with the preboot authentication process.
These features sound like good reasons to use third-party endpoint encryption in place of BitLocker, but you should keep a few things in mind. First, any third-party product (barring TrueCrypt, perhaps) is going to incur a per-seat licensing cost above and beyond the basic cost of a Windows license. It's not hard to see that additional cost as an investment in security, but not everyone in your organization might share that belief.
Second, a third-party product will incur a deployment cost -- not money, precisely, but the time and effort involved in setting it up, educating users about how the new technology works and what it's for, and making sure the disaster-recovery and key-escrow technologies work as intended. Granted, this is also bound to happen if you're using BitLocker, but that technology has the slight advantage of being a native part of Windows.
The biggest reason to use something other than BitLocker for full-system encryption is if the competing product provides something vitally important that BitLocker simply doesn't do yet. Microsoft changes the feature set for its core programs very slowly, with Windows being on the slowest refresh cycle. Microsoft doesn't want to change things so quickly that any attempts to build on top of Windows as a deployment platform are negated. That leaves plenty of room for third-party software makers to leap in and fill the gap, as many have done.
ABOUT THE AUTHOR:
Serdar Yegulalp has been writing about personal computing and IT for more than 15 years for a variety of publications, including (among others) Windows Magazine, InformationWeek and the TechTarget family of sites.
This was first published in November 2011