December 12, 2015 at 11:36 am
Comments posted to this topic are about the item The $90,000 Laptop
Follow me on Twitter: http://www.twitter.com/way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
December 13, 2015 at 2:35 am
We go travelling and take out travel insurance, we insure our houses, our lives etc., but regularly fail to take even the most elementary measures when it comes to the data we have been trusted with. Guess some substantial change of mindset is required.
😎
December 13, 2015 at 2:14 pm
A health care provider I know of had a laptop stolen out of the car of a home care nurse. With HIPAA and everything else, it could have cost them 7 figures - for a single laptop. There's no excuse for not having drives encrypted.
Then again, I have a desktop at work and even it has full-disk encryption on it. It's a pain sometimes, but it's worth it to mitigate the risk from a smash and grab break-in.
December 14, 2015 at 1:34 am
Ed Wagner (12/13/2015)
...Then again, I have a desktop at work and even it has full-disk encryption on it. It's a pain sometimes, but it's worth it to mitigate the risk from a smash and grab break-in.
I was at a place where we turned up one Monday morning to find out that a whole department had been "rolled over". On each desk there was a monitor, mouse and keyboard i.e. no box!!!
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
December 14, 2015 at 5:44 am
December 14, 2015 at 6:53 am
We try to limit any data actually on the laptops (down to zero if possible). But we haven't taken that next step, yet.
December 14, 2015 at 7:09 am
mastersql (12/14/2015)
Can BitLocker be installed after the Windows OS has already been installed? The website says that the OS has to be installed first, which is a problem for Home Users who usually buy PCs with the OS pre-installed.
BitLocker is only available with the Ultimate, Enterprise, and Professional editions of Windows.
What I use on my personal laptop is a free open-source solution called DiskCryptor, which works with any edition of Windows starting with XP. You can (and must) install it after installing Windows. After installing and setting up an encryption phrase and password, it takes a few hours to encrypt existing data on your HD. After that, it simply prompts for the password each time you reboot. Beyond that it's totally transparent and works without a hitch.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
December 14, 2015 at 7:12 am
The editorial mentions revoking and reissuing keys for TDE.
To my knowledge that isn't possible. It's not like message exchange, when you encrypt the whole disk you're talking about gigabytes of information, which would have to be first decrypted and then re-encrypted--and that takes *hours*--at least. Heaven help you if the process gets interrupted...
Key management is the dirty little secret in TDE. Lose the keys and you lose the drive--and thus the data.
For SQL Server specifically the answer is NOT encrypted hard drives, it's leaving the database (especially development data) on the servers and using encrypted communication channels.
That way if you lose the laptop (and why the heck are you using a laptop for development anyway????) it's just a loss of fixed assets, not the secret sauce.
December 14, 2015 at 7:52 am
Hi Eric
That's brill but does it support Windows 10? I'm on Win 7 but will upgrade within the next few months :-
https://diskcryptor.net/wiki/Main_Page
Cheers
December 14, 2015 at 8:01 am
mastersql (12/14/2015)
Hi Eric
That's brill but does it support Windows 10? I'm on Win 7 but will upgrade within the next few months :-
https://diskcryptor.net/wiki/Main_Page
Cheers
I've seen references to folks having issues upgrading from Windows 7 / 8 to Windows 10 with DiskCryptor in place. Upgrading the OS on an encrypted disk is sketchy, so some have suggested uninstalling DiskCryptor, upgrading to Windows 10, and then re-installing DiskCryptor. I would suggest doing something similar with any full disk encryption solution.
December 14, 2015 at 9:14 am
roger.plowman (12/14/2015)
The editorial mentions revoking and reissuing keys for TDE.
To my knowledge that isn't possible. It's not like message exchange, when you encrypt the whole disk you're talking about gigabytes of information, which would have to be first decrypted and then re-encrypted--and that takes *hours*--at least. Heaven help you if the process gets interrupted...
Key management is the dirty little secret in TDE. Lose the keys and you lose the drive--and thus the data.
For SQL Server specifically the answer is NOT encrypted hard drives, it's leaving the database (especially development data) on the servers and using encrypted communication channels.
That way if you lose the laptop (and why the heck are you using a laptop for development anyway????) it's just a loss of fixed assets, not the secret sauce.
I assume by TDE, you mean total disk encryption. I've seen that referred to as whole disk encryption or full disk encryption. In SQL Server, TDE is encryption with Transparent Data Encryption.
You can redo key encryption in BitLocker, and some of the others. It does require decryption, but it can be done in the background. Potentially an issue, but certainly worth doing if you suspect your keys might be compromised.
More the issue with redoing encryption is places where possible key or data compromise might allow someone time to crack your key. This is less likely with disk encryption.
For SQL Server servers, TDE isn't a bad idea, nor is full disk encryption, if there's a possibility of physical disk loss. That's not too likely with SQL Servers. More you would lose an MDF/LDF/NDF, so TDE makes sense. Certainly backups need to be protected, and definitely network layers where data is in transit.
December 14, 2015 at 11:02 am
Not only does full disk encryption protect your data in the event of theft, it also renders the device practically unusable or at least the thief now has to invest more time and money in re-installing the operating system. If we can make the secondary market for stolen devices (and encrypted data) unprofitable, then we can hopefully deter the incentive for device theft in the first place.
December 31, 2015 at 8:06 am
mastersql (12/14/2015)
Can BitLocker be installed after the Windows OS has already been installed? The website says that the OS has to be installed first, which is a problem for Home Users who usually buy PCs with the OS pre-installed.
The first thing that has to be done is setting up the system (boot) partition and the OS partition as two separate partitions, and that is the problem when the OS is already installed in the boot partition. If the OS was installed in a separate partition from the boot partition, BitLocker can be installed straight away - if not, the disk needs to be partitioned properly before BitLocker can be installed, and in the bad old days this required re-installation of the OS. However, way back in Vista days MS developed a tool to do the necessary split when the OS was already installed, so that this isn't (or at least shouldn't be) a big problem any more (of course the user still t to back up non-OS data before doing this, and probably still needs to know the activation code for his OS).
The real big problem for home users is that BitLocker doesn't run on Home or Home and Student versions of any OS, only on Professional and higher versions; most home users buying a laptop (or a desktop) buy it with an OS edition that doesn't support BitLocker. But most people who are using a computer for work at home will have a Professional or higher edition OS for one reason or another.
Tom