The Hard Disk Encryption Evaluation project is being conducted at the request of ITAG and led by Jonathan Hunt. The goal is to identify a product that can be utilized with relative easy to encrypt data on local hard drives in an effort to better protect against sensitive data therby lowering MIT's risk at exposing sensitive data. The target audience is laptops as they are more likely to "disappear", but we do not anticipate and reasons why a desktop would need a different solution.

Problem: MIT is at risk for sensitive data exposure when laptops and other hardware is stolen or left unattended.

Solution: Provide a technical solution to lower that risk by encrypting sensitive data on hard disks in laptops (and desktops). 

The goals of the encryption solutions are:

1. Ease of use (if it is hard to use, it won't be used)
2. Transparency to the user (beyond authenticating at login or boot up)
3. Recovery from forgotten passwords (don't loose the important data) and hardware failures
4. Effective encryption to thwart a thief from getting sensitive data off the disk
5. Ease of setup

The project is not focussed on:

• Protecting data from network attacks
• Securing data communication channels for sharing the data

The initial evaluation will focus on utilizing the Encrypted File System that is an option as part of Windows XP Professional and FileVault that is an option as part of Mac OS X 10.4 Tiger (and 10.3 Panther). We have taken a brief look at other possible solutions including commericial products like PGP, but for decided to start with solutions that are already available to the target audience without the need for additional software management.

The project will also pilot the Software and Hardware Evaluation Pilot Process seeing if a Wiki provides a useful way to collect feedback from the community evaluators.

If you are interested in participating in the evaluation, please contact jmhunt@mit.edu.  A solicitation for participation will be sent to the various partners@mit lists by the end of July 2006, but anyone at MIT is welcome to volunteer.

Questions to Explore During the Pilot

• Is the data backed up encrypted or in the clear?  (Dependent on backup solution) 
  • If encrypted in backup, what extra precautions must be taken to ensure recoverability of the data should a disk failure or forgotten password happen?
  • Does the backup solution backup the data as a file (may make incremental system backups really large for FileVault)?
  • What is the impact on incremental backups, particularly on multi-user systems?
• Does the solution protect against a stolen laptop or hard drive?
• What behaviors might a typical user do that would result in the data being on the disk unencrypted?
  • What can be done to mitigate these risks?
• How do the operating system tools compare to 3rd party products like PGP for functionality, key escrow, recovery, etc.?
• What are other schools doing?
  **Harvard appears to be going with PGP whole disk
  **UPenn is at a similar state in evaluating possible solutions
• How should central recovery work when passwords are lost?
  • i.e. who should have the keys to unlock the castle
• What steps can be done with installers or other tools to ease the setup and ensure useful configurations?
  • like requiring non-blank login passwords, passwords to return from sleep, etc.
    *What performance hit does encrypting the files have, if any?
  • Could play large video file from encrypted spot - see how long it took to load and if they was any file read problems, then do the same thing on the same machine from a non-encrypted location.

Feel free to add additional questions in the comments section below and the pilot team will look into them.

Pilot Testers

• Jonathan Hunt - IS&T Client Support Services Software (Project Leader)
• Deb Bowser - IS&T Software Release Team (SWRT Team Leader)
• Alex Koslov - IS&T Software Release Team (Windows Platform Coordinator)
• Al Willis - IS&T Software Release Team (Macintosh Platform Coordinator)
• Patrick Whitney -  IS&T TSM Team (TSM/Backup Expert)
• Dave Kalenderian - IS&T TSM Team (TSM/Backup Expert)
• David Ferrante - MIT Federal Credit Untion
• Rich Garcia - IS&T
• Matt Sullivan - IS&T Departmental IT Resources
• Helen Rose - Resource Development
• Matthias Thorn - IS&T Computing Help Desk
• Scott Jensen - MIT Corporate Relations - Industrial Liaison Program
• Andre Pierre - MIT OpenCourseWare
• Jason Marshall - MIT Sloan Technology Services
• Michael Mappes - MIT Sloan Technology Services
• Alison Knott - MIT Medical, Manager Security and Integration
• Ann Birk - COFHE Director of Information Technology
• Greg Hudson - MIT Sloan Technology Services

Disk Encryption Test Results

The pilot is just beginning, so our results are spare. See the Disk Encryption Test Results page for the latest results.