Comments on: Hardware-based encryption will win in the laptop market

Large organizations are no longer willing to gamble with lost or stolen laptops; soon laptops will come with encrypting hard drives as standard.

[skswave]

Hardware full disk encryption is easier to prove

Another key benefit for hardware full disk encryption is that it is easier to prove it was in place if a machine is lost. Due to the fact that the control of the encryption is in the drive and that the drive can be managed by a central server, it is possible to have a complete transaction log for a specific drive from the day it is enabled to the day the drive encryption key is deleted. Software full disk encyrption is running within windows and is open to a greater array of weaknesses. When a server manages the secure drive, local administration can be disabled ensuring that the current state of the drive is always known by the server. This is critically important because proving a lost machine was encrypted is how a corporation can avoid the embarassement of telling the world they lost everyone's data.

So the key is to make sure that every new laptop is purchased with a Seagate FDE drive.

Steven Sprague
CEO
Wave Systems Corp.
providing the tools to manage TPMs and Trusted Drives

[Rock_Pool]

Maybe how the encryption's performed is not the key point?

While it's true that for you and I as individuals unmanaged hardware encrypted drives may be a simpler and free solution, is that really the case for the average enterprise managing thousands, or tens of thousands of devices possibly in many countries?

At the moment (though this may change over time) encrypted disks are unmanaged (unless you buy additional software from people such as Wave), and authentication to them is little more than a BIOS password.

Most software products which do the same thing can work in dozens of languages and support hundreds, or in one case tens of thousands of users with complex passwords and even token based logons all at the same time, and will synchronize these credentials across tens, hundreds or thousands of PC's..

It may take some time until the drives you buy from vendors such as Seagate can handle this kind of sophistication out of the box, but then again, do you and I really need that?

For the enterprise market, expect to see very valuable encryption management software start taking responsibility for these great (but management limited) hardware systems, but I don't think you'll see Seagate providing enterprise class encryption management for their drives free any time soon - that would be way outside their core business.

What's more interesting than the encrypted drive discussion, is the Intel Danbury proposal that will move encryption of storage into the chipset - why be constrained by one drive manufacturer when you can buy a motherboard which will transparently encrypt any drive regardless of maker or capabilities? Will there be a role for Seagate if Intel (and probably AMD in the future) provide chipset storage encryption? Maybe it's the purchase of encrypted disks which we should be skeptical about, not the enterprise management of encryption and authentication.

[tigereye7]

Well done article. Hardware-based encryption also opens the doors for more effective multi-factor authentication methods. Some manufacturers are even putting the encryption into an external hardware device (like these guys). With more and more regulations requiring multi-factor authentication in addition to encryption, I think we'll see more and more of this.

[tigereye7]

(http://www.goldkey.name)