Thoughts on full disk encryption?

[Skeeedunt]

I'm debating whether I want to pony up the extra bucks for Vista Ultimate to get BitLocker. What little sensitive data I have (password files mostly) is already encrypted, usually with KeePass or TrueCrypt.

I realize I'm not a high priority target, and that if my laptop does get lost/stolen it's unlikely to undergo a rigorous offline attack, but I'm curious to hear if anyone has any insight into the matter. The biggest concern seems to be that any random chunk of memory could get paged out to disk and left there for someone else to recover. Is this a legitimate concern, or only for the hyper-paranoid? Any way to mitigate or eliminate the risk?

===

I was bored over the weekend, so I went for it. I haven't seen much written about Bitlocker, so I figured I'd share a few thoughts:

Overall, the process was fairly painless. Having to repartition from the command line before you install is a bit annoying, but went smoothly.

After that it's all pretty straightforward. Install Ultimate to the big partition. Go to the Bitlocker control panel page and and hit the On button (this initialized the TPM and encrypts the drive, which took a few hours). Reboot and there you go.

The amazing thing is that the HD Tune benchmarks I got were pretty much identical to this guy's, with slightly higher CPU usage (~6%). All in all, not bad.

 

[commOdog]

I deploy POINTSEC (now called checkpoint i think) full disk encryption on all our laptops at work. About 600 so far. Use full 256bit AES on them.

We will be switching to Bitlocker when we deploy Vista next year, simply because it is included in our license agreement.

I do know this, you can't get to data without the recovery files if windows borks up, and even then, its a 50/50 chance and a 6-8 hour decryption process

 

[kamper]

According to this, bitlocker will encrypt swap for you, which is good.

 

[Skeeedunt]

Thanks for the responses guys, sorry to take a while getting back.

Originally posted by: commOdog
I do know this, you can't get to data without the recovery files if windows borks up, and even then, its a 50/50 chance and a 6-8 hour decryption process

That's good to know. I've read that physical drive failures could be more catastrophic vs. an unencrypted disk as well. I "plan" to get a good backup strategy going, so hopefully that wouldn't be any more than an inconvenience.

Originally posted by: kamper
According to this, bitlocker will encrypt swap for you, which is good.

That's what I was hoping for. It sounds like FDE is your only option if you're worried about data being paged to disk.

 

[stash]

FYI, if you're using Ultimate, you don't need to set up the partitions with diskpart beforehand. There is a Bitlocker prep tool available as an Ultimate extra that does this for you.