What are the best laptop data encryption options?

When it comes to protecting laptops and hard drives, there are plenty of choices. In this expert Q&A, Michael Cobb lays out some data protection options. And they're not just software-based, either.

The company I work for is about to encrypt the hard drives of all corporate laptops. However, we are still looking for a good product for international travelers, as some countries do not allow encrypted laptops. Decryption takes hours and would not really be accepted by users. Can you recommend another way to protect laptops and hard drives?

When it comes to tackling laptop data encryption, there is a growing number of options. The products are not just software-based either. Seagate has launched a hardware-based encrypted laptop hard drive, and so has Hitachi. Both use AES encryption, which is a government-grade security protocol. These drives match traditional drives for speed and come with software to enable managed enterprise deployments.

If your company is contemplating a migration to the new Windows Vista operating system, you might want to consider the Business, Ultimate or Enterprise editions. Each includes a new hard drive feature called BitLocker Drive Encryption. By default, the technology requires a Trusted Platform Module (TPM) chip usually found only in higher-end systems. However, you can set group policy so that a USB storage device can store the encryption keys. This setting prevents the computer from booting up until the USB device is plugged in. Great two-factor authentication!

WinMagic's disk encryption software, SecureDoc, offers another way to add pre-boot authentication. If you are having problems with the time it takes to decrypt data, I would consider creating a volume that automatically encrypts all files stored on it; then I would move the My Documents folder to reside there. As long as software programs are not stored on this encrypted drive, there should only be a negligible impact on performance.

If you wish to use encryption abroad, you will have to ensure that the product you choose can be used in the countries that your staff may need to visit. The Bureau of Industry and Security assigns a license exception to most commercial encryption products, allowing them to be exported to only specified destinations. PGP, for example, falls within three types of license exception: mass market, ENC restricted and ENC unrestricted. None of these categories, however, allow encryption products to be exported to the following embargoed countries: Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria.

Other steps you can take to protect on-the-road laptops include locking down the operating system and providing users with a physical lock. Better still, insist that users remove hard drives and lock them in a safe whenever they leave their laptops unattended. Some organizations now provide spare drives that have to be installed when working in a hostile environment: anywhere outside the confines of the office. These drives only contain company data that is classified as public. Any other data has to be stored on encrypted USB keys carried separately from the laptop. Proximity alarms can also be attached to a laptop, which will go off if the computer gets too far away from its owner. Finally, I would ensure that all of the laptop-using staff receive security awareness training. The training should be aimed at the particular threats that laptop users face, such as unsecured public Wi-Fi and opportunist thieves.

This was last published in September 2007.