
PGP Whole Disk Encryption


3w`Sparky


OK, so the PGP Disk encryption is not breakable "currently", but when you "REBUILD" your system and then install PGP Desktop, which lets you turn your HDD into an encrypted one, what about all the leftover space that hasn't been written to yet?

eg 80 gig hdd

4 gig xp install

1 gig office install

3 - 4 gig of other apps

What about the remaining space? Does PGP write across the whole disk?

E.g. can a disk that has been used already be securely erased if you just run a bare install and then install PGP on top of it?


What you say is potentially correct (provided it's done at the file system level): any data that is on the drive and is not part of the file system (deleted files, leftover files after formatting, etc.) will not be encrypted. There is a simple solution, however: blank the drive before installing the operating system.


Which leads to the next question: what's best?

I have to conform to CESG Governance ideally, but wondered what might be best but also fast, although the two work against each other!

Well, you need to find out how PGP full disk encryption works. I had a look on their web site and a bit of a Google but couldn't find what I was looking for.

If it works like TrueCrypt and inserts itself between the operating system and hard disk to do sector level encryption, you don't need to do anything, as every sector of the disk is encrypted. This might be called 'sector level encryption' or similar.

However, if it encrypts every file individually by inserting itself between the operating system's file access stuff and the rest of the operating system for the purpose of using a different key for every file (or some other similarly useful feature), then you need to blank the drive before installing the operating system. This method might be called 'file system level encryption' or similar.

A tool that finds 'not-used' sectors then blanks them is theoretically possible, but I have never found one.


Uhm.. Guess why it's called "whole disk encryption"??

You can either encrypt individual partitions or you can encrypt the entire device. In either case, ALL space of the volume is encrypted. (Yes, PGP can also create file-hosted volumes, but you can't stuff your OS inside a file and still be able to boot.)

When you encrypt a storage-volume it is filled entirely with randomly-looking garbage, i.e. overwritten once.

Despite what NIST, the US Military etc. etc. could make you believe, there are no documented examples of ANY data being recovered from a HDD that has been fully overwritten once. Ever..

Despite this fact, you may be required to sanitize the disk in accordance with Federal guidelines anyway, and depending on the nature of your operation and the data you store, you may even be required to have proof that the disk was sanitized..

Edited by IOSys

Guest Deleted_Account

I use TrueCrypt so I just wipe free space after. Depending on what was on the disk beforehand I would use DBAN and at least NSA 7-pass wipe. Mainly because in the event someone could/found a way to recover from a single wipe they still wouldn't get my data :)

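A check for the question this thread turns on, whether any sector still holds old plaintext after encryption or a wipe. This is an added example, not code from any poster or from PGP or TrueCrypt. It assumes 512-byte sectors and a 7.0 bits/byte entropy threshold; the function names and the sample image are constructed for illustration.

```python
import hashlib
import io
import math
from collections import Counter

SECTOR = 512  # assumed logical sector size

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify(block: bytes, threshold: float = 7.0) -> str:
    """Label one non-empty sector as blank, random-looking or residue."""
    if block.count(block[0]) == len(block):
        return "blank"  # one repeated byte, e.g. 0x00 or 0xFF fill
    # 512 random bytes measure about 7.5 bits/byte; text and most file
    # structures fall well below 7. Compressed data also scores high.
    return "random-looking" if entropy(block) >= threshold else "residue"

def survey(stream, sector: int = SECTOR):
    """Classify every sector; return (counts, sector numbers holding residue)."""
    counts, residue, index = Counter(), [], 0
    while block := stream.read(sector):  # a short final sector is still checked
        kind = classify(block)
        counts[kind] += 1
        if kind == "residue":
            residue.append(index)
        index += 1
    return dict(counts), residue

def sample_image() -> bytes:
    """Constructed 8-sector image: ciphertext-like, blank, and stale plaintext."""
    # SHA-256 output stands in for encrypted sectors (deterministic, offline).
    cipher = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                      for i in range(4 * SECTOR // 32))
    stale = (b"Payroll 2009: constructed sample record\r\n" * 13)[:SECTOR]
    return cipher + bytes(2 * SECTOR) + stale + b"\xff" * SECTOR

if __name__ == "__main__":
    counts, residue = survey(io.BytesIO(sample_image()))
    print(counts, "residue sectors:", residue)
```

To check a real disk, pass `survey` a raw image or block device opened read-only in binary mode. High-entropy sectors can also be compressed files, so a clean result shows the absence of obvious plaintext rather than proof of encryption.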