Product Group Tests
Whole disk encryption (2007)
Priced at the low end of the products that we tested, PGP Whole Disk Encryption was the best tool for an enterprise environment. We rate it our Best Buy for its strong enterprise capability, ease of use, value and superior performance.
While SecurStar DriveCrypt is in the middle of the pack for the cost of whole disk encryption software, the added features make it an attractive piece of software. We give it a Recommended award for its ease of use and performance.
Full Group Summary
Whole disk encryption software for single users and enterprises is maturing. With a wide range of features and prices, there's something for everyone. And it's not just about speed. By Justin Peltier.
This month we looked at seven whole disk encryption products. The solutions in this category covered a wide range of prices and features and this is typical of the rapidly evolving market. All the tools we assessed consisted of standalone software packages separate from the underlying operating system (OS).
One of the tools tested was an open-source product that has developed a large following in the industry, while all other packages were commercial products. Several of the offerings were bundled with hardware tokens for authentication. The devices were all USB, while several vendors offered other options such as SCSI (small computer system interface) and PC Memory Card International Association token devices. None of these products were combined with other desktop security packages, such as personal firewall or anti-virus software.
As a group, these tools performed well and many offered unique features. We evaluated them as both a single-user install and as enterprise products. Most of the test subjects supported dual modes of both individual and enterprise, but a few were single-user only. One of the major differences between single-user and enterprise installations was the inclusion of audit logs. While all the solutions that supported an enterprise mode also offered an audit logging feature, most of the standalone units did not include an audit log feature.
All the products in this category were expected to meet certain criteria, including the ability to encrypt the entire boot hard disk where the operating system would reside. One product, the open-source TrueCrypt, did not meet this requirement, but was included because it met the remaining criteria. In addition, all test subjects besides TrueCrypt provided pre-boot authentication.
Many products combined the pre-boot authentication with a single sign-on functionality (SSO) that also allowed the user to access the underlying operating system.
With the exception of TrueCrypt, all had a feature to protect the data on a hard drive in the event of the drive being removed from the machine. Finally, all products also included a measure that would prevent data from being lost if the system suffered a power failure.
How we tested
All products were put through their paces using an Emachines m6811 notebook computer with an AMD Athlon 64 3400+ CPU, with 1.2 GB of RAM. All tests were performed on a 60-GB hard drive that was wiped between tests. Once the drive was cleared, a core operating system of Windows XP Media Center Edition was installed from a Symantec Ghost version 8.0 image. The operating system was patched to current levels as of November 17.
Once the base OS was installed, the only other software package that was added was Performance Test version 6 software from PassMark. This was installed to create system performance baselines that could be compared with system performance after the software was installed and running on the system. Each package was evaluated using ten criteria:
1. Does the product require user authentication before the OS starts or at login - or both?
2. Does it support hard-drive encryption in the event of screensaver, suspend and hibernations modes?
3. Does the product support a user password with a recovery function?
4. Does the product support an administrator password that is separate from the user's?
5. Does the product use a master password?
6. Does installation create negative performance overall?
7. Does the product protect other OS file systems that are installed on the same disk?
8. Does it allow for another OS bootloader?
9. Does the product create audit logs?
10. Can information about the security configuration be uncovered by booting the system to a Knoppix Live CD distribution?
In addition, each product was timed to determine how long the hard drive encryption would take.
In general, we found that performance hits due to encryption averaged one per cent or less. Ease of use was quite variable, with some products simple to implement and others quite difficult. Overall, security issues, such as the safe removal of encryption without losing data, have been addressed in most products since the last time we looked at this category.