Migrating FDE Vendors

I was asked recently via email how to programmatically uninstall GuardianEdge. I'd been thinking about something similar, that is, how do you migrate endpoint security vendors, including Full Disk Encryption?

To a certain extent this problem doesn't affect very many people. Is Full Disk Encryption installed at many companies outside the Federal Government and Government Contractors? I imagine it's starting to make more inroads via the encryption safe harbor and regulatory requirements.

I've had Full Disk Encryption deployed for over 3 years. With many security products that is an eternity. Features change. Companies get bought and sold. What if I decide to switch from yellow (Symantec) to red (McAfee)? Does Sophos have a color?

As far as uninstalling GuardianEdge specifically, I'm pretty sure the manual says you need to decrypt before you uninstall. Therefore, I would need to deploy a decrypt policy via Group Policy, then, after sufficient time has passed for decryption, uninstall GuardianEdge and replace it with my new favorite Full Disk Encryption. The problems with this scenario are: 1) the computer is left unencrypted for a period of time; 2) this period of time is unspecified; 3) the end-user will experience the joyful performance hit of decrypting and then re-encrypting the hard drive. Not Good!

Another possibility is to introduce the new encryption product as computers are replaced. This has the benefit of not interrupting the user. The downside is the helpdesk would have to keep track of two different one-time password programs to allow users to access computers with a forgotten password. Management is twice as hard. I'd have to maintain two different systems. With a three-year lease cycle on computers it would be quite a while before all computers are on the new system.

We're about to do a rip-and-replace migration to Windows 7. This would be an ideal time, since you're already doing a system refresh. You don't have to worry about the decrypt/uninstall. You just back up data, drop the Win7 Ghost load, restore data, encrypt. It is a rare opportunity.

I don't like these options. Readers, have any of you migrated Full Disk Encryption products? Do you see any alternatives I'm missing? Comments welcomed below. First-time commenters will be held in the moderation queue. All comments must clear the spam filter.

6 Comments

  1. Looking at self-encrypting drives (SED) is a good idea, especially when performing a refresh. Companies like Dell and HP will ship with encrypted drives instead of conventional ones. It is a minimal cost.
    You mentioned the government which likes to use FIPS validated encryption algorithms. Seagate already sells a FIPS validated drive and Samsung is about to ship a FIPS validated self-encrypted solid-state drive.

    The great thing about SEDs as far as migration is concerned is that an administrator has greater control. You could turn off one vendor’s product without the need to decrypt for hours. The administrator could turn off a drive or group of drives and immediately take ownership of the drive with a competing product. And since it’s hardware there is no possible way that the end user could turn that protection off, even if they are a local administrator or they re-imaged the drive.

    • We're very interested in self-encrypting drives but they do introduce their own questions.
      Need the same manageability and recoverability. You still need management software to manage the recovery of the drive when the user forgets their password. I tried to do an eval with WAVE once but they really weren't interested in providing evaluation support. Looks like GuardianEdge now provides manageability of OPAL standard drives from within the same management point. Then I'm back to vendor lock-in.

      I've seen people raise questions about the performance benefit and reliability of the encryption. (And I've seen the counter-arguments as well.)

  2. Unless the Removable Storage piece operates differently if GE is integrated into your AD, you cannot do an unattended uninstall of GERS. We are using the GE Native Policies, and when attempting to uninstall GERS it requires a client admin username and password. GuardianEdge has been of absolutely no help whatsoever in regards to doing an unattended removal. We had a ticket open for some time, and basically got "Nope, you can't do that."
    We ended up with a new developer, who was handed off this project his first week here. He created a small executable using C#, and the AutomationUI part I believe (I'm no programmer), which managed to get it to enter in credentials. Surprisingly, it even works in the background when the package is pushed via LANDesk.

    As for other parts, yes the drive must be decrypted. It actually will not let you uninstall the hard disk piece if the drive is still encrypted. You also cannot remove the framework until the removable storage piece is removed. And GE has been able to provide no way to automate the GERS removal.

  3. Oh, let me add, we are migrating from GuardianEdge FDE to Credant’s agent-based encryption.
    We don’t like the compatibility issues FDE products have with hardware, due to the fact that they are essentially running a Linux kernel or even worse, DOS-like kernel for the pre-boot authentication.
    And Credant still lets us adhere to HIPAA requirements. The downside is that you cannot create different policies and group machines into policies.

    • When I started Encryption Anywhere, later GuardianEdge Hard Disk Encryption, I was looking forward to getting to a Linux pre-boot since it was supposed to solve the incompatibility issues with various keyboards. Instead we got a much worse problem, complete hardware incompatibility with some models.

      There are some things to look forward to in this area but it is going to be a while.

    • Actually, Credant does allow you to create different policies and apply them to a group of machines. Also, in Credant’s latest version, it even has what’s called Endpoint Groups, where you can create groups based on similar attributes collected from device inventory and allows you to apply policies to it.

      Just FYI.
