NASA To Encrypt All of Its Laptops

pev writes "After losing another laptop containing personal information, NASA wants to have all of its laptops encrypted within a month's time with an intermediate ban on laptops containing sensitive information leaving its facilities. Between April 2009 and April 2011 it lost or had stolen 48 'mobile computing devices.' I wonder how long it will be before other large organizations start following suit as a sensible precaution?"

They waited this long because?

[Liquidretro]

They waited this long because? First?

A bit of a misconception.

[sunking2]

NASA is a huge bureaucracy that is behind the curve in this aspect. The sad part is that they apparently have more laptops to lose with HR type information on them than they do ITAR. Which pretty much sums up NASA right now.

[shrug]

[Thumper_SVX]

You know, we've been doing this for four years where I work. And yes, I know everyone here is going to espouse Truecrypt as the one true solution, but the simple fact is NASA is run as a corporation... as such they'll probably go for a solution that's vendor supported. The fact that they're NASA will probably mean they'll get a pretty decent price on the software too.

Now, the downside of full-disk encryption (which many lazy corporations do instead of home directory only) is that it does increase the load on your system, slow it down and make recovery if/when it breaks a royal pain. Our helpdesk has an almost constant stream of laptops coming and going through their hands that they have to decrypt and re-encrypt because something got out of sync. Time consuming, and leads to downtime for the users. I've often suggested home folder only encryption... but the higher ups want it all encrypted... right up to the point that their laptop is down for two days because they've broken it.

By the way, another horrible side effect of whole disk encryption is that our experience says that it'll kill SSD's pretty rapidly. Our average SSD life is less than a year at this point because there doesn't seem to be a good full-disk encryption software that properly implements TRIM... so spinning disk or hybrid disk is the way to go.

This is amazing: Why didn't they do it 10+ years a

[Terje Mathisen]

I was in charge of testing/verification of full disk crypto when my then-employer (Hydro) mandated it almost 20 years ago:

At that time 5 vendors made it through our pre-qualification tests, among these I was able to trivially break 3 of them (replace a conditional branch with its opposite), one took 20 minutes and only Utmaco's SafeGuard Easy had done a proper security design, where the user password was used as (part of) the seed for the key used to decrypt a copy of the master disk key.

I.e. the system _must_ be safe against attack from anyone, including the vendor!

I wrote a longer post about this the previous time the same issue came up on /.

Terje

Re:They waited this long because?

[Rootbear]

This is not a new policy. The implementation of full disk encryption has been underway for some time. We are doing laptops first, then desktops. The current fire drill is because a laptop with PII was stolen at NASA HQ and it was one that had not yet had full disk encryption installed.

NASA IT staff are as overworked and under appreciated as anywhere. If NASA had wanted full disk encryption done sooner, they could have added the resources to make it happen. And that would have taken resources from missions, like Curiosity and the James Webb telescope. It's all about priorities.

Re:[shrug]

[sribe]

I've often suggested home folder only encryption... but the higher ups want it all encrypted...

And they're absolutely correct. A laptop gets stolen that contains information which you are legally obligated to keep confidential, and you are threatened with a lawsuit over the breach of confidentiality, do you prefer:

A) being able to say "the entire disk was encrypted"

B) having to argue that having the user's home folder encrypted was sufficient, and potentially having to prove that no confidential data was stored outside the home folder, but having to prove that without the actual disk in your possession as evidence

Re:They waited this long because?

[oneandoneis2]

Because the typical end user is stupid and forgets their password.

On a normal laptop, this means a bit of inconvenience.

On an encrypted laptop, this means a loss of all data.

You have to have solutions for this problem in place before you can roll it out.

Re:NASA Transparency drirective

[SecurityGuy]

NASA has employees. Those employees have things like SSNs and disabilities and other such things that go in personnel files. It's one thing to say that all NASA's mission data should be completely open, and quite another to say that means everyone who works there should expect the public to be pawing through their data when that data would be afforded protection at any other employer.