
Encryption Comments & Feedback


Encryption Comments
I received a lot of feedback, all of it good, regarding encrypting data. Most of the comments were directed towards laptops and desktop solutions.

There were a few kinds of encryption our readers found helpful.

  1. Encryption of the laptop – Requires the user to provide a password before the computer boots. TrueCrypt supports this model.
  2. Encryption of the entire drive – This encryption allows the computer to boot prior to providing the password. This is often used with removable media.
  3. Encrypting folders – This is used to encrypt portions of a disk. It is also used for removable media.
  4. Hardware-based disk encryption – Rather than encrypting data through software before writing to disk, others found hardware implementations to be valuable because they are implemented when the hardware is installed. I have no performance statistics. However, I would assume some performance benefit because your CPU is not doing the encryption work.

Here are a few of the comments from our readers:

Elchanan:
I appreciate this article. You say that your company has been working with disk encryption that preempts even boot-up. I’m interested in learning what is available in this regard, but I don’t see that information in your article. If you are permitted to do so, would you be willing to point me toward whatever solution(s) you have in mind here?

Andrew:
I am a production support as well and development SQL Server DBA. On my last job we not only had drive lock (password protected pre-boot) but also mandated disk encryption. The disk encryption was a big pain for us because it really dogged the system. Of course we had (old) laptops (Thinkpads w/40 GB drives) because we were on on-call rotation and had to support the infrastructure. This was mandated because DBAs often have sensitive data on their laptops. In my current job we use the drive lock, but no data encryption. I like this much better. Added security without overburdening the machine.

Mark:
Being rather paranoid about data security, I am a huge proponent of drive encryption. However, one alternative I use instead of encrypting certain drives themselves, where much of the information isn’t even sensitive, is to use virtual disk images that are individually encrypted. I use this method to manage a common data encryption between multiple devices (internal/external disks, flash memory, NAS) and more importantly individual data encryption amongst multiple clients. I can freely mount and unmount volumes as needed and can manage a different passphrase for each volume if necessary.


It is also handy for using the same USB key amongst multiple clients each with their own passphrase for their own data where one client cannot access another client’s data still present on the key. And as a bonus I can set compression on individual drives if performance isn’t an issue…Much more useful than dealing with zip files or the like.


Sure, one must be careful not to place sensitive information outside the encrypted volumes, but other than that, it makes for a highly transportable and versatile encryption mechanism.

Lalani:
This was implemented at my company in Q4 2011 and 1000+ employees’ laptops were installed with hard drive encryption software. I feel more safe and over the time you don’t even remember that you have it on your laptop. I have not seen any adverse effect on performance due to this software on my laptop. I think this is the future for all companies who want to clear the audit process and protect them from liabilities because of lost or stolen data. Compared to the benefits that this software provides, the cost and resource to implement is low overhead.

Eric:
We encrypt all of our Windows laptops using TrueCrypt, and our Mac laptops are encrypted with FileVault (built into OS X Lion).

We’ve had several laptops lost or stolen over the past few years, and while the financial loss is undesirable, the knowledge that the information on the laptops is inaccessible is truly liberating. We can just deal with it as a smallish financial loss and move on with no other worries.

I make it a point to recommend encryption to anyone who I talk to who happens to be traveling with a laptop!

Ramani:
Do you recommend any specific commercial or open source software – to enable us to evaluate and procure?
Editor: I really don’t have any recommendations for a specific version of encryption you should consider. I have not made a detailed comparison of products, especially commercial ones.

Editor:

I have found that TrueCrypt works perfectly for my needs. Therefore, I have not looked further. Since you asked specifically about commercial products, that is a different discussion altogether. Many companies have a philosophy restricting them from open systems software. Other companies only look to Commercial Software when Open Systems do not provide necessary functionality or the project becomes stale.

I redirect you again to the work indexing different products on Wikipedia.

Rob:
My only issue/concern with full disc encryption is how to handle backups. I do disc level backup with Norton Ghost.

Editor:

Since Norton Ghost (as I understand it and used it in the past) simply makes a copy of the binary image on the disk, encryption should make little difference when backed up or restored when executing it against an entire disk. It simply restores to the same condition as it existed when backed up, including fragmentation and encryption. I definitely can be wrong on this assumption. Don’t take this comment as authoritative.

If you have experiences or comments you’d like to share then drop a note to btaylor@sswug.org.

Cheers,

Ben

