I will soon be purchasing a number of laptops running Windows 7 for our mobile staff. Due to the nature of our business I will need drive encryption. Windows BitLocker seems the obvious choice, but it looks like I need to purchase either Windows 7 Enterprise or Ultimate editions to get it. Can anyone offer suggestions on the best course of action:
a) Use BitLocker, bite the bullet and pay to upgrade to Enterprise/Ultimate
b) Pay for another 3rd party drive encryption product that is cheaper (suggestions appreciated)
c) Use a free drive encryption product such as TrueCrypt
Ideally I am also interested in 'real world' experience from people who are using drive encryption software and any pitfalls to look out for.
Many thanks in advance...
UPDATE
Decided to go with TrueCrypt for the following reasons:
a) The product has a good track record
b) I am not managing a large quantity of laptops so integration with Active Directory, management consoles etc. is not a huge benefit
c) Although eks did make a good point about Evil Maid (EM) attacks, our data is not that desirable to consider it a major factor
d) The cost (free) is a big plus but not the primary motivator
The next problem I face is that imaging encrypted drives (Acronis/Ghost/...) will not work unless I perform sector-by-sector imaging. That means an 80 GB encrypted partition creates an 80 GB image file :(
Truecrypt : http://www.truecrypt.org/
will encrypt mobile, internal drives completely, you can even encrypt the whole system partition on the fly and then set a boot loader password - gives you more security on laptops.
and it's open source - free.
http://4sysops.com/archives/system-drive-encryption-truecrypt-5-vs-bitlocker/
BitLocker is good too, but due to budget I would suggest using TrueCrypt.
With Evil Maid (EM) attack tools now available for TrueCrypt, I'd go for BitLocker if I had the budget, because EM-like attacks are much more complicated, and it integrates better with AD etc. as Oskar Duveborn stated.
I suggest you read the articles of Joanna Rutkowska on both products:
http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html
http://theinvisiblethings.blogspot.com/2009/01/why-do-i-miss-microsoft-bitlocker.html
But if you're sure that your coworkers will always take good care of their laptops - with safety case and all, you can go for TrueCrypt.
Side notes
Remember that full-disk encryption won't protect your data from inside [the OS], e.g. if your computer gets corrupted by a virus while running.
Remember that technical solutions are just a part of the security chain (see http://xkcd.com/538/ for details).
Edit (01-20-2010)
Additional details about BitLocker and EM attacks:
Note that BitLocker will be more resilient than TrueCrypt only if used on a TPM-enabled computer.
There are ways of defeating BitLocker+TPM (article, paper) but no public tools available AFAIK. So while BitLocker is more resilient to opportunistic EM attacks (it takes more to re-develop a spoofed user interaction screen for BitLocker than just copying the EM tool for TrueCrypt onto a USB key), it's not 100% bulletproof (no solution is).
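The point above only holds when BitLocker is actually bound to a TPM, so it is worth verifying that on each laptop before handing it out. The following script is an added example, not code from the thread or from Microsoft; it assumes an administrative PowerShell 2.0 session on a Windows 7 Enterprise/Ultimate machine, and the WMI classes Win32_Tpm (namespace root\CIMV2\Security\MicrosoftTpm) and Win32_EncryptableVolume (namespace root\CIMV2\Security\MicrosoftVolumeEncryption). It reports whether a TPM is present, enabled, activated and owned, and which key-protector types guard the OS volume; a volume protected only by a numerical password or external key does not get the TPM-measured-boot resilience discussed above.

```powershell
# Added example: audit TPM state and BitLocker key protectors on the OS volume.
# Assumes: run as administrator; Win32_Tpm and Win32_EncryptableVolume WMI
# classes are available (Windows 7 Enterprise/Ultimate); drive letter C: is the
# system drive (assumption, adjust $OsDrive if needed).
$OsDrive = 'C:'

# --- 1. TPM presence and state -------------------------------------------
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if ($tpm -eq $null) {
    Write-Output 'No TPM found. BitLocker can still be used with a USB startup key,'
    Write-Output 'but it will not be more resilient to pre-boot tampering than TrueCrypt.'
} else {
    # Each Is* method returns an object carrying a boolean property of the same name.
    $enabled   = $tpm.IsEnabled().IsEnabled
    $activated = $tpm.IsActivated().IsActivated
    $owned     = $tpm.IsOwned().IsOwned
    Write-Output ('TPM present: enabled={0} activated={1} owned={2}' -f $enabled, $activated, $owned)
    if (-not ($enabled -and $activated -and $owned)) {
        Write-Output 'TPM is not fully initialised; enable/activate it in the BIOS and take ownership before enabling BitLocker.'
    }
}

# --- 2. BitLocker status and key protectors on the OS volume ---------------
$vol = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -Class Win32_EncryptableVolume -Filter "DriveLetter='$OsDrive'"
if ($vol -eq $null) {
    Write-Output "Volume $OsDrive not found or BitLocker components not installed."
    return
}

# ProtectionStatus: 0 = off, 1 = on, 2 = unknown
$status = $vol.GetProtectionStatus().ProtectionStatus
Write-Output ('BitLocker protection on {0}: {1}' -f $OsDrive, @{0='OFF';1='ON';2='UNKNOWN'}[[int]$status])

# Key protector type codes documented for Win32_EncryptableVolume:
$typeNames = @{
    0 = 'Unknown'; 1 = 'TPM'; 2 = 'External key (USB)'; 3 = 'Numerical password (recovery)'
    4 = 'TPM + PIN'; 5 = 'TPM + startup key'; 6 = 'TPM + PIN + startup key'
    7 = 'Public key'; 8 = 'Passphrase'; 9 = 'TPM certificate'; 10 = 'CNG'
}
$tpmBound = $false
# GetKeyProtectors(0) returns the IDs of all protectors regardless of type.
foreach ($id in $vol.GetKeyProtectors(0).VolumeKeyProtectorID) {
    $t = [int]$vol.GetKeyProtectorType($id).KeyProtectorType
    Write-Output ('  protector {0}: {1}' -f $id, $typeNames[$t])
    if ($t -in 1,4,5,6) { $tpmBound = $true }
}
if (-not $tpmBound) {
    Write-Output 'No TPM-based protector: this volume is not getting the TPM resilience described above.'
}
```

Note that the `-in` operator requires PowerShell 3.0; on a stock Windows 7 PowerShell 2.0 host replace it with `(1,4,5,6) -contains $t`. The same information is available interactively from `manage-bde -status` and `manage-bde -protectors -get C:`, which is handy when checking a single machine by hand.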
While TrueCrypt is appropriate for a small office / home office scenario, there are many reasons to go for a paid solution in a larger business:
I'm currently reviewing a couple of 3rd-party solutions, McAfee Total Protection for Data (formerly known as SafeBoot), and Symantec Endpoint Encryption.
One reason I did not look into BitLocker is that I have several machines already on Vista Business and I did not want to upgrade / re-provision them.
I also looked into the PGP solution but it requires a dedicated server or certified virtual server solution to manage the software and this was too much complexity for my scenario.
Word of advice. I've just found out that the TrueCrypt license contains a legal "trap" that allows them to sue any user of the software, even if the user is following 100% of the license terms.
http://lists.freedesktop.org/archives/distributions/2008-October/000276.html
They were informed about it a long time ago by Fedora and did not fix it in the current version, so it seems to me it is in fact a deliberate trap.
No issues with TrueCrypt whatsoever, as long as you follow the steps on their website for the different levels of encryption.
As far as BitLocker goes, as Oskar has already mentioned, it will be easier to manage - but if due to cost you can't go up to BitLocker you can always use TrueCrypt - very good.
PGP has a good encryption product for me. You can try it. It provides multiple encryption solutions and supports all versions of Windows 7.
To answer the second part of your question, Microsoft have variously claimed a CPU overhead of 5-6% for workstations/notebooks and 10-15% for servers with BitLocker. Performance impact on the HDD depends on how powerful your CPU is; for most current-gen notebook/desktop CPUs and drive systems the impact is not noticeable. I've run similar systems with and without BitLocker and this has definitely been my experience.
However this is dependent on the platform - Alexander Weiß at 4sysops did some performance comparisons and found a 29% to 50% reduction in sequential HDD transfer rate for an Atom-powered netbook; this is entirely due to the weaknesses of the low-power netbook CPU. Similar reductions are likely if you have an insanely fast SSD - the higher data rates will put a much more severe load on the CPU.
Just run the backup from the running machine so you will have an unencrypted image. Acronis should be able to do it if I'm not wrong. If you still need security for the image too, you can put it in the safe or on an encrypted server disk. I would go with unencrypted backups for the data because I like failsafe backups.
If quick restore of the system is needed, you will probably not get around imaging the encrypted drive.
Whole-disk encryption is probably not what you want. If you sign in to your computer, whole-disk encryption simply decrypts everything... at that time. Meaning any malware has access to everything the moment you sign in.
A more granular, reactive file-level encryption might be helpful.
Disclosure: I work for a file-level encryption company, not going to recommend a particular solution, but I do advise looking into alternatives to whole-disk.