Control Break SafeBoot device encryption
By Wayne Rash, Infoworld | InfoWorld | Published: 01:00, 03 October 2005
Control Break's SafeBoot Device Encryption employs whole-disk encryption, also called power-off encryption. It encrypts a machine's hard disk and modifies the Windows master boot record so that the machine requests a log-on name and password at startup. The idea is that the data is completely inaccessible if someone turns on the machine without the proper authentication. Thus, it's protected when the power is off.
When it's turned on, of course, the material on the hard disk is decrypted, and at the mercy of worms and any other risk that gains access to the machine. PowerOn encryption products such as Credant's Mobile Guardian (reviewed last week) may be a better option.
As well as hard disks, SafeBoot will encrypt the contents of PDAs and smartphones. It supports client platforms including Windows, PocketPC, PalmOS, and Symbian. Linux support is planned for Q4 of this year.
Installing the management software
Before you can start encrypting anything, you must install the SafeBoot Management Center, along with the SafeBoot Administration Database. This latter product is a proprietary data store that keeps configuration and user information needed by the enterprise version of this product.
The setup process leads you through installing the admin server, creating groups to be managed, and finally creating users and machines. When these are created, you use the server to create an install set that's used to place the client software onto each machine.
Robust encryption process
After the client software is installed and synchronised with the server, the encryption process begins. I tested encryption on two machines, an HP D530 desktop PC with an 80 Gbyte disk drive and an IBM Z Pro Xeon workstation with a 72 Gbyte drive. Encryption took about two hours on the HP.
On the IBM, because there was an incompatibility between the SafeBoot encryption software and IBM's LSI SCSI controller drivers, the Z Pro restarted several times during the encryption process. Fortunately, the SafeBoot encryption process is extremely robust, and it was able to recover from these restarts and eventually complete the encryption process. Additional testing on a different system showed that, although SafeBoot operates more slowly on SCSI-based machines, the reset problem seems to be unique to IBM's implementation of LSI's SCSI controller on the Z Pro.
Although the time for encryption is lengthy, the productivity hit is smaller than you might expect. The machine can still be used during the process, although disk-intensive activities may be slowed somewhat. The processor load is minimal, however, so many users are unlikely to notice much of an impact.
An additional product could solve the power-on problem
SafeBoot can be set up so that a screensaver will launch after periods of inactivity. Getting back into the machine requires logging on with a user name and password. A risk remains, however, that someone can gain remote access to the machine - and the information that should be protected - while it's in use. SafeBoot's Content Encryption product, designed to work with SafeBoot Device Encryption, would solve this problem, but that product was not made available for this review.
Good protection from theft
This product provides good protection for mobile devices where the primary risk is loss or theft. Unauthorised users aren't likely to be able to do anything with a device equipped with SafeBoot unless they know the user name and password. Likewise, given a reasonable level of security precautions such as a personal firewall and use of the SafeBoot screensaver, the risk of unauthorised access is reduced. Without a separate product, however, admin staff can still gain unauthorised access to view the material contained in the machine, so some risk remains.
Whole-disk encryption products should never be installed by themselves except perhaps on machines that will rarely, if ever, be attached to your network. In that case, they should also be equipped with their respective content encryption packages, but those add cost and complexity. If you must use a whole-disk encryption package because of your corporate policy or your lawyers, then the better choice is SafeBoot.