Securius Newsletter

June 18, 2002
Volume 3, Number 2

The Joys of Full Disk Encryption

By Seth Ross

Here at PC Guardian headquarters, we've had our heads down, fingers tapping away on keyboards. We've been pounding out the code and testing the heck out of it. Our latest and most important project is a hard disk encryption solution, Encryption Plus® Hard Disk (EP Hard Disk) 7.0.

EP Hard Disk 7.0 is the apex of a line of disk encryption products from PC Guardian. Our record of accomplishment in this market niche goes back to 1994. Version 7.0 is a substantial re-engineering and re-write of our current shipping product. Like its predecessors, it encrypts all the sectors on the end user's hard disk and then delivers transparent on-the-fly decryption of those sectors as they are needed by either the system or the user. Once the program is installed and a password is provided to the pre-DOS logon prompt, the user will not notice that the program is working behind the scenes, decrypting on demand and re-encrypting.

There are numerous benefits to the full-disk approach, as opposed to mere file encryption. Manual file-by-file encryption is laborious and error prone. It's all too easy for a user to leave sensitive information unprotected. Even if the user is exceptionally careful, Windows application data gets stored in numerous locations, including temporary directories and swap files. Full-disk encryption addresses the sloppiness of both users and applications: all data is encrypted, regardless of user work habits and application file storage routines.

For an excellent overview of the challenges faced in designing cryptosystems that are transparent to the user and applications, see Matt Blaze's groundbreaking 1993 paper on his Cryptographic File System[1]:

Like all PC Guardian software products, EP Hard Disk 7.0 is designed for deployment in large organizations. An administrative program provides IT personnel and/or security administrators with fine-grain control of how user disks are encrypted. Administrators can configure the user program to enforce corporate password policy, including password length and expiration, and set both start-up and logon messages. During the initial disk encryption, the program encrypts in the background and thus can be set to run "slow" (leaving resources for the user) or "fast" (optimized for encryption). Similarly, the disk encryption process is designed to recover from catastrophes like power loss, though this can be turned off in order to further speed the initial disk encryption.

Like PC Guardian's other enterprise software products, the program offers multiple recovery mechanisms. These are useful when the user forgets a password or when the user is "hit by a bus" (i.e., the company needs the data and the user is not around). The Authenti-Check(R) mechanism challenges the user to remember his or her answer to one or more personal questions. The One-Time Password recovery mechanism is built around an easy-to-use (but hard to code) challenge-response system that allows the administrator to reset a user's password during a phone call.

EP Hard Disk 7.0 uses the Rijndael cipher for data encryption and decryption, using a 256-bit key length. Rijndael is the new US Advanced Encryption Standard (AES) designed to replace DES. It was selected during an exhaustive multi-year process that involved extensive reviews by cryptographers worldwide. We are confident that Rijndael provides good security. It's also fast -- an important attribute for a cipher used for on-the-fly cryptographic operations.[2]

EP Hard Disk 7.0 is currently in beta release and is being tested by a select group of PC Guardian customers. If you are involved with computer security for large organizations, I invite you to contact us and start an evaluation of this hard disk encryption solution. Please note that this product is NOT designed for consumers or standalone PCs -- we are only able to honor requests from qualified evaluators in large organizations. This beta, like all betas, should not be run on production machines. Only Windows XP, 2000, and NT are supported at this time.

For more information about EP Hard Disk, see our product page on the web:

In order to request an evaluation copy of EP Hard Disk 7.0 Beta, please contact us via the form at


As long-time readers know, this newsletter has knocked Microsoft for the many security problems that affect its operating systems.[3] On the up side, Microsoft has released a nifty security tool that scans Windows-based computers for common security snafus: the Microsoft Baseline Security Analyzer (MBSA).

MBSA runs on Windows 2000/XP-based computers and scans for missing "hot fixes" and security vulnerabilities on Windows NT/2000/XP-based computers. MBSA generates reports for security issues in Microsoft's operating systems, Internet Information Services (IIS), SQL Server, and Internet Explorer.

If you run Windows 2000 or XP, you owe it to yourself to try this tool. It has a clean and simple graphical user interface (GUI). The program's GUI and data parsing routines are built around XML, an architecture that's likely to appear in other security programs. Not only does MSBA cite problems, but it also provides links to further information about system security. Thus, running this program is an easy and practical way to learn more about Windows 2000/XP security. If you administer a network of Windows machines, you can save a lot of shoe leather by using MBSA to remotely check many machines at once.

Subscribe to the Securius Newsletter
Please enter your email address: is a service of GuardianEdge Technologies.
Copyright © 2006 GuardianEdge. All rights reserved.
We will not share your personal information with third parties.
Nor will we contact you without your permission.