A close shave with TrueCrypt

We have a number of consultants in my company who assist our customers with the implementation of our software products. As the job requires them to be out of the office and on site with the customer much of the time, the consultants have all been issued laptops.

Of course, for the security of the data and because of the UK’s data protection legislation, all the laptops have full-disk encryption. The solution chosen by one of my predecessors was the open source encryption software TrueCrypt.

I love TrueCrypt and use it at home, but I had never used it in an enterprise environment; in my previous job I used Symantec PGP Whole Disk Encryption and found that it worked very well. There is a major downside to using TrueCrypt in a business: it has no key management facility, which means a user who forgets their passphrase is a serious problem.

Ordinarily this wouldn’t be an issue, as I have found my colleagues to be intelligent and not at all prone to forgetting passwords. I honestly have only needed to reset a domain password in Active Directory twice since I started with the company in January, and I’m pretty sure that one of those was down to a replication issue between domain controllers.

In this case, however, it was not a failure of memory but a lost Yubikey that prevented my colleague from accessing his laptop. Unfortunately he had lost his car and house keys along with it, but only the Yubikey was my problem, though I did sympathize with his plight.

The Yubikey is a great little device that slots into a USB socket and, at the touch of a button, sends a stream of random-looking characters to the computer; programmed with a static password, it provides a very secure way of logging into a laptop secured by TrueCrypt. So secure, in fact, that there was literally nothing I could do to help regain access to the laptop. As a long shot I even emailed my predecessor to see if he had by chance copied the static password to a text file hidden away somewhere on the network. To no avail.

Then, luckily, the keys turned up! Through a bizarre mix-up of bags that I thought only ever happened in comedy films, they had ended up in someone else’s bag.

A close shave, but it has made me realize that in the absence of a true key management system we need some way of keeping track of staff members’ TrueCrypt passwords. We already use Password Safe to manage the myriad passwords for our IT infrastructure, so why not add these too? It is probably a good opportunity for me to audit the complexity of people’s passwords as well.
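As an added example of the complexity audit mentioned above (this is not code from the original post, nor from TrueCrypt or Password Safe): a small Python script that scores each recorded passphrase with an upper-bound entropy estimate. A string made only of modhex characters, the 16-letter alphabet a Yubikey static password uses by default, is scored at 4 bits per position, which is what someone who recognises the format would face. The 80-bit threshold, the user names and the sample passphrases are assumptions constructed for the example, not real credentials or a TrueCrypt rule.

```python
"""Strength audit for passphrases exported from a password store (added example).

Assumptions: the store has been exported to a plain user -> passphrase mapping,
and MINIMUM_BITS is a local policy choice, not anything TrueCrypt enforces.
"""
import math
import string

# Yubico's modhex alphabet: a Yubikey static password is emitted from these 16
# characters by default, so anyone who recognises the format only has to cover
# 16^n candidates rather than 95^n.
MODHEX = set("cbdefghijklnrtuv")

# Policy threshold for a full-disk-encryption passphrase (assumption for this example).
MINIMUM_BITS = 80


def alphabet_size(passphrase: str) -> int:
    """Size of the smallest character set that plausibly covers the passphrase."""
    chars = set(passphrase)
    if chars and chars <= MODHEX:
        return len(MODHEX)  # 4 bits per character
    size = 0
    covered = set()
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
        (" ", 1),
    )
    for members, weight in classes:
        if chars & set(members):
            size += weight
            covered |= set(members)
    # Characters outside the ASCII classes (accented letters etc.) add one symbol each.
    size += len(chars - covered)
    return size


def entropy_bits(passphrase: str) -> float:
    """Upper-bound entropy: length * log2(alphabet size).

    Repeated characters or dictionary words make the real strength lower,
    never higher, so this estimate is only useful for catching weak entries.
    """
    if not passphrase:
        return 0.0
    return len(passphrase) * math.log2(alphabet_size(passphrase))


def audit(entries: dict, minimum_bits: float = MINIMUM_BITS) -> list:
    """Return (user, bits, verdict) for every entry; verdict is 'ok' or 'weak'."""
    results = []
    for user, passphrase in entries.items():
        bits = entropy_bits(passphrase)
        verdict = "ok" if bits >= minimum_bits else "weak"
        results.append((user, round(bits, 1), verdict))
    return results


# Constructed sample export: fictional users and passphrases, not real credentials.
SAMPLE_ENTRIES = {
    "consultant-a": "cbdefghijklnrtuvcbdefghijklnrtuv",  # 32-char modhex, Yubikey-style
    "consultant-b": "password",                          # dictionary word
    "consultant-c": "Tr0ub4dor&3",                       # mixed classes but short
}

if __name__ == "__main__":
    for user, bits, verdict in audit(SAMPLE_ENTRIES):
        print(f"{user:14s} {bits:6.1f} bits  {verdict}")
```

Run it against a plain export of the store and review the "weak" rows; the modhex entry scores 128 bits while the two human-chosen passphrases fall well under the threshold, which is the kind of gap such an audit is meant to surface.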