Redmond Roundup

Encrypt Your Drives and Protect Your Data

Microsoft, Check Point and McAfee provide three whole-disk encryption options; we examine each and choose the best of the bunch.

Data is increasingly mobile. More and more, laptops outnumber deskbound PCs. With laptops, people can work from home, often dramatically extending their day. But that mobility comes with a price. Laptops and portable hard drives -- which often hold customer information, confidential business documents or other classified data -- are easily lost or stolen.

While many tools can help, we'll zoom in on three products that encrypt data and protect it from unauthorized access: Microsoft BitLocker, Check Point Full Disk Encryption and McAfee Endpoint Encryption.

Windows BitLocker is a drive-encryption feature built into Windows Vista Enterprise, Vista Ultimate, Windows Server 2008 and the still-to-come Windows 7 Enterprise and Windows 7 Ultimate. BitLocker data encryption protects data from theft or compromise and provides secure data deletion options on BitLocker-encrypted volumes.

BitLocker can rely on a trusted platform module (TPM) chip for integrity checking and authentication of hardware components before allowing a BitLocker-encrypted system to boot up or decrypt the data. The TPM also serves as a secure storage location for BitLocker encryption keys.

The original BitLocker encrypted only the operating system volume. With Windows Server 2008 and Vista with Service Pack 1 (SP1), you can encrypt additional fixed volumes as long as you first apply BitLocker encryption to the OS volume. In the upcoming Windows 7, Microsoft added the ability to encrypt data on removable drives and USB storage devices. For this review, we only deal with the OSes that are currently available.

BitLocker excelled in installation and administration because it's a built-in function of Windows and is managed by Active Directory and Group Policy. However, I found laptops with TPM chips and TPM-compatible BIOS aren't as common as I thought. I had to modify the BitLocker configuration in Group Policy to allow users to store BitLocker keys on a USB flash drive in order to encrypt the data. It works, but it's not as secure as doing it with the TPM, and the logon process is cumbersome with the addition of the USB flash drive.

The plus points for Windows BitLocker for data encryption are:

  • No additional cost; it's a built-in feature of the Vista, Windows Server 2008 and, soon, the Windows 7 OSes
  • Can be managed and configured via Group Policy
  • Recovery keys can be automatically stored in AD
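The checks an administrator would want after rolling out BitLocker the way described above, as an added PowerShell example that is not part of the review: per fixed volume, is protection on, is a TPM protector in use or only a USB startup key (the weaker setup the author had to allow), and does a recovery password exist that can be escrowed to Active Directory. It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later, so newer than the OSes reviewed), an elevated prompt, a domain-joined machine for the AD backup, and that the "allow BitLocker without a compatible TPM" policy is stored as the FVE registry value EnableBDEWithNoTPM.

```powershell
# Added audit script (not from the review). Assumes the BitLocker module,
# an elevated session and, for -BackupToAD, a domain-joined machine.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # where Group Policy writes BitLocker settings

function Get-BitLockerPosture {
    param([switch]$BackupToAD)   # when set, escrow every recovery password protector to AD

    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    # Assumed policy value name: 1 means "BitLocker without a compatible TPM" is allowed
    $noTpmAllowed = (Get-ItemProperty -Path $FvePolicyKey -ErrorAction SilentlyContinue).EnableBDEWithNoTPM -eq 1

    foreach ($vol in Get-BitLockerVolume | Where-Object { $_.VolumeType -in 'OperatingSystem', 'Data' }) {
        $types    = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }
        $hasTpm   = [bool]($types -match '^Tpm')          # Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey
        $usbOnly  = ($types -contains 'ExternalKey') -and -not $hasTpm
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        $finding = [ordered]@{
            Volume         = $vol.MountPoint
            Encrypted      = ($vol.VolumeStatus -eq 'FullyEncrypted')
            ProtectionOn   = ($vol.ProtectionStatus -eq 'On')
            TpmPresent     = [bool]($tpm -and $tpm.TpmPresent)
            TpmProtector   = $hasTpm
            UsbKeyOnly     = $usbOnly            # startup key on USB with no TPM binding
            NoTpmPolicySet = $noTpmAllowed
            RecoveryCount  = $recovery.Count     # 0 means no recovery password to escrow
            BackedUpToAD   = $false
        }

        if ($BackupToAD -and $recovery.Count -gt 0) {
            foreach ($rp in $recovery) {
                # Writes the recovery password to the computer object in AD (needs the AD schema/policy for it)
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
            }
            $finding.BackedUpToAD = $true
        }
        [pscustomobject]$finding
    }
}

Get-BitLockerPosture | Format-Table -AutoSize
```

Run with `Get-BitLockerPosture -BackupToAD` to escrow recovery passwords; a row with UsbKeyOnly = True is a machine still relying on the USB startup key instead of the TPM.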

Check Point Full Disk Encryption
Check Point acquired Pointsec and developed the Pointsec disk-encryption product into Check Point Full Disk Encryption (FDE). I have a fair amount of hands-on experience with the core features of the Check Point FDE solution.

Check Point FDE does have centralized management, but the centralized management is through a proprietary interface. For networks built on Windows that rely on AD and Group Policy for centralized administration, this means becoming familiar with and maintaining a separate environment for disk encryption.

Check Point FDE brings a number of notable functions to the table that could make it worthwhile for some organizations. For example, single sign-on capability reduces the number of usernames and passwords users need to remember. For an even more seamless user experience, Check Point FDE has Windows Integrated Login. This integrates Check Point FDE with the default Windows log-in so the user doesn't have to learn anything new to log in.

There are two areas where Check Point FDE shines. First, it's the only product of the three I reviewed that provides disk encryption for platforms outside of Microsoft Windows. In addition to protecting legacy Windows systems not covered by BitLocker, Check Point FDE encrypts data on Linux and Mac OS X systems.

Check Point FDE excels in its support of already-encrypted systems. Administrators can always access company data without users sharing or compromising their credentials.

Bottom line, Check Point FDE is very flexible in unlocking and recovering data. Here are some stand-out Check Point FDE features:

  • Encrypts Linux and Mac OS X systems in addition to Windows
  • Web-based help-desk support tool
  • Self-help tools let users reset or unlock systems on their own
  • Ability to establish and maintain security policies
  • One-time log-on and service accounts for support scenarios

McAfee Endpoint Encryption
One of the first things that separates McAfee from the other products reviewed here: McAfee has comprehensive data-encryption options that are available as separate components. While this review is focused only on McAfee Endpoint Encryption for PC, McAfee also has optional protection for files and folders, virtual disks, mobile devices, removable media and USB drives.

McAfee Endpoint Encryption protects data on a broader range of Windows OSes than BitLocker. Like Check Point FDE, McAfee's product also protects Windows 2000, Windows XP and Windows Server 2003 systems.

Depending on the organization, one critical piece of McAfee's solution can be seen as either a disadvantage or advantage. McAfee Endpoint Encryption provides exceptional, centralized administration capabilities, but it does so through McAfee ePolicy Orchestrator (ePO). Organizations that already use McAfee ePO for other network and endpoint security work may see this as a significant advantage. Companies that rely on Symantec or other vendors for their broader computer-security concerns, on the other hand, may not like running ePO alongside those products.

McAfee can develop and enforce security policies through ePO as well. The monitoring and reporting features of McAfee ePO let administrators easily keep tabs on the encryption status of devices and maintain demonstrable proof of compliance. With McAfee Endpoint Encryption, I can allow or deny access to encrypted data for individual users or groups of users. I appreciate the ability to encrypt or decrypt data on endpoints without impacting the user's productivity.

Here are some key features of McAfee Endpoint Encryption:

  • Ability to select from industry-leading encryption algorithms including AES-256 and RC5-1024
  • Centralized administration provided through McAfee ePO
  • Tight integration with other McAfee security products
  • Optional components extend encryption to mobile devices, virtual disks, files and folders, removable media and USB storage devices

Ratings: BitLocker vs. Check Point Full Disk Encryption vs. McAfee Endpoint Encryption
Criteria (each weighted 20%): Installation, Features, Ease of use, Administration, Documentation
Overall Rating:

Key: 1: Virtually inoperable or nonexistent  5: Average, performs adequately   10: Exceptional

And the Winner Is ...
All three products provide adequate protection for sensitive and confidential data on laptops. McAfee and Check Point have optional components to expand the encryption functionality, but this discussion is focused on the core disk-encryption component.

Check Point Media Encryption provides data protection on USB and removable media. McAfee Endpoint Encryption includes an entire suite of tools to protect data on mobile devices, removable media, virtual disks and more. Microsoft is extending BitLocker capabilities with BitLocker-to-Go, which will enable BitLocker to encrypt USB and removable media in Windows 7.

For organizations that use Windows, BitLocker makes a compelling case. Check Point and McAfee have their benefits, but it's difficult to wrap one's head around investing money in a third-party product that does essentially the same thing as a built-in Windows feature.

Remember that BitLocker encryption is only for Vista, Windows Server 2008 and the upcoming Windows 7. If you have older Windows systems, BitLocker won't do the trick. Both McAfee and Check Point provide data encryption for XP, Windows 2000, Windows Server 2003 and Vista, but so far they don't protect Windows Server 2008 systems.

If you need a disk-encryption solution that works in heterogeneous infrastructures, you'll have to see if the Check Point solution is right for you.


Windows BitLocker

Built into Windows Vista and Windows Server 2008
Microsoft

Check Point Full Disk Encryption

$87.97 per license for a purchase of 11 licenses
Check Point Software Technologies Ltd.

McAfee Endpoint Encryption

$80 per license, minimum purchase of 11 licenses required
McAfee Inc.

About the Author

Tony Bradley, CISSP, Microsoft MVP, is the founder and president of, providing expertise, training and written content in the areas of information technology and security and unified communications. Bradley has worked in information security since 2002, driving security policies and technologies for endpoint security and incident response for Fortune 500 companies.
