Feeds

PGP disk encrypt approved by MoD for military use

Good enough for personal data, not for missile codes

Using blade systems to cut costs and sharpen efficiencies

The UK MoD has certified PGP Corporation's whole disk encryption technology as suitable for use on British military computers. However, like most software-only solutions, it has been approved only for machines holding fairly low-level information.

PGP Whole Disk Encryption had previously passed the UK government's baseline approval process run by the CESG, but has now been certified by the Defence INFOSEC Product Co-operation Group (DIPCOG) forum as approved for use in MoD and military systems. However a disk protected solely by PGP encryption is only allowed to have RESTRICTED (Impact Level 3) information on it.

The British protective markings run from UNCLAS (Impact Level 1-2) to RESTRICTED (Impact Level 3) through CONFIDENTIAL (4), SECRET (5) and TOP SECRET (6).

There are some security products already on the UK market certified to higher levels, for instance Flagstone Enhanced rated for TOP SECRET information - but this requires replacement of a laptop's hard disk with special hardware, which would be overkill for most users. Microsoft's BitLocker, included in some versions of its later operating systems, is (like PGP) only OK'd for RESTRICTED.

According to an MoD statement:

The DIPCOG is pleased to be working again with PGP Corporation, in order to exploit its famous capabilities for information security, and is looking forward to reviewing further [baseline CESG] approved products for adoption by the MoD.

This doesn't mean that PGP isn't any good. The MoD and its advisers from the intelligence community, rightly or wrongly, consider that government information from CONFIDENTIAL upwards might be a target for sophisticated nation-state spy organisations employing highly exotic attacks to get around disk encryption. Thus most security products using normal hardware tend to be limited to RESTRICTED.

But things which in many organisations would be seen as crown jewels - people's personal details, for instance - are classified RESTRICTED in the MoD (albeit usually with an added caveat, eg RESTRICTED STAFF or RESTRICTED MEDICAL, it's still only Level 3). Level 6 is stuff like the planned patrol area of Blighty's nuclear missile submarines.

Unless you think that the Russian FSB are going to lift your crypto keys right out of your RAM using a miracle Tempest probe from the next hotel room or something, PGP and similar solutions should be quite good enough. Arguably the MoD security apparat is being overly paranoid anyway - experience suggests that in fact nothing terribly interesting is normally to be found in MoD files even at the SECRET level, let alone CONFIDENTIAL, and maybe they could relax a bit. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
Yorkshire cops fail to grasp principle behind BT Fon Wi-Fi network
'Prevent people that are passing by to hook up to your network', pleads plod
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Attackers raid SWISS BANKS with DNS and malware bombs
'Retefe' trojan uses clever spin on old attacks to grant total control of bank accounts
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.