Feeds

PGP disk encrypt approved by MoD for military use

Good enough for personal data, not for missile codes

Next gen security for virtualised datacentres

The UK MoD has certified PGP Corporation's whole disk encryption technology as suitable for use on British military computers. However, like most software-only solutions, it has been approved only for machines holding fairly low-level information.

PGP Whole Disk Encryption had previously passed the UK government's baseline approval process run by the CESG, but has now been certified by the Defence INFOSEC Product Co-operation Group (DIPCOG) forum as approved for use in MoD and military systems. However a disk protected solely by PGP encryption is only allowed to have RESTRICTED (Impact Level 3) information on it.

The British protective markings run from UNCLAS (Impact Level 1-2) to RESTRICTED (Impact Level 3) through CONFIDENTIAL (4), SECRET (5) and TOP SECRET (6).

There are some security products already on the UK market certified to higher levels, for instance Flagstone Enhanced rated for TOP SECRET information - but this requires replacement of a laptop's hard disk with special hardware, which would be overkill for most users. Microsoft's BitLocker, included in some versions of its later operating systems, is (like PGP) only OK'd for RESTRICTED.

According to an MoD statement:

The DIPCOG is pleased to be working again with PGP Corporation, in order to exploit its famous capabilities for information security, and is looking forward to reviewing further [baseline CESG] approved products for adoption by the MoD.

This doesn't mean that PGP isn't any good. The MoD and its advisers from the intelligence community, rightly or wrongly, consider that government information from CONFIDENTIAL upwards might be a target for sophisticated nation-state spy organisations employing highly exotic attacks to get around disk encryption. Thus most security products using normal hardware tend to be limited to RESTRICTED.

But things which in many organisations would be seen as crown jewels - people's personal details, for instance - are classified RESTRICTED in the MoD (albeit usually with an added caveat, eg RESTRICTED STAFF or RESTRICTED MEDICAL, it's still only Level 3). Level 6 is stuff like the planned patrol area of Blighty's nuclear missile submarines.

Unless you think that the Russian FSB are going to lift your crypto keys right out of your RAM using a miracle Tempest probe from the next hotel room or something, PGP and similar solutions should be quite good enough. Arguably the MoD security apparat is being overly paranoid anyway - experience suggests that in fact nothing terribly interesting is normally to be found in MoD files even at the SECRET level, let alone CONFIDENTIAL, and maybe they could relax a bit. ®

The essential guide to IT transformation

More from The Register

next story
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
KER-CHING! CryptoWall ransomware scam rakes in $1 MEEELLION
Anatomy of the net's most destructive ransomware threat
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
prev story

Whitepapers

Top 10 endpoint backup mistakes
Avoid the ten endpoint backup mistakes to ensure that your critical corporate data is protected and end user productivity is improved.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up distributed data
Eliminating the redundant use of bandwidth and storage capacity and application consolidation in the modern data center.
The essential guide to IT transformation
ServiceNow discusses three IT transformations that can help CIOs automate IT services to transform IT and the enterprise
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.