However, if a lost device is powered up and logged in, a TPM provides zero protection. An interloper can simply dump the data off the hard drive in the clear using ordinary file copies. Thus, it's essential that TPM-protected systems have noncircumventable log-in timeouts using administrator-protected settings.
To achieve the ultimate in full disk encryption protection requires hardware-enabled encryption on board the hard drive. Drive-based encryption closes all of TPM's loopholes, since the encryption key is no longer stored in OS-accessible memory. Hardware-based full disk encryption also eliminates the performance penalty incurred by software-based full disk encryption, although with today's fast, processors, that software encryption overhead is not noticeable to most users.
The cost for TPM protection starts at zero for Microsoft's BitLocker, which is built into Vista Enterprise and Ultimate, Windows Server 2008, and the forthcoming Windows 7. Major laptop manufacturers also sell software bundles that enable TPM in any Windows version, including XP, such as Wave's Embassy Trust Suite and McAfee's SafeBoot. The advantage of bundled software is sole-source support and pre-tested configurations.
You can also roll your own software protection using stand-alone packages such as PGP Whole Disk Encryption.
All these products support a wide range of enterprise-class management tools that let you enforce uniform policies and centrally store encryption keys, including special data-recovery keys that solve the problem of lost passwords and prevent employees from locking employers out of their hard drives.
If you can't do TPM, here's your plan B for encryption
Although the deployment of TPM-based full description is ideal, you may count the cost of full disk encryption and come up short-funded, especially if you just refreshed your enterprise laptops with non-TPM models. Forklifting your entire laptop population is an undeniably expensive proposition, as is replacing the non-TPM laptops if your company has a mix of TPM and non-TPM laptops. If you can't go all TPM, there's a plan B that can give you much of the encryption benefits you need.
You might think that plan B involves partial disk encryption, typically deployed by designating specific folders on a laptop as encrypted; as files are moved into that folder, they are automatically encrypted. Apple and Microsoft have long offered this form of encryption, via FileVault on the Mac and the Encrypted File System tools in Windows XP and Vista. But this approach has a major flaw: It depends on users to properly store sensitive data only in encrypted form.
A variation of folder-level encryption is virtual disk encryption (VDE), in which a single disk file contains a virtual disk image that the user can mount when needed; this virtual disk collects all sensitive files in one location. Microsoft's BitLocker offers this feature in all Vista editions, as well as in Windows Server 2008 and Windows XP. Third-party products such as PGPDisk and even free open source software programs such as TrueCrypt have VDE capabilities. Many of these third-party utilities are easier to use than BitLocker, so they can save you some implementation expense.