Although it’s very difficult for a non-expert to judge the relative security of the various encryption products available for laptops, you can safely assume that any you’re considering are secure enough for most laptop applications. (For really, really critical information, you need the advice of an expert to select the right product for your needs.) The real differences between the products are in the auxiliary parts, such as key management, ease of use, and general bells and whistles. There’s a good bit of difference in these areas, and you’ll probably end up making your choice based on those factors.
Like any security measure, laptop encryption must be applied intelligently to be effective. Among other things, this means that keys must be kept secure (preferably physically away from the computer except when in use), passwords are properly chosen and protected, and no unencrypted copies of protected files are kept on the computer.
With laptops, one of the most common faux pas is to keep written copies of the passwords, copies of the keys, and security devices such as USB drives in the case with the machine. That approach is convenient for the user, but it’s also convenient for any thief who snags the computer in its case.
Of course, bad guys aren’t the only ones who get locked out by encryption. If the encryption key is lost, no one can get access to the disk. Therefore, any encryption needs a system of key management.
Key management should include keeping the keys secure. It should also include making and keeping backup keys that can be used to unlock the computer in the event of a problem. The backup key can be a copy of the original key, or it can be a separate "administrator’s key" that can unlock the disk when the original key isn’t available. In fact, it’s a good idea for the enterprise to have two separate key management accounts (suitably protected), to be sure that keys can be recovered if needed.
Windows EFS provides an elaborate key-management system that includes a separate key for a Data Recovery Authority (usually a special administrator account). It requires that a data-recovery policy, including a designated Data Recovery Authority, be in place before EFS is enabled.
A number of encryption products, such as PGP’s Whole Disk series, support two-factor authentication, using an external token such as a smartcard or a flash drive in addition to—in some cases, in place of—a password. By keeping the token separate from the computer, preferably on his or her person, the user provides an additional level of security for the system.
Some other encryption tools, such as Windows EFS and Seagate’s Momentus FDE, also support biometric identification schemes such as fingerprint readers. However, these are almost always third-party add-ons. In the case of EFS, Microsoft provides an API and the hooks to allow third-party vendors to write biometric or other authentication applications and connect them into EFS.
Be Sure to Test the Product
Theoretically, Windows encryption products should work with any Windows applications on any Windows system. But if it doesn’t work with your particular combination, your data may be irretrievably lost. For that reason, you should take the time to test a product thoroughly before rolling it out in your organization. Be especially sure that files will decrypt properly and that keys are securely handled and recoverable.