Why, TrueCrypt!
Encrypts an entire partition or storage device such as USB flash drive or hard drive.
Using TrueCrypt Without Administrator Privileges
In Windows, a user who does not have administrator privileges can use TrueCrypt, but only after a system administrator installs TrueCrypt on the system. The reason is that TrueCrypt needs a device driver to provide transparent on-the-fly encryption/decryption, and users without administrator privileges cannot install/start device drivers in Windows.
After a system administrator installs TrueCrypt on the system, users without administrator privileges will be able to run TrueCrypt, mount/dismount any type of TrueCrypt volume, load/save data from/to it, and create file-hosted TrueCrypt volumes on the system. However, users without administrator privileges cannot encrypt/format partitions, cannot create NTFS volumes, cannot install/uninstall TrueCrypt, cannot change passwords/keyfiles for TrueCrypt partitions/devices, cannot back up/restore headers of TrueCrypt partitions/devices, and they cannot run TrueCrypt in portable mode.
System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first track of the boot drive and on the TrueCrypt Rescue Disk.
Domain access is after the pre-boot login.
However, if the user needs to change the password and the employer expects to know that password, it is a matter of the employer trusting the user/employee.
When to use Truecrypt and when not to?
If one of your laptops goes missing, and you either A) have confidential data on the machine, or B) can't confirm that there is NO confidential data on the laptop, then you need some kind of encryption scheme. Of course, you (and your organization) need to decide what criteria you want to use to consider what is confidential and what isn't. I recommend you don't neglect this step; you don't want to go to all this work if it is not necessary, nor do you want to elevate your organization's equivalent of the office's cookie recipe to a level of secrecy that demands AES-256. If you've already been through the process, then you're good to go.
My concern with Truecrypt is that my users will have 2 passwords needed to login to their machines. Also, I need to choose to either have 1 password for my organization, or carefully document each machine's password (management nightmare).
The choice between using a single password for your fleet of laptops or using unique passwords on a per-machine basis depends on some questions you need to think about:
If you pick a single password, will you change it every time someone who knows it leaves employment? If not, how often will you rotate it? If you pick a unique password, you'll have increased security but increased overhead too (however you won't have to rotate the password for every laptop each time an employee leaves). How will you keep track of the password rotation scheme?
My suggestion here is to pick a permutation scheme that uses a number that physically stays with the laptop, like part of the serial number. Add something else to this that you can remember. The permutation scheme should be relatively hard to guess, but easy enough so that you can sit down at a laptop and not have to refer to documentation. This should reduce some of the management overhead. Obviously, if you need to rotate the password for a laptop, you need to pick a new permutation scheme to "generate" your password with. This could be as simple as incrementing a digit... regardless, document, document, document.
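The reply above describes deriving each laptop's pre-boot password from something that stays with the machine (part of the serial number) plus something the administrator remembers, with a counter bumped on rotation. The following is an added example, not the poster's scheme or anything shipped with TrueCrypt: it carries the same idea through with a keyed HMAC, so that the per-machine password is deterministic (no per-laptop documentation needed), yet learning one laptop's password tells a finder nothing about another's, which a human-memorable permutation of the serial cannot guarantee. ORG_SECRET, the serial numbers and the output length are constructed placeholders; the only TrueCrypt-specific assumption is that the password must be ASCII and at most 64 characters, which is why the digest is base64-encoded and truncated.

```python
import base64
import hashlib
import hmac

# Constructed placeholder for the one secret the administrator keeps (in a
# password manager or written down in a safe), never in a script on the laptop.
ORG_SECRET = b"example-org-secret-not-for-real-use"

# TrueCrypt pre-boot passwords are ASCII and at most 64 characters long.
MAX_PASSWORD_LEN = 64


def derive_laptop_password(org_secret: bytes, serial: str,
                           rotation: int = 0, length: int = 20) -> str:
    """Deterministically derive a per-machine pre-boot password.

    serial   - the public, per-device input that physically stays with the laptop
    rotation - counter bumped when this one laptop's password must change
    The organisation secret keys the HMAC, so knowing (serial, rotation) alone
    does not let anyone compute the password.
    """
    if rotation < 0:
        raise ValueError("rotation counter must be non-negative")
    if not 8 <= length <= MAX_PASSWORD_LEN:
        raise ValueError(f"length must be between 8 and {MAX_PASSWORD_LEN}")
    # Normalise the serial so a sticker read as "abc123 " and "ABC123" agree.
    msg = f"{serial.strip().upper()}|{rotation}".encode("ascii")
    digest = hmac.new(org_secret, msg, hashlib.sha256).digest()
    # URL-safe base64 uses only characters typeable at a US-layout pre-boot
    # prompt (letters, digits, '-' and '_'); drop padding and truncate.
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")[:length]


def rotate(org_secret: bytes, serial: str, current_rotation: int):
    """Return (new_rotation, new_password) for one laptop; only the counter
    for that machine needs to be recorded."""
    new_rotation = current_rotation + 1
    return new_rotation, derive_laptop_password(org_secret, serial, new_rotation)


def is_valid_truecrypt_password(pw: str) -> bool:
    """Sanity check the derived string against the ASCII/64-char constraint."""
    return 0 < len(pw) <= MAX_PASSWORD_LEN and all(32 <= ord(c) < 127 for c in pw)


if __name__ == "__main__":
    # Constructed serial numbers for the demonstration.
    for serial in ("5CG1234ABC", "5CG1234ABD"):
        pw = derive_laptop_password(ORG_SECRET, serial)
        print(f"{serial}: rotation 0 -> {pw} (valid: {is_valid_truecrypt_password(pw)})")
    rot, pw = rotate(ORG_SECRET, "5CG1234ABC", 0)
    print(f"5CG1234ABC: rotation {rot} -> {pw}")
```

Changing ORG_SECRET re-derives every laptop's password at once, which is the "rotate when someone who knows it leaves" case from the question; bumping one machine's counter handles the single-laptop case. The derived strings themselves should never be written to disk or logged, only regenerated when needed.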
In my mind, choosing between a managed and a free encryption solution is primarily based on the NUMBER of machines that will be encrypted and supported.
Total agreement here. 30 - 50 machines seems do-able here with an un-managed solution, BUT you'll want to carefully think that through before you commit to it. Try a test rig to get an idea of what kind of overhead it will require.
- From a management standpoint, what is the tipping point of users where a managed solution would pay for itself over Truecrypt?
This depends on whether you have more time or more money. :D Like I said, there are ways to reduce the overhead of an un-managed solution. The overhead may be less than you think.
2. What are some good third party solutions? (I will consider Bitlocker, but the price to upgrade Windows 7 licenses is a turn-off)
In my opinion, only Bitlocker, but only if you already have the licenses. TrueCrypt is an excellent product in my experience. The other thing to mention about Bitlocker is that you still can't get away from the password issue... I believe the official line from Microsoft is that they do NOT recommend storing the password in TPM as it is vulnerable to a cold boot attack.
From TechNet:
"The TPM-only authentication mode is easiest to deploy, manage, and use. It might also be more appropriate for computers that are unattended or must restart while unattended. However, the TPM-only mode offers the least amount of data protection. If parts of your organization have data that is considered highly sensitive on mobile computers, consider deploying BitLocker with multifactor authentication on those computers."
Additionally, the enterprise edition allows you to use AD to store "recovery keys" (presumably copies of the keyfiles required for encryption). This is a nice integrated Windows version of TrueCrypt's Rescue Disk functionality.
Best Answer
I think eCryptfs might be what you are looking for. Ubuntu has come with eCryptfs for many years, and it is very easy to enable it for home directories. For other directories it may require a bit more effort, but
man ecryptfs
should be a good starting point.