The cost for TPM protection starts at zero for Microsoft's BitLocker, which is built into Vista Enterprise and Ultimate, Windows Server 2008, and the forthcoming Windows 7. Major laptop manufacturers also sell software bundles that enable TPM in any Windows version, including XP, such as Wave's Embassy Trust Suite and McAfee's SafeBoot. The advantage of bundled software is sole-source support and pre-tested configurations.
You can also roll your own software protection using stand-alone packages such as PGP Whole Disk Encryption.
All these products support a wide range of enterprise-class management tools that let you enforce uniform policies and centrally store encryption keys, including special data-recovery keys that solve the problem of lost passwords and prevent employees from locking employers out of their hard drives.
If you can't do TPM, here's your plan B for encryption
Although the deployment of TPM-based full description is ideal, you may count the cost of full disk encryption and come up short-funded, especially if you just refreshed your enterprise laptops with non-TPM models. Forklifting your entire laptop population is an undeniably expensive proposition, as is replacing the non-TPM laptops if your company has a mix of TPM and non-TPM laptops. If you can't go all TPM, there's a plan B that can give you much of the encryption benefits you need.
You might think that plan B involves partial disk encryption, typically deployed by designating specific folders on a laptop as encrypted; as files are moved into that folder, they are automatically encrypted. Apple and Microsoft have long offered this form of encryption, via FileVault on the Mac and the Encrypted File System tools in Windows XP and Vista. But this approach has a major flaw: It depends on users to properly store sensitive data only in encrypted form.
A variation of folder-level encryption is virtual disk encryption (VDE), in which a single disk file contains a virtual disk image that the user can mount when needed; this virtual disk collects all sensitive files in one location. Microsoft's BitLocker offers this feature in all Vista editions, as well as in Windows Server 2008 and Windows XP. Third-party products such as PGPDisk and even free open source software programs such as TrueCrypt have VDE capabilities. Many of these third-party utilities are easier to use than BitLocker, so they can save you some implementation expense.
Another form of partial disk encryption is to apply encryption to specific files, typically those residing on corporate servers that users want to open locally. In this approach, users must enter a password every time they open a protected file. IT not only is on the hook to ensure that all sensitive files get encrypted but also has no way to stop users from simply saving the opened file as an unencrypted copy. Still, this protection is better than nothing and is widely available via free disk utilities. But key management can be a problem, and these file-level encryption tools generally don't support multifactor authentication.