Solved supporting an office of computers with full drive encryption
-
@scottalanmiller Ok, I get that - but for real though, bitlocker can be forced to start with a password to decrypt the drive right? And it's reasonably good encryption?
-
Maybe using Citrix XenApps, Citrix XenDesktop, or VMware Horizon is another solution.
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller Ok, I get that - but for real though, bitlocker can be forced to start with a password to decrypt the drive right? And it's reasonably good encryption?
Oh sure, just not many people doing that.
-
We use Dell DDPE encryption solution. We can log into the server and tell the computer bypass the first Encryption Screen on next boot if the computer is in the office. So that is how we handle WOL scenarios.
-
@PenguinWrangler said in supporting an office of computers with full drive encryption:
We use Dell DDPE encryption solution. We can log into the server and tell the computer bypass the first Encryption Screen on next boot if the computer is in the office. So that is how we handle WOL scenarios.
That's a cool feature.
-
hmm, i have been reading through the commends and I have the following:
If its desktop or laptop, then it can be grounded (desktop are easier) with kensington cord, and if you are worried about auto decrypt on boot up and theft, then you can use TPM module header.
With those even if the Internal HDD got stolen if you used encryption software that uses the TPM it will not decrypt unless the TPM module gets stolen too, for desktops it is different location than laptops and I think it can bind with the motherboard model, note sure though.
Using desktops it is alot easier i guess going the above route.
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
-
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
-
@scottalanmiller If the user forgets password and they are out of town. They can feed you a series of numbers and letters (think windows OS Product Key length) that you plug into the server. That then generates a similar code that you feed back to them then that unlocks the encryption.
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
Good to know the corporate team is on par.......
-
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
I presume that there is data on there?
-
@PenguinWrangler said in supporting an office of computers with full drive encryption:
@scottalanmiller If the user forgets password and they are out of town. They can feed you a series of numbers and letters (think windows OS Product Key length) that you plug into the server. That then generates a similar code that you feed back to them then that unlocks the encryption.
Does each user have their own password for the drive? Is it AD integrated? Can the admin log in if the user forgets their password?
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
I presume that there is data on there?
The document I was working off of said that even if their data is web based, if they view a .pdf , the .pdf could get stored as a temp file, and that information could be confidential, so they want the drive encrypted.
-
@Mike-Davis It is all AD integrated. When they change their AD password and login then the Dell DDPE will update the PBA (Preboot Authentication screen) with their AD password.
-
@Mike-Davis One thing to note, it will not let them pass the PBA(preboot authentication screen) if their password is expired. Took some teaching, and emails to my users to change passwords when they are prompted and don't let them expire. We push out email warnings the week before and day of their password expiring. Hasn't been too much of an issue. My users seemed to adapt to that fairly well.
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
I presume that there is data on there?
The document I was working off of said that even if their data is web based, if they view a .pdf , the .pdf could get stored as a temp file, and that information could be confidential, so they want the drive encrypted.
Sure, that can happen, depending on how it is set up. But you can encrypt all user space without encrypting the OS.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
I presume that there is data on there?
All my software, and Keepass files. Encrypted SSH keys and RDP password a la MobaXterm. Yeah. There's a bit on here that I don't want folks to have access to.
And if somebody steals my office machine, they'd have to steal the UPS too... and then know the password to unlock my screen... and my desktop weighs about as much as my UPS (it's a small one), lol.
-
@dafyre said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
I presume that there is data on there?
All my software, and Keepass files. Encrypted SSH keys and RDP password a la MobaXterm. Yeah. There's a bit on here that I don't want folks to have access to.
And if somebody steals my office machine, they'd have to steal the UPS too... and then know the password to unlock my screen... and my desktop weighs about as much as my UPS (it's a small one), lol.
Nearly all of that is already encrypted, though. So those parts won't benefit from further encryption.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
I presume that there is data on there?
All my software, and Keepass files. Encrypted SSH keys and RDP password a la MobaXterm. Yeah. There's a bit on here that I don't want folks to have access to.
And if somebody steals my office machine, they'd have to steal the UPS too... and then know the password to unlock my screen... and my desktop weighs about as much as my UPS (it's a small one), lol.
Nearly all of that is already encrypted, though. So those parts won't benefit from further encryption.
Many of our laptops do have unencrypted data that would be very bad to have leaked/stolen. Never mind just having access to the email on some of our machines - yikes.
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
I presume that there is data on there?
All my software, and Keepass files. Encrypted SSH keys and RDP password a la MobaXterm. Yeah. There's a bit on here that I don't want folks to have access to.
And if somebody steals my office machine, they'd have to steal the UPS too... and then know the password to unlock my screen... and my desktop weighs about as much as my UPS (it's a small one), lol.
Nearly all of that is already encrypted, though. So those parts won't benefit from further encryption.
Many of our laptops do have unencrypted data that would be very bad to have leaked/stolen. Never mind just having access to the email on some of our machines - yikes.
The last manager meeting here, the owners were sounding very interested in this new LANLess thing @scottalanmiller has been talking about. I'll probably be getting a request for a NextCloud, Spreed.Me, and one of the office integration suites here in the near future
