Solved supporting an office of computers with full drive encryption
-
hmm, i have been reading through the commends and I have the following:
If its desktop or laptop, then it can be grounded (desktop are easier) with kensington cord, and if you are worried about auto decrypt on boot up and theft, then you can use TPM module header.
With those even if the Internal HDD got stolen if you used encryption software that uses the TPM it will not decrypt unless the TPM module gets stolen too, for desktops it is different location than laptops and I think it can bind with the motherboard model, note sure though.
Using desktops it is alot easier i guess going the above route.
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
-
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
-
@scottalanmiller If the user forgets password and they are out of town. They can feed you a series of numbers and letters (think windows OS Product Key length) that you plug into the server. That then generates a similar code that you feed back to them then that unlocks the encryption.
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
Good to know the corporate team is on par.......
-
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
I presume that there is data on there?
-
@PenguinWrangler said in supporting an office of computers with full drive encryption:
@scottalanmiller If the user forgets password and they are out of town. They can feed you a series of numbers and letters (think windows OS Product Key length) that you plug into the server. That then generates a similar code that you feed back to them then that unlocks the encryption.
Does each user have their own password for the drive? Is it AD integrated? Can the admin log in if the user forgets their password?
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
I presume that there is data on there?
The document I was working off of said that even if their data is web based, if they view a .pdf , the .pdf could get stored as a temp file, and that information could be confidential, so they want the drive encrypted.
-
@Mike-Davis It is all AD integrated. When they change their AD password and login then the Dell DDPE will update the PBA (Preboot Authentication screen) with their AD password.
-
@Mike-Davis One thing to note, it will not let them pass the PBA(preboot authentication screen) if their password is expired. Took some teaching, and emails to my users to change passwords when they are prompted and don't let them expire. We push out email warnings the week before and day of their password expiring. Hasn't been too much of an issue. My users seemed to adapt to that fairly well.
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
I presume that there is data on there?
The document I was working off of said that even if their data is web based, if they view a .pdf , the .pdf could get stored as a temp file, and that information could be confidential, so they want the drive encrypted.
Sure, that can happen, depending on how it is set up. But you can encrypt all user space without encrypting the OS.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
I presume that there is data on there?
All my software, and Keepass files. Encrypted SSH keys and RDP password a la MobaXterm. Yeah. There's a bit on here that I don't want folks to have access to.
And if somebody steals my office machine, they'd have to steal the UPS too... and then know the password to unlock my screen... and my desktop weighs about as much as my UPS (it's a small one), lol.
-
@dafyre said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
I presume that there is data on there?
All my software, and Keepass files. Encrypted SSH keys and RDP password a la MobaXterm. Yeah. There's a bit on here that I don't want folks to have access to.
And if somebody steals my office machine, they'd have to steal the UPS too... and then know the password to unlock my screen... and my desktop weighs about as much as my UPS (it's a small one), lol.
Nearly all of that is already encrypted, though. So those parts won't benefit from further encryption.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
I presume that there is data on there?
All my software, and Keepass files. Encrypted SSH keys and RDP password a la MobaXterm. Yeah. There's a bit on here that I don't want folks to have access to.
And if somebody steals my office machine, they'd have to steal the UPS too... and then know the password to unlock my screen... and my desktop weighs about as much as my UPS (it's a small one), lol.
Nearly all of that is already encrypted, though. So those parts won't benefit from further encryption.
Many of our laptops do have unencrypted data that would be very bad to have leaked/stolen. Never mind just having access to the email on some of our machines - yikes.
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
I presume that there is data on there?
All my software, and Keepass files. Encrypted SSH keys and RDP password a la MobaXterm. Yeah. There's a bit on here that I don't want folks to have access to.
And if somebody steals my office machine, they'd have to steal the UPS too... and then know the password to unlock my screen... and my desktop weighs about as much as my UPS (it's a small one), lol.
Nearly all of that is already encrypted, though. So those parts won't benefit from further encryption.
Many of our laptops do have unencrypted data that would be very bad to have leaked/stolen. Never mind just having access to the email on some of our machines - yikes.
The last manager meeting here, the owners were sounding very interested in this new LANLess thing @scottalanmiller has been talking about. I'll probably be getting a request for a NextCloud, Spreed.Me, and one of the office integration suites here in the near future
-
@travisdh1 said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
I presume that there is data on there?
All my software, and Keepass files. Encrypted SSH keys and RDP password a la MobaXterm. Yeah. There's a bit on here that I don't want folks to have access to.
And if somebody steals my office machine, they'd have to steal the UPS too... and then know the password to unlock my screen... and my desktop weighs about as much as my UPS (it's a small one), lol.
Nearly all of that is already encrypted, though. So those parts won't benefit from further encryption.
Many of our laptops do have unencrypted data that would be very bad to have leaked/stolen. Never mind just having access to the email on some of our machines - yikes.
The last manager meeting here, the owners were sounding very interested in this new LANLess thing @scottalanmiller has been talking about. I'll probably be getting a request for a NextCloud, Spreed.Me, and one of the office integration suites here in the near future
Sweet, did they watch the video? Did they remember to give some likes? LOL
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@dafyre said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.
I presume that there is data on there?
All my software, and Keepass files. Encrypted SSH keys and RDP password a la MobaXterm. Yeah. There's a bit on here that I don't want folks to have access to.
And if somebody steals my office machine, they'd have to steal the UPS too... and then know the password to unlock my screen... and my desktop weighs about as much as my UPS (it's a small one), lol.
Nearly all of that is already encrypted, though. So those parts won't benefit from further encryption.
Many of our laptops do have unencrypted data that would be very bad to have leaked/stolen. Never mind just having access to the email on some of our machines - yikes.
The last manager meeting here, the owners were sounding very interested in this new LANLess thing @scottalanmiller has been talking about. I'll probably be getting a request for a NextCloud, Spreed.Me, and one of the office integration suites here in the near future
Sweet, did they watch the video? Did they remember to give some likes? LOL
Nope, they were sold when I told them about the Spreed.Me integration. They've been looking for a way to do webinars and being able to interact with remote people. A way to have that available and keep it all "in house" was the kicker.
Also, don't get me started, 3rd party services just won't work because of the crazy legalities surrounding the business. In a sane world I'd have them connect with Skype or something like that.
-
@PenguinWrangler said in supporting an office of computers with full drive encryption:
We use Dell DDPE encryption solution. We can log into the server and tell the computer bypass the first Encryption Screen on next boot if the computer is in the office. So that is how we handle WOL scenarios.
Is that product still made by Wave?
I know Wave was having some issues a little while back.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
Sure, that can happen, depending on how it is set up. But you can encrypt all user space without encrypting the OS.
How would I go about encrypting the user space without the OS?
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
Sure, that can happen, depending on how it is set up. But you can encrypt all user space without encrypting the OS.
How would I go about encrypting the user space without the OS?
Standard method is to have all user accessible space on a different volume. Like a D drive (partition.) That way the system can fire up, get patched and be used like a normal system but the data you need to protect can only be accessed with a password (or something) to allow it to decrypt.