Solved supporting an office of computers with full drive encryption
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@NerdyDad said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@NerdyDad said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@NerdyDad said in supporting an office of computers with full drive encryption:
Coming into the conversation late here.
I have a full enterprise where most, if not all, of my laptops are bitlockered before they are deployed. Security keys are stored in the TPM for boot decryption. I also hold the kyes to the encryption on an IT controlled drive.
There is also a boot up password that must be entered by the user when the boot the computer up from cold. If they are rebooted, the startup password is bypassed automatically by the bios/uefi.
I've never played with Bitlocker. I was unaware that if you had a TPM that you could required a boot time password still - is that password used to unlock the TPM? How do you manage that password? What if a user forgets their TPM password?
The boot time password has nothing to do with the TPM or bitlocker but is more of a BIOS/UEFI setting to allow access to the hard drive to boot. You could do the same thing to a computer that is totally un-bitlockered.
Huh - so you've added yet another level of complexity. How do you manage these? Do all users have a different BIOS/UEFI password? Do the BIOS/UEFI allow for both a user level password (for disk booting) and an admin level one in case the user forgets their BIOS/UEFI password?
Also - so Bitlocker/TPM doesn't have an option for a password requirement?
You mentioned that the BIOS/UEFI does not require the password if the system is rebooted. Does this mean only when Windows is properly rebooted? or that a password is only not required when the system isn't coming from a powered off state?
What about sleep/hibernation? Is a password required then to get past the BIOS/UEFI?Yes, we did add another level of complexity that was not necessary but something the boss wanted. The boot password is a password convention that the user and IT knows, but something that anybody outside of the company would not/should not know. It should be something fairly easy for them to remember because they have to use it everyday for them to use their computers anyways. No, its not their Windows password either.
The TPM stores the key for bitlocker to begin decryption in order to boot the system.
Lenovo systems detects when Windows is being properly rebooted and does not request the boot up password. We have not yet tested sleep/hibernation as that junk typically has never worked for me in Windows. I've not had a problem with hibernation/sleep in Qubes.
What's really funny is that you have the crazy mix of "require encryption" but "trust Lenovo." That makes no sense. Especially as the UEFI being malicious being one of the issues with Lenovo!
Don't get me wrong. I don't trust Lenovo. In fact, we're doing the slow migration away from Lenovo to Dell. That's just the practice that we have right now.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
If you redirect the profile to the D : drive (good luck actually getting that to fully work) ....
Weren't you just arguing that you trust MS more than me
Now you've lost me though - profile redirection causes all kinds of problems. Can you make it work, yes. Is it easy ? Heck no. My own personal experience also says it's not that stable either, but I'm willing to take the blame on that bit if needed.
It's amazing how much the simplest tasks are major issues on Windows
Sadly, this is more based upon the shit software companies write, and less on MS. The crap software makes hard calls to anticipated locations. this is not MS's fault.
-
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
-
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
If you redirect the profile to the D : drive (good luck actually getting that to fully work) ....
Weren't you just arguing that you trust MS more than me
Now you've lost me though - profile redirection causes all kinds of problems. Can you make it work, yes. Is it easy ? Heck no. My own personal experience also says it's not that stable either, but I'm willing to take the blame on that bit if needed.
It's amazing how much the simplest tasks are major issues on Windows
Sadly, this is more based upon the shit software companies write, and less on MS. The crap software makes hard calls to anticipated locations. this is not MS's fault.
I agree. Although MS doesn't handle it in a way that fixes that, either. They make it really easy to mess that up and even their own update process breaks - so MS's fault there.
UNIX had this solved in the 1970s, so even bad code doesn't have the issue.
-
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
Key is stored in the TPM. TPM/Bios/UEFI decrypts the drive in order to boot Windows before login.
-
@NerdyDad said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
Key is stored in the TPM. TPM/Bios/UEFI decrypts the drive in order to boot Windows before login.
This is not what Scott is talking about at all though.
-
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
How do you ever? Is there any system that works in one case and not another? If you can't decrypt before logon... all encryption will cause teh system to be useless.
-
@Dashrender said in supporting an office of computers with full drive encryption:
@NerdyDad said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
Key is stored in the TPM. TPM/Bios/UEFI decrypts the drive in order to boot Windows before login.
This is not what Scott is talking about at all though.
I've not tested this, but any reason it can't work with just one partition like LUKS can?
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
How do you ever? Is there any system that works in one case and not another? If you can't decrypt before logon... all encryption will cause teh system to be useless.
Scott - Clearly I'm an idiot..
I need an exact blow by blow how you would configure a Windows 10 system to have all but the admin profile saved to an encrypted D : drive, that would leave that D drive enrypted while updates are running, yet somehow decrypt the D drive when the user wants to be logged in. -
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
How do you ever? Is there any system that works in one case and not another? If you can't decrypt before logon... all encryption will cause teh system to be useless.
Scott - Clearly I'm an idiot..
I need an exact blow by blow how you would configure a Windows 10 system to have all but the admin profile saved to an encrypted D : drive, that would leave that D drive enrypted while updates are running, yet somehow decrypt the D drive when the user wants to be logged in.Why must the admin profile not be included? Maybe I'm missing when that is used when there is no one logged in.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@NerdyDad said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
Key is stored in the TPM. TPM/Bios/UEFI decrypts the drive in order to boot Windows before login.
This is not what Scott is talking about at all though.
I've not tested this, but any reason it can't work with just one partition like LUKS can?
No clue what LUKS is, but assuming a single partition, how do you do remote updates to an encrypted drive? I'm assuming it can't boot without a user there to type in a password.
-
@Dashrender said in supporting an office of computers with full drive encryption:
No clue what LUKS is, but assuming a single partition, how do you do remote updates to an encrypted drive?
That's my whole goal here. Encrypt a single partition (D drive with users data on it) and leave C drive unencrypted so that the system can update automatically. User space doesn't get patched, so that it is encrypted shouldn't matter, or matter much (if something needs to be updated there you do it at a different time, the OS is way more important.)
-
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@NerdyDad said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
Key is stored in the TPM. TPM/Bios/UEFI decrypts the drive in order to boot Windows before login.
This is not what Scott is talking about at all though.
I've not tested this, but any reason it can't work with just one partition like LUKS can?
No clue what LUKS is, but assuming a single partition, how do you do remote updates to an encrypted drive? I'm assuming it can't boot without a user there to type in a password.
We can encrypt home directories and still boot the machine. Why would it not be able to boot? The user data is on a separate drive. I'm lost as to why it wouldn't work.
-
This is with LUKS. I don't know how Windows would handle this.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
This is with LUKS. I don't know how Windows would handle this.
Yeah, LUKS works easily for me too. One of the many "trivially easy on Linux, pain in the butt on Windows."
-
@stacksofplates said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@NerdyDad said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
Key is stored in the TPM. TPM/Bios/UEFI decrypts the drive in order to boot Windows before login.
This is not what Scott is talking about at all though.
I've not tested this, but any reason it can't work with just one partition like LUKS can?
No clue what LUKS is, but assuming a single partition, how do you do remote updates to an encrypted drive? I'm assuming it can't boot without a user there to type in a password.
We can encrypt home directories and still boot the machine. Why would it not be able to boot? The user data is on a separate drive. I'm lost as to why it wouldn't work.
I'm not talking about BOOTING, I'm talking about loading the user profile. In the case of Windows - how would you load a profile that's stored on an encrypted (still locked) partition? When you enter the username/password, the system tries to load the profile from D but can't becuase it's locked. But you can't unlock it until after you log in.
See the problem?
-
@Dashrender said in supporting an office of computers with full drive encryption:
I'm not talking about BOOTING, I'm talking about loading the user profile. In the case of Windows - how would you load a profile that's stored on an encrypted (still locked) partition? When you enter the username/password, the system tries to load the profile from D but can't becuase it's locked. But you can't unlock it until after you log in.
See the problem?
Yes, the issue is that you are assuming that we want to unlock it AFTER boot time. I don't think we had suggested that. So you are seeing a problem that we had not because you have a use case we weren't considering supporting.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
I'm not talking about BOOTING, I'm talking about loading the user profile. In the case of Windows - how would you load a profile that's stored on an encrypted (still locked) partition? When you enter the username/password, the system tries to load the profile from D but can't becuase it's locked. But you can't unlock it until after you log in.
See the problem?
Yes, the issue is that you are assuming that we want to unlock it AFTER boot time. I don't think we had suggested that. So you are seeing a problem that we had not because you have a use case we weren't considering supporting.
OK, let's assume that is correct, how do you propose protecting that data when the system is booted up and updates are being applied? Now maybe the answer is, it doesn't matter, when updates are being applied no user is logged in, and for a hacker to gain access they'd still have to log in. OK maybe..
But how did the computer bootup in the first place? The whole reason is the OS isn't encrypted is because we want to be able to do remote updates, which requires the PC to be on and booted. And if the PC can be one and booted without a password supplied, then someone could probably hack the boot partition in an attempt to get the key that I assume must be stored in the OS partition to unlock the data partition upon boot, right? -
@Dashrender said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@NerdyDad said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
Key is stored in the TPM. TPM/Bios/UEFI decrypts the drive in order to boot Windows before login.
This is not what Scott is talking about at all though.
I've not tested this, but any reason it can't work with just one partition like LUKS can?
No clue what LUKS is, but assuming a single partition, how do you do remote updates to an encrypted drive? I'm assuming it can't boot without a user there to type in a password.
We can encrypt home directories and still boot the machine. Why would it not be able to boot? The user data is on a separate drive. I'm lost as to why it wouldn't work.
I'm not talking about BOOTING, I'm talking about loading the user profile. In the case of Windows - how would you load a profile that's stored on an encrypted (still locked) partition? When you enter the username/password, the system tries to load the profile from D but can't becuase it's locked. But you can't unlock it until after you log in.
See the problem?
LUKS uses the users password to unlock the partition.