Solved supporting an office of computers with full drive encryption
-
@travisdh1 said in supporting an office of computers with full drive encryption:
Turn the workstations into disk-less thin clients maybe?
This is actually more viable than it sounds. Of course there are products like Jentu that sound like they do this but when pushed, appear to not really exist. We tried, a lot, to get this shown to us in person and once it was clear we weren't going to accept a remote video but needed to actually see the product... they ran away and never responded to us again. Even their internal staff admitted they'd only seen prepped demos and had never seen the product.
That being said, if you use a simple tool like Aclouda (they have some hardware on display here at VeeamOn in fact) in your desktop and a SAN, especially one with gobs of cache like Starwind (also here at VeeamOn) you can make a thin client that might actually be faster than normal disk as nearly everything gets served out of a RAM cache.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@black3dynamite said in supporting an office of computers with full drive encryption:
Wouldn't Windows Updates be difficult too? Most of the time you need a restart to finish configuring the updates.
Yes, which is why essentially no one does full disk in the real world. It's a silly thing and absolutely nothing actually requires it. People say that, but no regulation does.
We are. The govt can assert whatever requirements they want depending on "how they read it". It's nuts.
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
Ya corporate puts bitlocker on machines. It's pointless.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
Ya corporate puts bitlocker on machines. It's pointless.
Why is it pointless? It does not work?
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
Ya corporate puts bitlocker on machines. It's pointless.
Why is it pointless? It does not work?
I guess pointless is strong. But its only useful if someone steals a drive. If they steal the whole machine it will auto unencrypt on boot.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
Ya corporate puts bitlocker on machines. It's pointless.
Why is it pointless? It does not work?
I guess pointless is strong. But its only useful if someone steals a drive. If they steal the whole machine it will auto unencrypt on boot.
auto unencrypt? don't you need a password to decrypt?
This is the exact scenario we need to prevent - theft of machines. Seems like it would do a good job
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
Ya corporate puts bitlocker on machines. It's pointless.
Why is it pointless? It does not work?
I guess pointless is strong. But its only useful if someone steals a drive. If they steal the whole machine it will auto unencrypt on boot.
auto unencrypt? don't you need a password to decrypt?
This is the exact scenario we need to prevent - theft of machines. Seems like it would do a good job
No. It only stops booting if something changes. Like you plug a monitor into the wrong port. If someone steals a whole laptop it will just boot right to the OS.
-
That may be a setting that can be enabled, idk. I don't manage it.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
Ya corporate puts bitlocker on machines. It's pointless.
Why is it pointless? It does not work?
I guess pointless is strong. But its only useful if someone steals a drive. If they steal the whole machine it will auto unencrypt on boot.
Which basically means it was put there to trick a manager who is an idiot.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
Ya corporate puts bitlocker on machines. It's pointless.
Why is it pointless? It does not work?
I guess pointless is strong. But its only useful if someone steals a drive. If they steal the whole machine it will auto unencrypt on boot.
Which basically means it was put there to trick a manager who is an idiot.
Or just to check a box (to get past an audit) which is just as bad.
-
Hmm. I've been trying to convince my boss to consider thin clients for our users and I think this argument may help me in at least getting him to consider it.
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
Ya corporate puts bitlocker on machines. It's pointless.
Why is it pointless? It does not work?
I guess pointless is strong. But its only useful if someone steals a drive. If they steal the whole machine it will auto unencrypt on boot.
auto unencrypt? don't you need a password to decrypt?
This is the exact scenario we need to prevent - theft of machines. Seems like it would do a good job
Loads of people doing encryption aren't doing it for logical reasons, but as a means to bypass a spirit of security. And they "have" encryption, but disable it automatically so that someone stealing hardware might never even know that the data was "encrypted."
-
@scottalanmiller Ok, I get that - but for real though, bitlocker can be forced to start with a password to decrypt the drive right? And it's reasonably good encryption?
-
Maybe using Citrix XenApps, Citrix XenDesktop, or VMware Horizon is another solution.
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller Ok, I get that - but for real though, bitlocker can be forced to start with a password to decrypt the drive right? And it's reasonably good encryption?
Oh sure, just not many people doing that.
-
We use Dell DDPE encryption solution. We can log into the server and tell the computer bypass the first Encryption Screen on next boot if the computer is in the office. So that is how we handle WOL scenarios.
-
@PenguinWrangler said in supporting an office of computers with full drive encryption:
We use Dell DDPE encryption solution. We can log into the server and tell the computer bypass the first Encryption Screen on next boot if the computer is in the office. So that is how we handle WOL scenarios.
That's a cool feature.
-
hmm, i have been reading through the commends and I have the following:
If its desktop or laptop, then it can be grounded (desktop are easier) with kensington cord, and if you are worried about auto decrypt on boot up and theft, then you can use TPM module header.
With those even if the Internal HDD got stolen if you used encryption software that uses the TPM it will not decrypt unless the TPM module gets stolen too, for desktops it is different location than laptops and I think it can bind with the motherboard model, note sure though.
Using desktops it is alot easier i guess going the above route.
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
The CIO wants all of the Sysadmin team (and presumably others) to use BitLocker for Full Disk Encryption. I can't reboot my computer without entering the password to decrypt the drives.