Why BitLocker with USB key on a server?

Mike Davis

@Dashrender said in Why BitLocker with USB key on a server?:

So there was no TPM?

No TPM as far as I can see.

Mike Davis

@scottalanmiller said in Why BitLocker with USB key on a server?:

Nope. Same as not being encrypted - except in the case where they physically steal drives but not the server or the key.

This is what I thought.

I'm tasked with building a new server and I don't see the need for encrypted drives.

scottalanmiller

@Mike-Davis said in Why BitLocker with USB key on a server?:

@scottalanmiller said in Why BitLocker with USB key on a server?:

Nope. Same as not being encrypted - except in the case where they physically steal drives but not the server or the key.

This is what I thought.

I'm tasked with building a new server and I don't see the need for encrypted drives.

Almost never is. It's so hard to make it useful without crippling real world usage.

BRRABill

@scottalanmiller said in Why BitLocker with USB key on a server?:

@Mike-Davis said in Why BitLocker with USB key on a server?:

@scottalanmiller said in Why BitLocker with USB key on a server?:

Nope. Same as not being encrypted - except in the case where they physically steal drives but not the server or the key.

This is what I thought.

I'm tasked with building a new server and I don't see the need for encrypted drives.

Almost never is. It's so hard to make it useful without crippling real world usage.

You and I always quibble over this. I know you think that users won't be bothered not leave the USB key plugged in. (Just removing it and securing it is all you need.)

In "real world usage" how often is a server rebooted?

Now, if you DID have to reboot the server at an inopportune time, yes, not having access to that USB key would be troublesome. However with iDrac you could also use a recovery key remotely if needed.

scottalanmiller

@BRRABill said in Why BitLocker with USB key on a server?:

@scottalanmiller said in Why BitLocker with USB key on a server?:

@Mike-Davis said in Why BitLocker with USB key on a server?:

@scottalanmiller said in Why BitLocker with USB key on a server?:

Nope. Same as not being encrypted - except in the case where they physically steal drives but not the server or the key.

This is what I thought.

I'm tasked with building a new server and I don't see the need for encrypted drives.

Almost never is. It's so hard to make it useful without crippling real world usage.

You and I always quibble over this. I know you think that users won't be bothered not leave the USB key plugged in. (Just removing it and securing it is all you need.)

In "real world usage" how often is a server rebooted?

Now, if you DID have to reboot the server at an inopportune time, yes, not having access to that USB key would be troublesome. However with iDrac you could also use a recovery key remotely if needed.

Well in the real world.... is where we have a failure right here.

BRRABill

@scottalanmiller said in Why BitLocker with USB key on a server?:

@BRRABill said in Why BitLocker with USB key on a server?:

@scottalanmiller said in Why BitLocker with USB key on a server?:

@Mike-Davis said in Why BitLocker with USB key on a server?:

@scottalanmiller said in Why BitLocker with USB key on a server?:

Nope. Same as not being encrypted - except in the case where they physically steal drives but not the server or the key.

This is what I thought.

I'm tasked with building a new server and I don't see the need for encrypted drives.

Almost never is. It's so hard to make it useful without crippling real world usage.

You and I always quibble over this. I know you think that users won't be bothered not leave the USB key plugged in. (Just removing it and securing it is all you need.)

In "real world usage" how often is a server rebooted?

Now, if you DID have to reboot the server at an inopportune time, yes, not having access to that USB key would be troublesome. However with iDrac you could also use a recovery key remotely if needed.

Well in the real world.... is where we have a failure right here.

But why?

Were they ever told ... hey lock that up? Or were they just lazy.

My point is the if @Mike-Davis took that USB key out, what issues would it really cause? In reality, very few.

scottalanmiller

@BRRABill said in Why BitLocker with USB key on a server?:

My point is the if @Mike-Davis took that USB key out, what issues would it really cause? In reality, very few.

Other than if the server reboots, which it should at least once a week, it would not come back up and that would be that. Outages aren't minor.

BRRABill

@scottalanmiller said in Why BitLocker with USB key on a server?:

@BRRABill said in Why BitLocker with USB key on a server?:

My point is the if @Mike-Davis took that USB key out, what issues would it really cause? In reality, very few.

Other than if the server reboots, which it should at least once a week, it would not come back up and that would be that. Outages aren't minor.

Once a week?

scottalanmiller

@BRRABill said in Why BitLocker with USB key on a server?:

@scottalanmiller said in Why BitLocker with USB key on a server?:

@BRRABill said in Why BitLocker with USB key on a server?:

My point is the if @Mike-Davis took that USB key out, what issues would it really cause? In reality, very few.

Other than if the server reboots, which it should at least once a week, it would not come back up and that would be that. Outages aren't minor.

Once a week?

Or more, yes of course. There are exceptions, but very rare.

http://www.smbitjournal.com/2011/02/why-we-reboot-servers/
http://www.datamation.com/datbus/article.php/3909071/Should-Servers-Be-Rebooted.htm

BRRABill

@scottalanmiller said

Or more, yes of course. There are exceptions, but very rare.

I never patch so it's not a concern.

(KIDDDDING!!! FLAME THROWERS DOWN PEOPLE!)

DustinB3403

@BRRABill said in Why BitLocker with USB key on a server?:

@scottalanmiller said

Or more, yes of course. There are exceptions, but very rare.

I never patch so it's not a concern.

OMG. . .

0_1498764390838_you.jfif

Mike Davis

@BRRABill said in Why BitLocker with USB key on a server?:

My point is the if @Mike-Davis took that USB key out, what issues would it really cause? In reality, very few.

I'm a MSP, so I'm not onsite. 3:00 AM automatic update server reboot would cause problems in the morning.

scottalanmiller

@Mike-Davis said in Why BitLocker with USB key on a server?:

I'm a MSP, so I'm not onsite.

"And" not onsite. Being MSP doesn't imply remote and being on staff doesn't imply on site.

BRRABill

@Mike-Davis said in Why BitLocker with USB key on a server?:

@BRRABill said in Why BitLocker with USB key on a server?:

My point is the if @Mike-Davis took that USB key out, what issues would it really cause? In reality, very few.

I'm a MSP, so I'm not onsite. 3:00 AM automatic update server reboot would cause problems in the morning.

What? You can't set an alarm?

[winking emoji]

JaredBusch

Also who the hell updates shit at 3am?

All my clients have backups running at 6-7pm and updates around 9 or 10.

Why the hell wait to find out shit is broke in the morning. No one is left in the office after 7.

DustinB3403

@JaredBusch said in Why BitLocker with USB key on a server?:

Also who the hell updates shit at 3am?

All my clients have backups running at 6-7pm and updates around 9 or 10.

Why the hell wait to find out shit is broke in the morning. No one is left in the office after 7.

My thought process as well every time someone asks if we can wait until 11PM to do updates. . . um no. . .

scottalanmiller

@JaredBusch said in Why BitLocker with USB key on a server?:

Also who the hell updates shit at 3am?

All my clients have backups running at 6-7pm and updates around 9 or 10.

Why the hell wait to find out shit is broke in the morning. No one is left in the office after 7.

Always best to update the first moment people don't need the system. On Wall St., update process was everyone at their desks five minutes before market close, get your coffee ready and when 5PM strikes we just wait for the call from the trading floor that the last transactions have closed (this can take one minute or about an hour, depends) and the moment we get the call, it's mad patching like crazy. Tens of thousands of systems in about three hours with all weekend to make sure things are good.

momurda

@JaredBusch said in Why BitLocker with USB key on a server?:

Also who the hell updates shit at 3am?

All my clients have backups running at 6-7pm and updates around 9 or 10.

Why the hell wait to find out shit is broke in the morning. No one is left in the office after 7.

Microsoft by default, in the middle of the week as well.

JaredBusch

@momurda said in Why BitLocker with USB key on a server?:

@JaredBusch said in Why BitLocker with USB key on a server?:

Also who the hell updates shit at 3am?

All my clients have backups running at 6-7pm and updates around 9 or 10.

Why the hell wait to find out shit is broke in the morning. No one is left in the office after 7.

Microsoft by default, in the middle of the week as well.

So you let a random MS default setting dictate your business schedule? WTF?