Hard Drive Encryption
-
I have a client that is required to have data encryption for their hard drives. We have tried two different packages, and it appears that Windows 8.1 with BITLOCKER will meet the requirements for compliance. However, the problem is when I am doing remote work and I have to reboot the workstation, I have to wait for the user to enter the credentials to unlock the drive before it will boot again. This is obviously a PiA when you are trying to do Windows updates - etc. at night. My understanding is that BITLOCKER will do the same. We have also had a few issues with the drives. In one case, the user had a virus that was locking out the system as soon as they logged in. Having the encryption on the drive made it twice as difficult to fix the issue. I did eventually resolve it with a clean user profile, but days were wasted. The second time we had a system BSOD, but I was able to move the drive to another machine and decrypt the drive to read the data. It would seem a better option would be to only encrypt a data section of the hard drive, and leave the OS unencrypted. What products and strategies are the rest of you using?
-
Drive encryption definitely sucks. I don't deal with Windows encryption much but on Linux what we do is use LUKS and only encrypt the data drives, not the OS. That way you can boot, patch, etc. without getting access to the data at rest. Way better and lower overhead on the system.
-
TrueCrypt and I assume its offspring did do full disk encryption. But it also did volume encryption so you could make a set of folders/volumes/partition encrypted without having the OS or primary "drive" encrypted. Not sure if Bitlocker offers the same thing.
-
I agree with Scott's point about encrypting the data drives but not the OS drives. The issue is when you have to encrypt the workstations and there is only one drive. I don't know of a way around this, sadly.
-
@thanksaj said:
I agree with Scott's point about encrypting the data drives but not the OS drives. The issue is when you have to encrypt the workstations and there is only one drive. I don't know of a way around this, sadly.
It's as simple as not having just one drive. There is nothing limiting you to a single volume.
-
@scottalanmiller said:
@thanksaj said:
I agree with Scott's point about encrypting the data drives but not the OS drives. The issue is when you have to encrypt the workstations and there is only one drive. I don't know of a way around this, sadly.
It's as simple as not having just one drive. There is nothing limiting you to a single volume.
Unless they are laptops with only one slot. In that case, you could create multiple logical partitions but this is another step that most don't take.
-
@thanksaj said:
Unless they are laptops with only one slot. In that case, you could create multiple logical partitions but this is another step that most don't take.
Yes but that's the answer. It's far simpler than adding another drive. It's far simpler than encrypting.
-
@scottalanmiller said:
@thanksaj said:
Unless they are laptops with only one slot. In that case, you could create multiple logical partitions but this is another step that most don't take.
Yes but that's the answer. It's far simpler than adding another drive. It's far simpler than encrypting.
Yes, I know. Still, it just means extra steps, and many IT guys won't take them.
-
@thanksaj said:
Yes, I know. Still, it just means extra steps, and many IT guys won't take them.
It's the minimum though. It's less than the alternatives. If you are going to rule that out then, by extension, you'd rule out encryption all together which rules out the point of the thread. It just doesn't make sense.
-
@scottalanmiller said:
@thanksaj said:
Yes, I know. Still, it just means extra steps, and many IT guys won't take them.
It's the minimum though. It's less than the alternatives. If you are going to rule that out then, by extension, you'd rule out encryption all together which rules out the point of the thread. It just doesn't make sense.
It's life @scottalanmiller . We need to establish that most things that most people do will not make sense.
-
@thanksaj said:
It's life @scottalanmiller . We need to establish that most things that most people do will not make sense.
But this doesn't apply to this thread. Don't do the "people won't do logical things so we can't have a logical discussion" thing that we see in SW a lot. This is a thread of someone asking a real question and this is the real answer. Saying that "most people are lazy or stupid and therefore won't do this" defeats the point of asking the question.
-
@scottalanmiller said:
@thanksaj said:
It's life @scottalanmiller . We need to establish that most things that most people do will not make sense.
But this doesn't apply to this thread. Don't do the "people won't do logical things so we can't have a logical discussion" thing that we see in SW a lot. This is a thread of someone asking a real question and this is the real answer. Saying that "most people are lazy or stupid and therefore won't do this" defeats the point of asking the question.
I wasn't saying your answer wasn't a solution. I'm just saying most people won't go to those measures. However, it is a viable solution.
-
I had thought about that for workstations or servers. What do you do for laptops though. Would partitioning the drive be a good solution then? Leave the OS partition unencrypted, and then encrypt the data partition?
-
@bsouder said:
I had thought about that for workstations or servers. What do you do for laptops though. Would partitioning the drive be a good solution then? Leave the OS partition unencrypted, and then encrypt the data partition?
Yes, same there in most cases. If you do the full drive you create SO MUCH work for yourself. But if you don't, then the OS is at risk in case the system is stolen. All about balancing effort and security.
-
@scottalanmiller said:
@bsouder said:
I had thought about that for workstations or servers. What do you do for laptops though. Would partitioning the drive be a good solution then? Leave the OS partition unencrypted, and then encrypt the data partition?
Yes, same there in most cases. If you do the full drive you create SO MUCH work for yourself. But if you don't, then the OS is at risk in case the system is stolen. All about balancing effort and security.
At the point is the OS really that important? If the data volume is encrypted at rest then who cares about the OS which would be generally the same on all the machines? Or does having the OS unecrypted introduce a new attack vector that wouldn't exist if it was encrypted like the data?
-
If someone gets access to the OS there is a chance of gathering data about the system(s) and to get cached credentials to use for offline unencryption attacks.
-
@scottalanmiller said:
@bsouder said:
I had thought about that for workstations or servers. What do you do for laptops though. Would partitioning the drive be a good solution then? Leave the OS partition unencrypted, and then encrypt the data partition?
Yes, same there in most cases. If you do the full drive you create SO MUCH work for yourself. But if you don't, then the OS is at risk in case the system is stolen. All about balancing effort and security.
I was going to suggest the same thing. My primary device is a laptop with a 500GB drive. I had planned on Dual Booting it; Win 7, Linux, but also wanted a data partition that was accessible to both.
I've used this scheme for a long time. Not always to dual boot but it was the mindset that the data was more important than the OS.. I could toast the OS and not worry about my data UNLESS there was a physical hard drive failure. Which do happen.
Even though many programs default to the OS drive for data, you can modify the registry or program settings to use the data vol and not the OS vol.
TrueCrypt and it's newer variant do wonderful encryption, however if you are having to comply with FIPS 140 - than TrueCrypt doesn't comply. Bitlocker does, as does may others.
-
Doesn't any company offer encryption at the disk or BIOS level? That combined with iLO or the equivalent would do the trick no?
-
Seagate used to have disk level, yes. Not sure how that works in RAID.
-
Good point - I guess you'd have to put the encryption in the RAID controller, but that would be a recipe for disaster.
