Educause Security Discussion mailing list archives

Re: Full Disk Encryption vs "encrypting just the data disk"....??


From: "Eric C. Lukens" <eric.lukens () UNI EDU>
Date: Wed, 30 Jan 2013 13:48:21 -0600

At least on Windows 7 and above, you could do that with
Bitlocker--though it might not be as user friendly as other options, but
2012 does make it better. You need to configure Group Policy to force
the recovery keys to be sent to the domain; then your DAs (or others you
delegate) can view the recovery keys. When doing so, you can set the
different kinds of recovery keys for Bitlocker to be sent up--removable
drives, fixed drives, or boot drives. Then you need to review all the GP
settings for Bitlocker to make sure the password requirements meet your
needs, along with other settings.

Using non-boot drives with Bitlocker adds no boot overhead and doesn't
require extra care when upgrading the BIOS or making BIOS changes. That
said, AES 128, the default in Bitlocker, is not much overhead--even on
older machines. For newer machines with AES instructions built into the
proc, the overhead is virtually non-existent (though the paranoid on Win
8/2012 can force software encryption).

However, Windows will let the user set an option to automatically unlock
Bitlocker drives under some circumstances, so you need to manually force
a registry key to be unwritable or cleared:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock
Alternatively, you can force Bitlocker to not allow the creation of
256-bit recovery keys, which is what Bitlocker uses to auto-unlock drives
(assuming you're fine just using the shorter, manually-entered keys).

To force the encryption on users, that'll take some scripting kung fu;
it can be done, but it isn't pretty.

If you want help/more details, let me know.

-Eric

-------- Original Message --------
Subject: [SECURITY] Full Disk Encryption vs "encrypting just the data disk"....??
From: SCHALIP, MICHAEL <mschalip () CNM EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 1/30/2013 1:03 PM

Hi folks.....

Apologies for the hijack, but here's what we're struggling with: We run Symantec Endpoint Encryption (whole disk) only on our administrative laptops, but the boot time hit is bad, plus the process of having to "register users" into the system is more than a lot of folks can handle/manage/understand. So the idea has been broached of partitioning all admin laptops into an unencrypted C:/boot drive (thus improving the boot time), but also having an encrypted D:/data disk where everyone will need to store their data. This sounded like a good theory until we were told that even if the boot partition isn't encrypted, the system will still have to go through the SEE pre-boot environment; hence, we may not get any boot time gains. Which is also driving the discussion toward BitLocker (especially with some of the recovery improvements that come with BitLocker in a WinServer 2012 environment).....but I'm not sure if BitLocker doesn't require the same kind of pre-boot process....??

Anyone know if there's an elegant way to encrypt a data drive, not encrypt the boot drive, and not require the system to go through a pre-boot process......AND allow for some sort of automated and centralized key recovery capability??

Thanks,

Michael
-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Grisham
Sent: Wednesday, January 30, 2013 11:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Full Disk Encryption and Media Encryption

We are using McAfee Endpoint Encryption, which allows us to apply FDE preboot on laptops, and we're moving toward AutoBoot on workstations.
The McAfee endpoint tool allows us to force encryption if anyone wants to write to a USB or optical media. There are a lot of options and flexibility.
As we've been using EPO for quite a while, management has not been a problem. When we pushed out FDE we had some problems because we didn't check the health of the disks on our laptops prior to encrypting and bricked a few.
So take a good look at McAfee endpoint encryption. I know there are other products that others are using and like very much also. Cheers.

-grish
David Grisham, PhD, CISM, CRISC
Manager IT Security

>>> Jim Furstenberg <JamesFurstenberg () FERRIS EDU> 1/30/2013 11:22 AM >>>
Full Disk Encryption and Media Encryption

Just wanted to see what vendors (enterprise solutions) folks are using for FDE and MDE needs.

We currently have Checkpoint, which is very unfriendly, so I am looking at options.

Any help would be greatly appreciated.


Thank you.

Jim Furstenberg | IT Security Analyst CISSP, C|EH

"In God we trust, all others bring data."    W. Edwards Deming
_________________________________________________________
Ferris State University  - National Security Agency Center of Excellence
330 Oak St  | Big Rapids, MI 49307
Office: 231.591.5335
Mobile: 231.645.5821
EFax: 888.396.6269
Technical support
or call 231-591-4822 local
or toll free 877-779-4822

-- 
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
(319) 273-7434
http://www.uni.edu/elukens/

If you see an attachment called smime.p7s, you may disregard it. It is
an S/MIME digital signature file to validate the authenticity of this
email message.
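As an added example (not part of Eric's post or any message in this thread), here is a PowerShell audit of the non-OS BitLocker volumes for the points he raises: whether auto-unlock is on, whether a recovery password exists and is escrowed to AD, and whether the per-user FveAutoUnlock registry key is present. It assumes Windows 8 / Server 2012 or later for the BitLocker cmdlets and, for -Remediate, a domain-joined machine whose Group Policy already allows recovery information to be stored in AD DS; the function name is my own.

```powershell
# Added example (not from the thread). Requires the BitLocker module that
# ships with Windows 8 / Server 2012 and later. Run as an administrator.
function Get-DataVolumeBitLockerAudit {
    [CmdletBinding()]
    param([switch]$Remediate)

    # Per-user key Windows writes when a user ticks "Automatically unlock this
    # drive"; the post suggests clearing it or making it unwritable by policy.
    $autoUnlockKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock'

    foreach ($vol in Get-BitLockerVolume | Where-Object VolumeType -eq 'Data') {
        # 48-digit recovery passwords are what GP escrows to AD DS.
        $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        # Auto-unlock is implemented as an ExternalKey protector whose key
        # material is kept on the OS volume, so its presence is the durable
        # sign that the drive was set to auto-unlock at some point.
        $external = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'ExternalKey')

        if ($Remediate) {
            if ($vol.AutoUnlockEnabled) {
                # Removes the ExternalKey protector and the stored key on the OS volume.
                Disable-BitLockerAutoUnlock -MountPoint $vol.MountPoint | Out-Null
            }
            foreach ($kp in $recovery) {
                # Escrow each recovery password to AD DS (a no-op if already backed up).
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $kp.KeyProtectorId | Out-Null
            }
            if (Test-Path $autoUnlockKey) {
                # Clear the current user's auto-unlock registry key, as the post suggests.
                Remove-Item -Path $autoUnlockKey -Recurse -Force
            }
        }

        [pscustomobject]@{
            MountPoint               = $vol.MountPoint
            ProtectionStatus         = $vol.ProtectionStatus
            EncryptionMethod         = $vol.EncryptionMethod
            AutoUnlockEnabled        = $vol.AutoUnlockEnabled
            ExternalKeyCount         = $external.Count
            RecoveryPasswordCount    = $recovery.Count
            UserAutoUnlockKeyPresent = Test-Path $autoUnlockKey
        }
    }
}

# Report only; add -Remediate to disable auto-unlock and escrow recovery passwords.
Get-DataVolumeBitLockerAudit | Format-Table -AutoSize
```

A volume with RecoveryPasswordCount of 0 has nothing for the domain to hold, so the GP escrow setting alone will not help it; add a RecoveryPassword protector first.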
