Educause Security Discussion mailing list archives
Re: Full Disk Encryption vs "encrypting just the data disk"....??
From: "Eric C. Lukens" <eric.lukens () UNI EDU>
Date: Wed, 30 Jan 2013 13:48:21 -0600
At least on Windows 7 and above, you could do that with Bitlocker--though it might not be as user friendly as other options, but 2012 does make it better. You need to configure Group Policy to force the recovery keys to be sent to the domain; then your DAs (or others you delegate) can view the recovery keys. When doing so, you can set the different kinds of recovery keys for Bitlocker to be sent up--removable drives, fixed drives, or boot drives. Then you need to review all the GP settings for Bitlocker to make sure the password requirements meet your needs along with other settings.

Using non-boot drives with Bitlocker adds no boot overhead and doesn't require extra care when upgrading the BIOS or making BIOS changes. That said, AES 128, the default in Bitlocker, is not much overhead--even on older machines. For newer machines with AES instructions built into the proc, the overhead is virtually non-existent (though the paranoid on Win 8/2012 can force software encryption).

However, Windows will let the user set an option to automatically unlock Bitlocker drives under some circumstances, so you need to manually force a registry key to be unwritable or cleared:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock

Alternatively, you can force Bitlocker to not allow the creation of 256-bit recovery keys, which is what Bitlocker uses to auto-unlock drives (assuming you're fine just using the shorter, manually-entered keys). To force the encryption on users, that'll take some scripting kung fu; it can be done, but it isn't pretty. If you want help/more details, let me know.

-Eric

-------- Original Message --------
Subject: [SECURITY] Full Disk Encryption vs "encrypting just the data disk"....??
From: SCHALIP, MICHAEL <mschalip () CNM EDU>
To: SECURITY () LISTSERV EDUCAUSE EDU
Date: 1/30/2013 1:03 PM
Hi folks..... Apologies for the hijack, but here's what we're struggling with: We run Symantec Endpoint Encryption - whole disk - only on our administrative laptops - but the boot time hit is bad, plus the process of having to "register users" into the system is more than a lot of folks can handle/manage/understand. So the idea has been broached of partitioning all admin laptops into an unencrypted C:/boot drive (thus improving the boot time), but also having an encrypted D:/data disk where everyone will need to store their data. This sounded like a good theory until we were told that even if the boot partition isn't encrypted, the system will still have to go through the SEE pre-boot environment - hence, we may not get any boot time gains. Which is also driving the discussion toward BitLocker (especially with some of the recovery improvements that come with BitLocker in a WinServer 2012 environment).....but I'm not sure if BitLocker doesn't require the same kind of pre-boot process....??
Anyone know if there's an elegant way to encrypt a data drive - not encrypt the boot drive - and not require the system to go through a pre-boot process......AND allow for some sort of automated and centralized key recovery capability??

Thanks,
Michael

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David Grisham
Sent: Wednesday, January 30, 2013 11:35 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Full Disk Encryption and Media Encryption

We are using McAfee Endpoint Encryption, which allows us to apply FDE preboot on laptops, and we're moving toward AutoBoot on workstations. The McAfee endpoint tool allows us to force encryption if anyone wants to write to a USB or optical media. There's a lot of options and flexibility. As we've been using EPO for quite a while, management has not been a problem. When we pushed out FDE we had some problems because we didn't check the health of the disks on our laptops prior to encrypting and bricked a few. So take a good look at McAfee endpoint encryption. I know there are other products that others are using and like very much also.

Cheers.
-grish
David Grisham, PhD, CISM, CRISC
Manager IT Security

>>> Jim Furstenberg <JamesFurstenberg () FERRIS EDU> 1/30/2013 11:22 AM >>>
Full Disk Encryption and Media Encryption

Just wanted to see what vendors (enterprise solutions) folks are using for FDE and MDE needs. We currently have Checkpoint, which is very unfriendly, so I am looking at options. Any help would be greatly appreciated. Thank you.

Jim Furstenberg | IT Security Analyst CISSP, C|EH
"In God we trust, all others bring data." W. Edward Demmings
_________________________________________________________
Ferris State University - National Security Agency Center of Excellence
330 Oak St | Big Rapids, MI 49307
Office: 231.591.5335 Mobile: 231.645.5821 EFax: 888.396.6269
Technical support or call 231-591-4822 local or toll free 877-779-4822

-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
--
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
(319) 273-7434
http://www.uni.edu/elukens/

If you see an attachment called smime.p7s, you may disregard it. It is an S/MIME digital signature file to validate the authenticity of this email message.
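The "encrypt only the data drive, escrow the key to the domain, and kill auto-unlock" setup Eric describes, scripted as an added example (this is not code from the thread or from any of the posters). It assumes Windows 8 / Server 2012 or later for the BitLocker PowerShell module, that the fixed-drive recovery Group Policy already backs recovery information up to AD DS, and that the data volume is D: (the drive letter is an assumption).

```powershell
# Added example, not from the thread. Assumes Windows 8 / Server 2012+
# (BitLocker PowerShell module), the fixed-drive recovery GP pointing at
# AD DS, and a data volume at D: (drive letter is an assumption).
param([string]$DataDrive = 'D:')

$vol = Get-BitLockerVolume -MountPoint $DataDrive
if ($vol.VolumeType -ne 'Data') {
    # Refuse to touch the OS volume: the whole point is no pre-boot step.
    throw "$DataDrive is not a fixed data volume; leaving it alone."
}

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # 1. Add the 48-digit recovery password first, so a recoverable
    #    protector exists before any encryption starts.
    Add-BitLockerKeyProtector -MountPoint $DataDrive -RecoveryPasswordProtector | Out-Null

    # 2. Encrypt with a user password. AES-128 is BitLocker's default and
    #    is cheap even on older hardware; -UsedSpaceOnly shortens the
    #    initial pass on Win 8+.
    $pw = Read-Host -AsSecureString 'Password to unlock the data drive'
    Enable-BitLocker -MountPoint $DataDrive -EncryptionMethod Aes128 `
        -PasswordProtector -Password $pw -UsedSpaceOnly | Out-Null
}

# 3. Escrow every recovery password to AD DS so delegated admins can
#    retrieve it later (this is the centralized recovery piece).
$vol = Get-BitLockerVolume -MountPoint $DataDrive
foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Backup-BitLockerKeyProtector -MountPoint $DataDrive -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# 4. Auto-unlock stores an external key on the unencrypted OS volume,
#    which defeats encrypting D: on a laptop. Turn it off if a user
#    switched it on.
if ($vol.AutoUnlockEnabled) {
    Disable-BitLockerAutoUnlock -MountPoint $DataDrive
}

# 5. Report the resulting state, e.g. for a compliance check.
Get-BitLockerVolume -MountPoint $DataDrive |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } },
        AutoUnlockEnabled
```

Run it from an elevated PowerShell on the laptop; re-running it is safe because it only encrypts when the volume is still fully decrypted and only disables auto-unlock when it is actually on.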