Message from eric.lukens@uni.edu

At least on Windows 7 and above, you could do that with BitLocker--though it might not be as user friendly as other options, but 2012 does make it better. You need to configure Group Policy to force the recovery keys to be sent to the domain; then your DAs (or others you delegate) can view the recovery keys. When doing so, you can set the different kinds of recovery keys for BitLocker to be sent up--removable drives, fixed drives, or boot drives. Then you need to review all the GP settings for BitLocker to make sure the password requirements meet your needs, along with other settings.

Using non-boot drives with BitLocker adds no boot overhead and doesn't require extra care when upgrading the BIOS or making BIOS changes. That said, AES 128, the default in BitLocker, is not much overhead--even on older machines. For newer machines with AES instructions built into the proc, the overhead is virtually non-existent (though the paranoid on Win 8/2012 can force software encryption).

However, Windows will let the user set an option to automatically unlock BitLocker drives under some circumstances, so you need to manually force a registry key to be unwritable or cleared:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock

Alternatively, you can force BitLocker to not allow the creation of 256-bit recovery keys, which is what BitLocker uses to auto-unlock drives (assuming you're fine just using the shorter, manually-entered keys).

To force the encryption on users, that'll take some scripting kung fu; it can be done, but it isn't pretty. If you want help/more details, let me know.

-Eric
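The following script is an added example for this thread, not Eric's own script and not something the original posts contain. It strings together the steps in the message above on one machine: audit the fixed-drive recovery policy that Group Policy should already have applied, turn BitLocker on for the data volume only (so the OS volume stays clear and there is no pre-boot prompt), escrow the 48-digit recovery password to AD DS, and close the auto-unlock path. Assumptions that are mine rather than the page's: `manage-bde.exe` is present (Windows 7 / Server 2012 era, so no BitLocker PowerShell module is relied on), `D:` is the data volume and `C:` the OS volume, and the policy value names (`FDV*` under `HKLM\SOFTWARE\Policies\Microsoft\FVE`) are the ones written by the stock VolumeEncryption.admx template.

```powershell
# Added example, not from the original thread. Run elevated in the user's own session
# (a logon script is the natural place), because -Password prompts interactively and
# because the HKCU key at the end must be the logged-on user's hive, not an admin's.
param(
    [string]$DataDrive = 'D:',   # assumption: encrypted data volume
    [string]$OsDrive   = 'C:'    # assumption: OS volume, deliberately left unencrypted
)

# 1. Audit the Group Policy values Eric says to review. Names are those written by
#    VolumeEncryption.admx for fixed data volumes; 0 = not allowed, 1 = allowed, 2 = required.
$fvePolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
$expected = @{
    FDVActiveDirectoryBackup        = 1   # store recovery info for fixed drives in AD DS
    FDVRequireActiveDirectoryBackup = 1   # refuse to turn BitLocker on until escrow succeeds
    FDVRecoveryPassword             = 2   # 48-digit recovery password is mandatory
    FDVRecoveryKey                  = 0   # 256-bit recovery key not allowed (Eric's alternative fix)
}
$policyOk = $true
foreach ($name in $expected.Keys) {
    $actual = if ($fvePolicy) { $fvePolicy.$name } else { $null }
    if ($actual -ne $expected[$name]) {
        Write-Warning ("{0} = '{1}', expected {2}; fix the GPO, not the local registry." -f $name, $actual, $expected[$name])
        $policyOk = $false
    }
}
if (-not $policyOk) { throw 'Fixed-drive recovery policy is not in the expected state; stopping.' }

# 2. Turn "manage-bde -status" output into fields the rest of the script can test.
function Get-BdeStatus([string]$Drive) {
    $out  = (& manage-bde.exe -status $Drive 2>&1) -join "`n"
    $conv = if ($out -match 'Conversion Status:\s*(.+)') { $Matches[1].Trim() } else { 'Unknown' }
    $prot = if ($out -match 'Protection Status:\s*(.+)') { $Matches[1].Trim() } else { 'Unknown' }
    New-Object PSObject -Property @{ Drive = $Drive; Conversion = $conv; Protection = $prot }
}

$os = Get-BdeStatus $OsDrive
if ($os.Protection -ne 'Protection Off') {
    Write-Warning "$OsDrive shows '$($os.Protection)'; the whole point here is an unencrypted boot volume."
}

# 3. Encrypt the data volume only. -Password is what the user types to unlock it;
#    -RecoveryPassword creates the 48-digit protector that AD keeps.
$data = Get-BdeStatus $DataDrive
if ($data.Conversion -eq 'Fully Decrypted') {
    & manage-bde.exe -on $DataDrive -RecoveryPassword -Password
    if ($LASTEXITCODE -ne 0) { throw "manage-bde -on $DataDrive failed (exit $LASTEXITCODE)" }
}

# 4. Escrow the recovery password to AD explicitly. With FDVRequireActiveDirectoryBackup it
#    already happened in step 3; re-running -adbackup is harmless and catches volumes that
#    were encrypted before the policy existed. The ID is parsed from the protector listing:
#        Numerical Password:
#          ID: {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
$protectors = (& manage-bde.exe -protectors -get $DataDrive 2>&1) -join "`n"
if ($protectors -match 'Numerical Password:\s+ID:\s*(\{[0-9A-Fa-f-]+\})') {
    $id = $Matches[1]
    & manage-bde.exe -protectors -adbackup $DataDrive -id $id
    if ($LASTEXITCODE -ne 0) { throw "AD backup of recovery password $id failed (exit $LASTEXITCODE)" }
} else {
    throw "No numerical (recovery) password protector found on $DataDrive"
}

# 5. Close the auto-unlock door: disable it on the data volume, drop any auto-unlock keys
#    already cached on the OS volume, and remove the per-user key named in the thread so the
#    "Automatically unlock this drive" checkbox has nothing to fall back on.
& manage-bde.exe -autounlock -disable $DataDrive  | Out-Null   # errors if never enabled; fine
& manage-bde.exe -autounlock -clearallkeys $OsDrive | Out-Null
$userKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock'
if (Test-Path $userKey) { Remove-Item -Path $userKey -Recurse -Force }

Get-BdeStatus $DataDrive | Format-List Drive, Conversion, Protection
```

Step 1 deliberately refuses to continue rather than writing the policy values locally: if the GPO is wrong, a locally patched registry would be overwritten at the next refresh, and the recovery password would be created without being escrowed. Step 5 only clears the user key; making it unwritable, as Eric also suggests, is an ACL change on that key and is left to the reader's own hardening script.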
Comments

Hi folks. Apologies for the hijack, but here's what we're struggling with: We run Symantec Endpoint Encryption (whole disk) only on our administrative laptops, but the boot time hit is bad, plus the process of having to "register users" into the system is more than a lot of folks can handle/manage/understand. So the idea has been broached of partitioning all admin laptops into an unencrypted C:/boot drive (thus improving the boot time), but also having an encrypted D:/data disk where everyone will need to store their data. This sounded like a good theory until we were told that even if the boot partition isn't encrypted, the system will still have to go through the SEE pre-boot environment; hence, we may not get any boot time gains. Which is also driving the discussion toward BitLocker (especially with some of the recovery improvements that come with BitLocker in a WinServer 2012 environment), but I'm not sure if BitLocker doesn't require the same kind of pre-boot process?

Anyone know if there's an elegant way to encrypt a data drive, not encrypt the boot drive, and not require the system to go through a pre-boot process, AND allow for some sort of automated and centralized key recovery capability?

Thanks, Michael