Message from eric.lukens@uni.edu

At least on Windows 7 and above, you could do that with Bitlocker--though it might not be as user friendly as other options, but 2012 does make it better. You need to configure Group Policy to force the recovery keys to be sent to the domain; then your DAs (or others you delegate) can view the recovery keys. When doing so, you can set the different kinds of recovery keys for Bitlocker to be sent up--removable drives, fixed drives, or boot drives. Then you need to review all the GP settings for Bitlocker to make sure the password requirements meet your needs along with other settings.

Using non-boot drives with Bitlocker adds no boot overhead and doesn't require extra care when upgrading the BIOS or making BIOS changes. That said, AES 128, the default in Bitlocker, is not much overhead--even on older machines. For newer machines with AES instructions built into the proc, the overhead is virtually non-existent (though the paranoid on Win 8/2012 can force software encryption).

However, Windows will let the user set an option to automatically unlock Bitlocker drives under some circumstances, so you need to manually force a registry key to be unwritable or cleared:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock

Alternatively, you can force Bitlocker to not allow the creation of 256-bit recovery keys, which is what Bitlocker uses to auto-unlock drives (assuming you're fine just using the shorter, manually-entered keys).

To force the encryption on users, that'll take some scripting kung fu; it can be done, but it isn't pretty. If you want help/more details, let me know.

-Eric
Attachment: smime.p7s (4.33 KB)
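The data-volume setup Eric describes (encrypt only the non-boot drive, escrow the recovery password in AD, and shut off auto-unlock) can be audited and enforced from a script. The following is an added example, not code from Eric or from the original thread. It assumes the BitLocker PowerShell module, which exists on Windows 8 / Server 2012 and later (Windows 7 only has manage-bde), a data partition mounted at D:, a domain-joined machine with the "store recovery information in AD DS" Group Policy already in place, and an elevated session. The function names, the D: mount point and the password-protector approach are this example's own choices.

```powershell
# Added example (not from the thread): audit and enforce BitLocker on a data-only
# volume so the boot drive stays unencrypted and no pre-boot prompt is introduced.
# Assumptions: BitLocker PowerShell module (Windows 8 / Server 2012 and later),
# a data volume mounted at D:, and a GPO that requires AD DS recovery-key backup.

#Requires -RunAsAdministrator
Import-Module BitLocker

$DataVolume    = 'D:'   # assumed mount point of the data partition
# Per-user auto-unlock state lives under this HKCU key, as noted in the thread.
$AutoUnlockKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\FveAutoUnlock'

function Get-DataVolumeReport {
    param([string]$MountPoint = $DataVolume)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        VolumeStatus      = $vol.VolumeStatus       # FullyDecrypted / EncryptionInProgress / FullyEncrypted
        ProtectionStatus  = $vol.ProtectionStatus   # stays Off until encryption finishes and protectors are active
        EncryptionMethod  = $vol.EncryptionMethod
        AutoUnlockEnabled = $vol.AutoUnlockEnabled
        Protectors        = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
        AutoUnlockRegKey  = Test-Path $AutoUnlockKey  # $true means cached auto-unlock entries exist for this user
    }
}

function Enable-DataVolumeProtection {
    param(
        [string]$MountPoint = $DataVolume,
        [Parameter(Mandatory)][securestring]$Password   # the manually entered unlock password
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # 1. Encrypt with a password protector only: a data volume needs no TPM binding,
    #    so nothing is added to the boot path.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes128 `
            -PasswordProtector -Password $Password -UsedSpaceOnly | Out-Null
    }

    # 2. Ensure a 48-digit recovery password protector exists, then escrow it in AD DS.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    }
    foreach ($p in $rp) {
        # Throws if no DC is reachable; treat that as a reason to hold the rollout,
        # not to continue with a key that nobody central can recover.
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }

    # 3. Remove auto-unlock so the data volume cannot be opened without the password.
    if ((Get-BitLockerVolume -MountPoint $MountPoint).AutoUnlockEnabled) {
        Disable-BitLockerAutoUnlock -MountPoint $MountPoint | Out-Null
    }
    # Clear the current user's cached auto-unlock entries as well.
    if (Test-Path $AutoUnlockKey) { Remove-Item $AutoUnlockKey -Recurse -Force }

    Get-DataVolumeReport -MountPoint $MountPoint
}

# Example run (interactive):
# $pw = Read-Host -AsSecureString 'Data volume password'
# Enable-DataVolumeProtection -Password $pw
```

Get-DataVolumeReport on its own is the audit half: run it across the fleet and any volume reporting AutoUnlockEnabled as true, a missing RecoveryPassword protector, or ProtectionStatus Off is out of policy. Clearing the HKCU key only affects the user whose hive is loaded, so the check needs to run in each user's context or at logon; it does not make the key unwritable, which would additionally need an ACL on the key.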

Comments

Hi folks,

Apologies for the hijack, but here's what we're struggling with: We run Symantec Endpoint Encryption (whole disk) only on our administrative laptops, but the boot time hit is bad, plus the process of having to "register users" into the system is more than a lot of folks can handle/manage/understand. So the idea has been broached of partitioning all admin laptops into an unencrypted C:/boot drive (thus improving the boot time), but also having an encrypted D:/data disk where everyone will need to store their data. This sounded like a good theory until we were told that even if the boot partition isn't encrypted, the system will still have to go through the SEE pre-boot environment; hence, we may not get any boot time gains. Which is also driving the discussion toward BitLocker (especially with some of the recovery improvements that come with BitLocker in a WinServer 2012 environment)... but I'm not sure if BitLocker doesn't require the same kind of pre-boot process?

Anyone know if there's an elegant way to encrypt a data drive, not encrypt the boot drive, and not require the system to go through a pre-boot process, AND allow for some sort of automated and centralized key recovery capability?

Thanks,
Michael