Solved supporting an office of computers with full drive encryption
-
Does anyone support an office of computers that are using full drive encryption? I'm considering a client that has this requirement (I don't know if they are currently meeting the requirement.) and was wondering how much extra time might be consumed by supporting that.
-
The only downside is someone having to enter a password every time a computer boots up. It's possible they've got hardware keys of some sort, in which case keeping the matching hardware together is the key. Worst case imo, they're using hardware keys built into the motherboard (hope they've got good backups!)
-
so a remote reboot is a no go since you would need to be onsite to put the password in?
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
Does anyone support an office of computers that are using full drive encryption? I'm considering a client that has this requirement (I don't know if they are currently meeting the requirement.) and was wondering how much extra time might be consumed by supporting that.
An enormous amount unless you manage to get them to ensure that they will deal with all of that.
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
Of course, if you don't need a password, what would encrypted even mean if nothing was encrypted?
-
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
Or out of band management on the user system . .
-
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
True. You'd have to remove the hardware key every time you moved away from the computer/device. Uck. Yeah, no good solution.
-
Wouldn't Windows Updates be difficult too? Most of the time you need a restart to finish configuring the updates.
-
We do on one set of our machines. It's a pain to type the LUKS password in every time, esp since there is literally no data on the workstations. Everything is automounted.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
-
Turn the workstations into disk-less thin clients maybe?
-
@travisdh1 said in supporting an office of computers with full drive encryption:
Turn the workstations into disk-less thin clients maybe?
Cutting off your nose to spite your face?
-
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
True. You'd have to remove the hardware key every time you moved away from the computer/device. Uck. Yeah, no good solution.
Yeah, if it was on a keychain around your neck and replaced a password in that way, sure that would be fine in many cases.
-
@black3dynamite said in supporting an office of computers with full drive encryption:
Wouldn't Windows Updates be difficult too? Most of the time you need a restart to finish configuring the updates.
Yes, which is why essentially no one does full disk in the real world. It's a silly thing and absolutely nothing actually requires it. People say that, but no regulation does.
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
Well I have been a security consultant
-
@travisdh1 said in supporting an office of computers with full drive encryption:
Turn the workstations into disk-less thin clients maybe?
This is actually more viable than it sounds. Of course there are products like Jentu that sound like they do this but when pushed, appear to not really exist. We tried, a lot, to get this shown to us in person and once it was clear we weren't going to accept a remote video but needed to actually see the product... they ran away and never responded to us again. Even their internal staff admitted they'd only seen prepped demos and had never seen the product.
That being said, if you use a simple tool like Aclouda (they have some hardware on display here at VeeamOn in fact) in your desktop and a SAN, especially one with gobs of cache like Starwind (also here at VeeamOn) you can make a thin client that might actually be faster than normal disk as nearly everything gets served out of a RAM cache.
