Solved supporting an office of computers with full drive encryption
-
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
How do you ever? Is there any system that works in one case and not another? If you can't decrypt before logon... all encryption will cause teh system to be useless.
Scott - Clearly I'm an idiot..
I need an exact blow by blow how you would configure a Windows 10 system to have all but the admin profile saved to an encrypted D : drive, that would leave that D drive enrypted while updates are running, yet somehow decrypt the D drive when the user wants to be logged in.Why must the admin profile not be included? Maybe I'm missing when that is used when there is no one logged in.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@NerdyDad said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
Key is stored in the TPM. TPM/Bios/UEFI decrypts the drive in order to boot Windows before login.
This is not what Scott is talking about at all though.
I've not tested this, but any reason it can't work with just one partition like LUKS can?
No clue what LUKS is, but assuming a single partition, how do you do remote updates to an encrypted drive? I'm assuming it can't boot without a user there to type in a password.
-
@Dashrender said in supporting an office of computers with full drive encryption:
No clue what LUKS is, but assuming a single partition, how do you do remote updates to an encrypted drive?
That's my whole goal here. Encrypt a single partition (D drive with users data on it) and leave C drive unencrypted so that the system can update automatically. User space doesn't get patched, so that it is encrypted shouldn't matter, or matter much (if something needs to be updated there you do it at a different time, the OS is way more important.)
-
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@NerdyDad said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
Key is stored in the TPM. TPM/Bios/UEFI decrypts the drive in order to boot Windows before login.
This is not what Scott is talking about at all though.
I've not tested this, but any reason it can't work with just one partition like LUKS can?
No clue what LUKS is, but assuming a single partition, how do you do remote updates to an encrypted drive? I'm assuming it can't boot without a user there to type in a password.
We can encrypt home directories and still boot the machine. Why would it not be able to boot? The user data is on a separate drive. I'm lost as to why it wouldn't work.
-
This is with LUKS. I don't know how Windows would handle this.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
This is with LUKS. I don't know how Windows would handle this.
Yeah, LUKS works easily for me too. One of the many "trivially easy on Linux, pain in the butt on Windows."
-
@stacksofplates said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@NerdyDad said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
Key is stored in the TPM. TPM/Bios/UEFI decrypts the drive in order to boot Windows before login.
This is not what Scott is talking about at all though.
I've not tested this, but any reason it can't work with just one partition like LUKS can?
No clue what LUKS is, but assuming a single partition, how do you do remote updates to an encrypted drive? I'm assuming it can't boot without a user there to type in a password.
We can encrypt home directories and still boot the machine. Why would it not be able to boot? The user data is on a separate drive. I'm lost as to why it wouldn't work.
I'm not talking about BOOTING, I'm talking about loading the user profile. In the case of Windows - how would you load a profile that's stored on an encrypted (still locked) partition? When you enter the username/password, the system tries to load the profile from D but can't becuase it's locked. But you can't unlock it until after you log in.
See the problem?
-
@Dashrender said in supporting an office of computers with full drive encryption:
I'm not talking about BOOTING, I'm talking about loading the user profile. In the case of Windows - how would you load a profile that's stored on an encrypted (still locked) partition? When you enter the username/password, the system tries to load the profile from D but can't becuase it's locked. But you can't unlock it until after you log in.
See the problem?
Yes, the issue is that you are assuming that we want to unlock it AFTER boot time. I don't think we had suggested that. So you are seeing a problem that we had not because you have a use case we weren't considering supporting.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
I'm not talking about BOOTING, I'm talking about loading the user profile. In the case of Windows - how would you load a profile that's stored on an encrypted (still locked) partition? When you enter the username/password, the system tries to load the profile from D but can't becuase it's locked. But you can't unlock it until after you log in.
See the problem?
Yes, the issue is that you are assuming that we want to unlock it AFTER boot time. I don't think we had suggested that. So you are seeing a problem that we had not because you have a use case we weren't considering supporting.
OK, let's assume that is correct, how do you propose protecting that data when the system is booted up and updates are being applied? Now maybe the answer is, it doesn't matter, when updates are being applied no user is logged in, and for a hacker to gain access they'd still have to log in. OK maybe..
But how did the computer bootup in the first place? The whole reason is the OS isn't encrypted is because we want to be able to do remote updates, which requires the PC to be on and booted. And if the PC can be one and booted without a password supplied, then someone could probably hack the boot partition in an attempt to get the key that I assume must be stored in the OS partition to unlock the data partition upon boot, right? -
@Dashrender said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@NerdyDad said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
Key is stored in the TPM. TPM/Bios/UEFI decrypts the drive in order to boot Windows before login.
This is not what Scott is talking about at all though.
I've not tested this, but any reason it can't work with just one partition like LUKS can?
No clue what LUKS is, but assuming a single partition, how do you do remote updates to an encrypted drive? I'm assuming it can't boot without a user there to type in a password.
We can encrypt home directories and still boot the machine. Why would it not be able to boot? The user data is on a separate drive. I'm lost as to why it wouldn't work.
I'm not talking about BOOTING, I'm talking about loading the user profile. In the case of Windows - how would you load a profile that's stored on an encrypted (still locked) partition? When you enter the username/password, the system tries to load the profile from D but can't becuase it's locked. But you can't unlock it until after you log in.
See the problem?
LUKS uses the users password to unlock the partition.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@NerdyDad said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
Key is stored in the TPM. TPM/Bios/UEFI decrypts the drive in order to boot Windows before login.
This is not what Scott is talking about at all though.
I've not tested this, but any reason it can't work with just one partition like LUKS can?
No clue what LUKS is, but assuming a single partition, how do you do remote updates to an encrypted drive? I'm assuming it can't boot without a user there to type in a password.
We can encrypt home directories and still boot the machine. Why would it not be able to boot? The user data is on a separate drive. I'm lost as to why it wouldn't work.
I'm not talking about BOOTING, I'm talking about loading the user profile. In the case of Windows - how would you load a profile that's stored on an encrypted (still locked) partition? When you enter the username/password, the system tries to load the profile from D but can't becuase it's locked. But you can't unlock it until after you log in.
See the problem?
LUKS uses the users password to unlock the partition.
That would be awesome, and totally solve this problem - any know if Bitlocker can do this? I think @dafyre tried but it didn't work.
-
@Dashrender said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@NerdyDad said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
Key is stored in the TPM. TPM/Bios/UEFI decrypts the drive in order to boot Windows before login.
This is not what Scott is talking about at all though.
I've not tested this, but any reason it can't work with just one partition like LUKS can?
No clue what LUKS is, but assuming a single partition, how do you do remote updates to an encrypted drive? I'm assuming it can't boot without a user there to type in a password.
We can encrypt home directories and still boot the machine. Why would it not be able to boot? The user data is on a separate drive. I'm lost as to why it wouldn't work.
I'm not talking about BOOTING, I'm talking about loading the user profile. In the case of Windows - how would you load a profile that's stored on an encrypted (still locked) partition? When you enter the username/password, the system tries to load the profile from D but can't becuase it's locked. But you can't unlock it until after you log in.
See the problem?
LUKS uses the users password to unlock the partition.
That would be awesome, and totally solve this problem - any know if Bitlocker can do this? I think @dafyre tried but it didn't work.
Ah I lied. Ubuntu uses encryptfs which does the auto unencrypt. LUKS will ask for the password for the home directory.
Edit: eCryptFS. Stupid phone keyboard.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@NerdyDad said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
Key is stored in the TPM. TPM/Bios/UEFI decrypts the drive in order to boot Windows before login.
This is not what Scott is talking about at all though.
I've not tested this, but any reason it can't work with just one partition like LUKS can?
No clue what LUKS is, but assuming a single partition, how do you do remote updates to an encrypted drive? I'm assuming it can't boot without a user there to type in a password.
We can encrypt home directories and still boot the machine. Why would it not be able to boot? The user data is on a separate drive. I'm lost as to why it wouldn't work.
I'm not talking about BOOTING, I'm talking about loading the user profile. In the case of Windows - how would you load a profile that's stored on an encrypted (still locked) partition? When you enter the username/password, the system tries to load the profile from D but can't becuase it's locked. But you can't unlock it until after you log in.
See the problem?
LUKS uses the users password to unlock the partition.
That would be awesome, and totally solve this problem - any know if Bitlocker can do this? I think @dafyre tried but it didn't work.
Ah I lied. Ubuntu uses encryptfs which does the auto unencrypt. LUKS will ask for the password for the home directory.
How does LUKS work then when you are logging in? I take it in a command line there isn't much if anything to really load up profile wise.
-
@Dashrender said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@NerdyDad said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
Key is stored in the TPM. TPM/Bios/UEFI decrypts the drive in order to boot Windows before login.
This is not what Scott is talking about at all though.
I've not tested this, but any reason it can't work with just one partition like LUKS can?
No clue what LUKS is, but assuming a single partition, how do you do remote updates to an encrypted drive? I'm assuming it can't boot without a user there to type in a password.
We can encrypt home directories and still boot the machine. Why would it not be able to boot? The user data is on a separate drive. I'm lost as to why it wouldn't work.
I'm not talking about BOOTING, I'm talking about loading the user profile. In the case of Windows - how would you load a profile that's stored on an encrypted (still locked) partition? When you enter the username/password, the system tries to load the profile from D but can't becuase it's locked. But you can't unlock it until after you log in.
See the problem?
LUKS uses the users password to unlock the partition.
That would be awesome, and totally solve this problem - any know if Bitlocker can do this? I think @dafyre tried but it didn't work.
Ah I lied. Ubuntu uses encryptfs which does the auto unencrypt. LUKS will ask for the password for the home directory.
How does LUKS work then when you are logging in? I take it in a command line there isn't much if anything to really load up profile wise.
Right. During boot it asks for the volume/drive password.
-
A big plus for LUKS though is you can have more than one key. So an Admin can set a key and a user can also.
-
@Dashrender said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@NerdyDad said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Dashrender said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
the files written to the disk are encrypted (or not written at all.)
OK I think I see what Scott is writing here. IE has a setting:
https://i.imgur.com/audFdVc.pngThis will prevent encrypted pages from being saved to disk.
But my question to @scottalanmiller is - What about confidential information that is viewed over a non encrypted connection?
Is there a way to make IE, and all other software, not write temp files to the drive at all? And of course, I never saw any discussion at all about the page file, which as far as I know can only be encrypted when using full disk encryption.
Not that I know of, but you can make sure that it only writes to the encrypted user drive.
how?
By putting the user's directories on D... the thing we are discussing.
Not trusting Windows is a different matter. If you feel Windows simply can't be trusted, the only answer is really to leave Windows.
I do trust Windows, let's just assume that they aren't doing anything wrong. I still don't know how you access an encrypted location during logon so that Windows can load the profile. How are you accomplishing this?
You don't, you decrypt it before logging in. No matter what you do, encryption comes out to be a pain.
HOW? How are you decrypting before logon? This is what Mike wants to know.
Key is stored in the TPM. TPM/Bios/UEFI decrypts the drive in order to boot Windows before login.
This is not what Scott is talking about at all though.
I've not tested this, but any reason it can't work with just one partition like LUKS can?
No clue what LUKS is, but assuming a single partition, how do you do remote updates to an encrypted drive? I'm assuming it can't boot without a user there to type in a password.
We can encrypt home directories and still boot the machine. Why would it not be able to boot? The user data is on a separate drive. I'm lost as to why it wouldn't work.
I'm not talking about BOOTING, I'm talking about loading the user profile. In the case of Windows - how would you load a profile that's stored on an encrypted (still locked) partition? When you enter the username/password, the system tries to load the profile from D but can't becuase it's locked. But you can't unlock it until after you log in.
See the problem?
LUKS uses the users password to unlock the partition.
That would be awesome, and totally solve this problem - any know if Bitlocker can do this? I think @dafyre tried but it didn't work.
No bitlocker does not do that. You have to get a third party software to do it.
-
One thing to consider is not doing full disk means that someone can possibly modify or install a modified version of a piece of software or install a key logger on the OS disk. Then the password doesn't matter.
-
@Dashrender said in supporting an office of computers with full drive encryption:
OK, let's assume that is correct, how do you propose protecting that data when the system is booted up and updates are being applied?
By having it be encrypted and even the OS can't access it.
-
@Dashrender said in supporting an office of computers with full drive encryption:
But how did the computer bootup in the first place? The whole reason is the OS isn't encrypted is because we want to be able to do remote updates, which requires the PC to be on and booted. And if the PC can be one and booted without a password supplied, then someone could probably hack the boot partition in an attempt to get the key that I assume must be stored in the OS partition to unlock the data partition upon boot, right?
If the OS has the key, the whole system doesn't work. The key has to be held by the user, not the OS regardless of anything else. Full disk, partial disk (partition encryption)... the key can't be on the drive.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
One thing to consider is not doing full disk means that someone can possibly modify or install a modified version of a piece of software or install a key logger on the OS disk. Then the password doesn't matter.
That's potentially true. Could happen on the UEFI too, though.