Solved supporting an office of computers with full drive encryption
-
Wouldn't Windows Updates be difficult too? Most of the time you need a restart to finish configuring the updates.
-
We do on one set of our machines. It's a pain to type the LUKS password in every time, esp since there is literally no data on the workstations. Everything is automounted.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
-
Turn the workstations into disk-less thin clients maybe?
-
@travisdh1 said in supporting an office of computers with full drive encryption:
Turn the workstations into disk-less thin clients maybe?
Cutting off your nose to spite your face?
-
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
True. You'd have to remove the hardware key every time you moved away from the computer/device. Uck. Yeah, no good solution.
Yeah, if it was on a keychain around your neck and replaced a password in that way, sure that would be fine in many cases.
-
@black3dynamite said in supporting an office of computers with full drive encryption:
Wouldn't Windows Updates be difficult too? Most of the time you need a restart to finish configuring the updates.
Yes, which is why essentially no one does full disk in the real world. It's a silly thing and absolutely nothing actually requires it. People say that, but no regulation does.
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
Well I have been a security consultant
-
@travisdh1 said in supporting an office of computers with full drive encryption:
Turn the workstations into disk-less thin clients maybe?
This is actually more viable than it sounds. Of course there are products like Jentu that sound like they do this but when pushed, appear to not really exist. We tried, a lot, to get this shown to us in person and once it was clear we weren't going to accept a remote video but needed to actually see the product... they ran away and never responded to us again. Even their internal staff admitted they'd only seen prepped demos and had never seen the product.
That being said, if you use a simple tool like Aclouda (they have some hardware on display here at VeeamOn in fact) in your desktop and a SAN, especially one with gobs of cache like Starwind (also here at VeeamOn) you can make a thin client that might actually be faster than normal disk as nearly everything gets served out of a RAM cache.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@black3dynamite said in supporting an office of computers with full drive encryption:
Wouldn't Windows Updates be difficult too? Most of the time you need a restart to finish configuring the updates.
Yes, which is why essentially no one does full disk in the real world. It's a silly thing and absolutely nothing actually requires it. People say that, but no regulation does.
We are. The govt can assert whatever requirements they want depending on "how they read it". It's nuts.
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
Ya corporate puts bitlocker on machines. It's pointless.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
Ya corporate puts bitlocker on machines. It's pointless.
Why is it pointless? It does not work?
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
Ya corporate puts bitlocker on machines. It's pointless.
Why is it pointless? It does not work?
I guess pointless is strong. But its only useful if someone steals a drive. If they steal the whole machine it will auto unencrypt on boot.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
Ya corporate puts bitlocker on machines. It's pointless.
Why is it pointless? It does not work?
I guess pointless is strong. But its only useful if someone steals a drive. If they steal the whole machine it will auto unencrypt on boot.
auto unencrypt? don't you need a password to decrypt?
This is the exact scenario we need to prevent - theft of machines. Seems like it would do a good job
-
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
Ya corporate puts bitlocker on machines. It's pointless.
Why is it pointless? It does not work?
I guess pointless is strong. But its only useful if someone steals a drive. If they steal the whole machine it will auto unencrypt on boot.
auto unencrypt? don't you need a password to decrypt?
This is the exact scenario we need to prevent - theft of machines. Seems like it would do a good job
No. It only stops booting if something changes. Like you plug a monitor into the wrong port. If someone steals a whole laptop it will just boot right to the OS.
-
That may be a setting that can be enabled, idk. I don't manage it.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
Ya corporate puts bitlocker on machines. It's pointless.
Why is it pointless? It does not work?
I guess pointless is strong. But its only useful if someone steals a drive. If they steal the whole machine it will auto unencrypt on boot.
Which basically means it was put there to trick a manager who is an idiot.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
That may be a setting that can be enabled, idk. I don't manage it.
Good lord I hope you can enable forced password, otherwise you're right, wtf?!
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@MattSpeller said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@travisdh1 said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
so a remote reboot is a no go since you would need to be onsite to put the password in?
That's a real possibility, yes.
My preferred method would be to use something like a Yubikey or some sort of removable hardware key. That way remote reboots aren't an issue.
Although that arguably is not encrypted. If you were to test that encryption locally, you'd find it to be.... not encrypted.
You're going to have that problem no matter what tho. Once booted, what does it even matter?
We aren't talking about "once booted", we are talking about "if someone steals the device, will they find the data encrypted." Is it even considered encrypted at rest if it decrypts transparently?
My recent audit agrees with Scott and we are moving to something like bitlocker with Sophos management.
Sigh. Watching this thread with great interest
Ya corporate puts bitlocker on machines. It's pointless.
Why is it pointless? It does not work?
I guess pointless is strong. But its only useful if someone steals a drive. If they steal the whole machine it will auto unencrypt on boot.
Which basically means it was put there to trick a manager who is an idiot.
Or just to check a box (to get past an audit) which is just as bad.
-
Hmm. I've been trying to convince my boss to consider thin clients for our users and I think this argument may help me in at least getting him to consider it.