HDD Encryption

Started by Dieselboy, June 23, 2017, 04:20:02 AM


Dieselboy

I'm a bit late in the game here but this week I worked on a solution to manage our Apple Macs and Windows systems.

I found this to be pretty easy in the end. My biggest concern wasn't the encryption but getting the system recovered if we somehow don't secure the encryption key.

I chose these options:

1. Manage Apple devices (FileVault) with our company iCloud account
2. Manage Windows devices (BitLocker) with our company Active Directory

With the Apple devices, I created a local admin account and used that to initiate the FileVault encryption for newly built laptops. When you turn on FileVault (on OS X 10.12.5) it gives you the option of backing up to iCloud. I chose this.
For laptops already in use (not encrypted prior to issuing them), I'm initiating this from the user's account and choosing the same iCloud option.
RECOVERY: For recovering, at the login window there's an icon you can click on to initiate recovery from iCloud. This is only found under the account that initiated the encryption, so don't delete that account.

With Windows devices it was a bit more involved, but a bit easier for recovery.
Pre-requisites:
1. Install the BitLocker tools on AD so that you can see the BitLocker details directly under the computer account within AD.
2. Create a GPO that tells the endpoint to send the BitLocker details (recovery key) to AD.
2.5. Also set the GPO to allow BitLocker if the device does not have a TPM module.
3. The system must already be domain-joined prior to turning on BitLocker.

After you've done the above, you can turn on BitLocker. AD should be updated with the key.

RECOVERY: At the password boot screen, if you cannot unlock the disk (forgot password / no password), press the ESC key and it gives you the BitLocker key ID. You then go to the computer account for that system in AD and match the ID with the key. Enter the key into the device to unlock it.

Note: Devices with TPM are unlocked automatically
Note 2: If the BitLocker key is not updated in AD, I have a .bat script that the user or you can run so that the key is updated in AD (it first changes the key, then updates it).
:smug:
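An added PowerShell example for the Windows procedure above. This is my code, not Dieselboy's .bat script or anything from Microsoft's documentation: it checks the policy values the GPO from steps 2 and 2.5 should have delivered, enforces the domain-join prerequisite from step 3, turns on BitLocker with a TPM protector or, failing that, a startup password, escrows the recovery password to AD, rotates and re-escrows it (the job of the .bat in Note 2), and gives the helpdesk-side lookup that matches the Key ID from the ESC screen against the msFVE-RecoveryInformation objects under the computer account. Assumptions, all mine: the OS volume is C:, the script runs elevated on a client with the BitLocker PowerShell module, the lookup runs on a machine with RSAT's ActiveDirectory module, the registry value names under HKLM\SOFTWARE\Policies\Microsoft\FVE are from memory of the BitLocker ADMX and should be checked against your own GPO export, and the computer name and Key ID in the usage line are made up.

```powershell
# Added example, not the poster's script: BitLocker with AD escrow on a
# domain-joined client, plus the helpdesk-side recovery lookup.
# Assumptions: OS volume is C:, run elevated, BitLocker PowerShell module present;
# the policy value names below are from memory of the BitLocker ADMX (check them
# against your own GPO export); the AD lookup needs the RSAT ActiveDirectory module.

# 1. Check the policy the GPO should have delivered (post's steps 2 and 2.5).
$fve      = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
$policy   = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
$expected = @{
    OSActiveDirectoryBackup        = 1   # escrow OS-drive recovery info to AD DS
    OSRequireActiveDirectoryBackup = 1   # refuse to enable BitLocker until escrow succeeds
    OSRecoveryPassword             = 2   # 48-digit recovery password required
    UseAdvancedStartup             = 1   # "Require additional authentication at startup"
    EnableBDEWithNoTPM             = 1   # allow BitLocker on devices without a TPM
}
foreach ($name in $expected.Keys) {
    if ($policy.$name -ne $expected[$name]) {
        Write-Warning "Policy $name is '$($policy.$name)', expected $($expected[$name])"
    }
}

# 2. Domain join is a prerequisite (post's step 3); without it the escrow fails.
if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    throw 'Not domain-joined; recovery information cannot be escrowed to AD.'
}

# 3. Turn on BitLocker. The recovery password is created first so it exists (and
#    can be escrowed) before encryption starts; the primary protector is the TPM
#    when it is ready, otherwise a startup password, which only works because
#    EnableBDEWithNoTPM is set above.
if ((Get-BitLockerVolume -MountPoint 'C:').ProtectionStatus -eq 'Off') {
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if ($tpm -and $tpm.TpmReady) {
        Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 `
            -UsedSpaceOnly -SkipHardwareTest -TpmProtector
    } else {
        # manage-bde prompts for the startup password (-Password adds a password protector).
        manage-bde -on C: -UsedSpaceOnly -Password
    }
}

# 4. Escrow every recovery password to the computer object. Policy should do this
#    on its own; doing it explicitly lets you confirm it and covers Note 2.
function Backup-AllRecoveryPasswords {
    param([string]$MountPoint = 'C:')
    $rps = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
           Where-Object KeyProtectorType -eq 'RecoveryPassword'
    foreach ($rp in $rps) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null
        Write-Host "Escrowed recovery password $($rp.KeyProtectorId) to AD"
    }
}

# 5. Rotate the recovery password and re-escrow it (what the .bat in Note 2 does).
#    The new one is added and escrowed before the old one is removed, so there is
#    never a moment with no escrowed recovery password.
function Reset-RecoveryPassword {
    param([string]$MountPoint = 'C:')
    $before = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    Backup-AllRecoveryPasswords -MountPoint $MountPoint
    foreach ($old in $before) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $old.KeyProtectorId | Out-Null
    }
}

# 6. Helpdesk side: match the Key ID shown after pressing ESC on the recovery screen
#    against the msFVE-RecoveryInformation objects stored under the computer account.
function Find-EscrowedRecoveryPassword {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$KeyIdPrefix   # first block of the Key ID from the screen
    )
    Import-Module ActiveDirectory
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    Get-ADObject -Filter 'objectClass -eq "msFVE-RecoveryInformation"' -SearchBase $dn `
                 -Properties msFVE-RecoveryPassword, whenCreated |
        Where-Object { $_.Name -match "\{$KeyIdPrefix" } |   # object name is "<timestamp>{<Key ID>}"
        Select-Object Name, whenCreated, msFVE-RecoveryPassword
}

# Usage (hypothetical computer name and Key ID prefix):
# Find-EscrowedRecoveryPassword -ComputerName LAPTOP-042 -KeyIdPrefix 3A1F9C2B
```

The rotation order in step 5 is the one difference from the .bat described in Note 2, which changes the key first and then uploads it: adding and escrowing the new recovery password before deleting the old one means a failed upload leaves the still-escrowed old password usable rather than a volume whose only recovery password AD has never seen. The policy check in step 1 is also what to run first when a device shows up in AD with no msFVE-RecoveryInformation child: with OSRequireActiveDirectoryBackup set, BitLocker should not have been enabled at all unless the escrow succeeded, so a missing object usually means the device was encrypted before the GPO applied or before it was domain-joined.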

deanwebb

This is where writing things down and putting them in your pocket comes in darn handy.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Dieselboy

Until you wash your pants and that important piece of paper turns to papier-mâché  :twitch: :mrgreen:

deanwebb

Quote from: Dieselboy on June 25, 2017, 08:23:58 PM
Until you wash your pants and that important piece of paper turns to papier-mâché  :twitch: :mrgreen:

Now you know why network guys do less laundry and take fewer showers than people in, say, sales and marketing...

NetworkGroover

Quote from: deanwebb on June 26, 2017, 09:59:00 AM
Now you know why network guys do less laundry and take fewer showers than people in, say, sales and marketing...

It's not lack of personal hygiene - it's strategy.
Engineer by day, DJ by night, family first always

icecream-guy

Quote from: AspiringNetworker on June 26, 2017, 06:01:05 PM
Quote from: deanwebb on June 26, 2017, 09:59:00 AM
Now you know why network guys do less laundry and take fewer showers than people in, say, sales and marketing...

It's not lack of personal hygiene - it's strategy.

http://www.businessinsider.com/how-often-you-should-wash-jeans-2016-3
:professorcat:

My Moral Fibers have been cut.

ggnfs000

Worked with TPM for a few years; it is extra complicated. In a nutshell, it is supposed to keep your private key in the tamper-proof hardware device. Even the owner of the platform cannot read it. The TPM is bound to the hardware platform.

For BitLocker I believe you can set it to store the key in the TPM or, without a TPM, use a password. I have a 1 TB USB HDD which I carry around with important stuff, so I encrypted it with a password (no TPM). Any Windows computer I plug it into asks for the password. If the password is forgotten you can restore using the longer phrase, which I kept in Google Drive so I can access it anywhere in case it's needed. It is relatively safe, not absolutely.