• Recent
    • Unsolved
    • Tags
    • Popular
    • Users
    • Groups
    • Search
    • Register
    • Login

    Skip Bitlocker detection?

    Scheduled Pinned Locked Moved FOG Problems
    26 Posts 4 Posters 8.2k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      gwhiteia
      last edited by gwhiteia

      I know the general thought is that Bitlocker should be disabled prior to imaging, but we’ve done it using CloneZilla and had no issues.

      CloneZilla captures the partitions it knows about in their native filesystems, and then does the BL’ed partition as RAW…it doesn’t force us to do the whole drive as RAW.

      Could the developers perhaps add that functionality as a switch in the image definition - Skip Bitlocker detection - yes/no?

      I love the product, but I can’t use it without this feature.

      Thanks!

      george1421G 1 Reply Last reply Reply Quote 0
      • Tom ElliottT
        Tom Elliott
        last edited by

        FOG already has the capability to do this, but we added a check because that was the “thought” we needed to do.

        You can modify the file yourself.

        You are, hopefully, familiar with postinit scripts:

        The file you’ll want to replace is:
        /usr/share/fog/lib/funcs.sh

        The line you would need to comment:
        Line 290 in fsTypeSetting function.

        You should then have the ability to capture/deploy images using the “imager/raw” method.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

        Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

        Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

        G 1 Reply Last reply Reply Quote 0
        • G
          gwhiteia
          last edited by

          That’s awesome…thanks Tom!

          Is that something that could be incorporated into the web interface? Perhaps in the definition of the image?

          Tom ElliottT 1 Reply Last reply Reply Quote 0
          • george1421G
            george1421 Moderator @gwhiteia
            last edited by

            @gwhiteia said in Skip Bitlocker detection?:

            know the general thought is that Bitlocker should be disabled prior to imaging, but we’ve done it using CloneZilla and had no issues.

            I question this statement and then question the value of bitlocker if you can do this successfully. As long as you are using the tpm chip there should be no value in cloning a bitlocker protected partition unless it will be used to restore back to the same computer. If you are doing a one to many deployment with this image it should fail on every computer you deploy it to because the certificate held in the tpm chip will not match. If you can do this then something is wrong with bitlocker.

            @Tom-Elliott

            The file you’ll want to replace is:
            /usr/share/fog/lib/funcs.sh

            The line you would need to comment:
            Line 290 in fsTypeSetting function.

            Could we key the skip that line if a specific kernel parameter exists in FOG 1.6.x? I can see the value in having this check to keep the fog admin from doing something they don’t expect. But if the FOG admin “really” wants to do this a kernel parameter flag could be a way to bypass the check.

            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

            Tom ElliottT 1 Reply Last reply Reply Quote 0
            • Tom ElliottT
              Tom Elliott @gwhiteia
              last edited by

              @gwhiteia Sure it could be, but I think, for now, this change would be more quickly incorporated using postinit scripts.

              This is because, the change would require 2 steps.

              1. The GUI: This element is extremely easy to add. A simple change to the SQL schema and a little HTML code.

              2. The FS/FOS/INIT rebuild: This element, while not difficult to add, requires a rebuild of the init’s. This takes some time to accomplish, (Think usually around 3 hours assuming no issues during the build.)

              So, we can add this level of functionality, and I imagine we probably will in the future. When that will be, I can’t really say. But Postinit’s add levels of functionality and, presumably, understanding of the backend code which I think would be useful as well.

              Please see https://forums.fogproject.org/topic/9463/fog-postinit-scripts-before-the-magic-begins?_=1601327523120 in regards to how to use postinit scripts if you need some help.

              Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

              Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

              Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

              george1421G 1 Reply Last reply Reply Quote 0
              • Tom ElliottT
                Tom Elliott @george1421
                last edited by

                @george1421 I think the capture task could have a “allow bitlocker capture” or something similar, along the same lines as “Schedule as debug” task.

                This could be interpretted as a kernel arg.

                This would be extremely simple and require no Schema change at least.

                Thanks for letting me think it through.

                The only change is a minor GUI addition and a little change to the Init fsType script.

                I don’t think we need to worry about bitlocker on a deploy task.

                Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                george1421G 1 Reply Last reply Reply Quote 1
                • george1421G
                  george1421 Moderator @Tom Elliott
                  last edited by george1421

                  @Tom-Elliott said in Skip Bitlocker detection?:

                  postinit scripts

                  I thought about postinits, but then I wondered of we slide in a new func.sh script, isn’t that already loaded into memory before the postinit code is called? I think the OP is going to need to unpack the inits make the change and then repack them. https://wiki.fogproject.org/wiki/index.php/Modifying_the_Init_Image

                  It would be really nice if it could be done in a postinit script but I think its too late by the time the postinit stuff is called.

                  Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                  1 Reply Last reply Reply Quote 0
                  • george1421G
                    george1421 Moderator @Tom Elliott
                    last edited by

                    @Tom-Elliott said in Skip Bitlocker detection?:

                    The only change is a minor GUI addition and a little change to the Init fsType script.

                    Do you want me to put in a request for this so we can track it?

                    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                    Tom ElliottT G 3 Replies Last reply Reply Quote 0
                    • Tom ElliottT
                      Tom Elliott @george1421
                      last edited by

                      @george1421 the postinit could re source the funcs file at the end.

                      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                      1 Reply Last reply Reply Quote 1
                      • Tom ElliottT
                        Tom Elliott @george1421
                        last edited by

                        @george1421 sure! At least then there’s a way to track.

                        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                        Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                        Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                        1 Reply Last reply Reply Quote 0
                        • S
                          Sebastian Roth Moderator
                          last edited by

                          @george1421 said in Skip Bitlocker detection?:

                          I question this statement and then question the value of bitlocker if you can do this successfully. As long as you are using the tpm chip there should be no value in cloning a bitlocker protected partition unless it will be used to restore back to the same computer. If you are doing a one to many deployment with this image it should fail on every computer you deploy it to because the certificate held in the tpm chip will not match. If you can do this then something is wrong with bitlocker.

                          @gwhiteia Can you please comment on this before we go ahead and change things. This is the basis on why we added the bitlocker check as a hard break in the scripts instead of making it optional. Do you use bitlocker without TPM or how does it work in your case?

                          Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                          Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                          G 1 Reply Last reply Reply Quote 0
                          • G
                            gwhiteia @george1421
                            last edited by

                            @george1421 said in Skip Bitlocker detection?:

                            @Tom-Elliott said in Skip Bitlocker detection?:

                            The only change is a minor GUI addition and a little change to the Init fsType script.

                            Do you want me to put in a request for this so we can track it?

                            Yes, please

                            1 Reply Last reply Reply Quote 0
                            • G
                              gwhiteia @Sebastian Roth
                              last edited by

                              @Sebastian-Roth said in Skip Bitlocker detection?:

                              @george1421 said in Skip Bitlocker detection?:

                              I question this statement and then question the value of bitlocker if you can do this successfully. As long as you are using the tpm chip there should be no value in cloning a bitlocker protected partition unless it will be used to restore back to the same computer. If you are doing a one to many deployment with this image it should fail on every computer you deploy it to because the certificate held in the tpm chip will not match. If you can do this then something is wrong with bitlocker.

                              @gwhiteia Can you please comment on this before we go ahead and change things. This is the basis on why we added the bitlocker check as a hard break in the scripts instead of making it optional. Do you use bitlocker without TPM or how does it work in your case?

                              Yes, we use BL without the TPM

                              1 Reply Last reply Reply Quote 0
                              • S
                                Sebastian Roth Moderator
                                last edited by

                                @gwhiteia said in Skip Bitlocker detection?:

                                Yes, we use BL without the TPM

                                But how?

                                Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                                Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                                G george1421G 2 Replies Last reply Reply Quote 0
                                • G
                                  gwhiteia @Sebastian Roth
                                  last edited by

                                  @Sebastian-Roth said in Skip Bitlocker detection?:

                                  @gwhiteia said in Skip Bitlocker detection?:

                                  Yes, we use BL without the TPM

                                  But how?

                                  We disable TPM in the BIOS prior to building our image and modify a few GPO settings to use passwords instead of PINs

                                  1 Reply Last reply Reply Quote 0
                                  • george1421G
                                    george1421 Moderator @Sebastian Roth
                                    last edited by

                                    @Sebastian-Roth said in Skip Bitlocker detection?:

                                    But how?

                                    If you run bitlocker without TPM you have an option to use a usb key with the certificate installed or with a preboot password that is managed by the uefi boot loader. It is surely not as secure at the tpm route, but if you have no option, you have limited choices.

                                    Some countries may mandate to not use tpm protection.

                                    Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                                    1 Reply Last reply Reply Quote 1
                                    • S
                                      Sebastian Roth Moderator
                                      last edited by

                                      @george1421 @gwhiteia Ok, so essentially it means we should not error out when detecting bitlocked partitions. But then we will end up with more people asking why their image is so big.

                                      Printing a warning is of no use because it Just skips past with no one noticing it.

                                      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                                      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                                      george1421G 1 Reply Last reply Reply Quote 0
                                      • george1421G
                                        george1421 Moderator @Sebastian Roth
                                        last edited by george1421

                                        @Sebastian-Roth The idea as I understand it, there should be a one time flag (akin to debug flag and location) that will allow the FOG Admin to bypass the check. This is for a one-off situation. 99% of the time its proper to warn the FOG Admin that bitlocker is on and he/she should disable it first. For that remaining 1% of the time of the FOG Admin wants to bypass this stop the FOG should let them (i.e. play with matches and a stick of dynamite. “What could go wrong??”)

                                        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!

                                        1 Reply Last reply Reply Quote 0
                                        • S
                                          Sebastian Roth Moderator
                                          last edited by

                                          @george1421 Yeah, you are right. I forgot about this part earlier being discussed here in this topic. We shall look into adding this.

                                          Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                                          Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                                          Tom ElliottT 1 Reply Last reply Reply Quote 0
                                          • Tom ElliottT
                                            Tom Elliott @Sebastian Roth
                                            last edited by Tom Elliott

                                            @Sebastian-Roth, @george1421

                                            I have added this “Feature” to 1.6 branch.

                                            I have not added the code to the fos engine stuff, as I’ll leave that up to whomever is building them right now. I don’t have a build environment and we don’t have automated building setup yet (that I am aware of at least)

                                            https://github.com/FOGProject/fogproject/commit/bff919e655d9a239040133466874b19c82562bf9

                                            Essentially, I added the checkbox to bypass bitlocker detection when a capture task is selected. It uses Scheduled Task other5 field to store if this was set or not, and creates a new column for setting this flag in the task.
                                            d47e992c-8c72-4ac2-9352-098e2437bd17-image.png

                                            When this flag is set, it sets the kernel arg bitlockerbypass=1 making it easy enought to look for in the bitlocker check function.

                                            Let me know if you have any other questions.

                                            Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

                                            Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

                                            Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

                                            1 Reply Last reply Reply Quote 2
                                            • 1
                                            • 2
                                            • 1 / 2
                                            • First post
                                              Last post

                                            158

                                            Online

                                            12.3k

                                            Users

                                            17.4k

                                            Topics

                                            155.8k

                                            Posts
                                            Copyright © 2012-2025 FOG Project