BitLocker compatibility
-
I’ve noticed available tools for image managing (partclone and partimage) aren’t able to take an image of a disk with BitLocker enabled. I’ve seen that you could use manage-bde in CMD or Disable-BitLocker/Suspend-BitLocker to temporarily disable BitLocker and take the image. However, I’m wondering if this process might be automated by the FOG client, or whether I could provide FOG my BitLocker recovery key to make this process of taking images of encrypted disks more automatic. Thank you very much
-
@jfernandz Actually, BitLocker FDE (full disk encryption) was developed to prevent what you are trying to do. I don’t remember if the developers put a stop point in the code if FDE is detected, but technically FOG will copy a BitLocker-protected disk; it will just do it in raw mode. The issue you will have if FOG cloned the disk image is that BitLocker encrypts the disk with a key that is held in the TPM chip. So even if FOG cloned the disk, the data would not be able to be used because the TPM keys would not match. This prevents cloning or accessing data on protected media.
For the data to be cloned and usable afterwards you must decrypt the drive before cloning.
-
@george1421 thank you for your answer, you’re always willing to help.
What about the point of implementing, for example, Suspend-BitLocker on the FOG client side? The TPM point is a good one, but … almost all machines we work with have an “easily” accessible/replaceable TPM hardware module; could we just restore some disk image in a new machine with the TPM of the old one? Would this work?
-
@jfernandz said in BitLocker compatibility:
The TPM point is a good one, but … almost all machines we work with have an “easily” accessible/replaceable TPM hardware module; could we just restore some disk image in a new machine with the TPM of the old one? Would this work?
-Or- just decrypt your golden/mother image before image capture, then either have the unattend.xml or a GPO policy encrypt the drive when it hits the target computer hardware? Don’t make it harder on yourself than needed. I’m sure your users are willing to do that to you for free.
-
@george1421 oh, that will be our best alternative for now, sure. Anyway, I was just trying to think of some possible feature the FOG client could implement regarding this; maybe I’ll be willing in the future to contribute to the project, though I’m not sure right now if Suspend-BitLocker will require some kind of authentication.
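The three operations discussed in this thread (suspending BitLocker for one reboot as in the opening post, fully decrypting the golden image before capture as george1421 recommends, and re-enabling encryption once the image lands on the target) as one elevated PowerShell script. This is an added example, not code from FOG, the FOG client or any poster in the thread. It assumes Windows 8.1/Server 2012 R2 or later with the BitLocker module present, and that the OS volume is C: (a parameter, assumed here); the recovery-password escrow step assumes the usual AD DS key-backup GPO is in place.

```powershell
<#
Added example for this thread, not FOG or forum code.
Modes:
  Suspend  - clear the protectors for exactly one reboot
  Decrypt  - fully decrypt the golden image before capture
  Reenable - TPM protector plus escrowed recovery password after deployment
#>
param(
    [string]$MountPoint = "C:",   # assumption: the OS volume being imaged
    [ValidateSet("Suspend", "Decrypt", "Reenable")]
    [string]$Mode = "Decrypt"
)

function Get-BitLockerSummary {
    param([string]$MountPoint)
    $v = Get-BitLockerVolume -MountPoint $MountPoint
    [pscustomobject]@{
        MountPoint       = $v.MountPoint
        VolumeStatus     = $v.VolumeStatus       # FullyEncrypted / FullyDecrypted / *InProgress
        ProtectionStatus = $v.ProtectionStatus   # On = protectors enforced; Off = suspended or none
        PercentEncrypted = $v.EncryptionPercentage
        Protectors       = (@($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ",")
    }
}

function Wait-BitLockerStatus {
    # Poll until the volume reaches the wanted VolumeStatus. Decrypting a large disk
    # takes minutes to hours; the capture must not start before this returns.
    param([string]$MountPoint, [string]$Wanted)
    do {
        Start-Sleep -Seconds 15
        $s = Get-BitLockerSummary -MountPoint $MountPoint
        Write-Host ("{0}: {1}, {2}% encrypted" -f $s.MountPoint, $s.VolumeStatus, $s.PercentEncrypted)
    } while ($s.VolumeStatus -ne $Wanted)
}

$before = Get-BitLockerSummary -MountPoint $MountPoint
$before | Format-List | Out-Host

switch ($Mode) {
    "Suspend" {
        if ($before.VolumeStatus -eq "FullyDecrypted") { Write-Host "Nothing to suspend."; break }
        # RebootCount 1: Windows re-arms the protectors after one reboot, so a
        # forgotten Resume-BitLocker does not leave the key in the clear indefinitely.
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1 | Out-Null
        # The sectors stay encrypted; only the volume key is now stored unprotected.
    }
    "Decrypt" {
        if ($before.VolumeStatus -ne "FullyDecrypted") {
            Disable-BitLocker -MountPoint $MountPoint | Out-Null
            Wait-BitLockerStatus -MountPoint $MountPoint -Wanted "FullyDecrypted"
        }
    }
    "Reenable" {
        if ($before.VolumeStatus -ne "FullyDecrypted") { Write-Host "Already encrypted."; break }
        # Add and escrow the recovery password to AD before the TPM protector takes
        # effect, so the key lives in the directory rather than on the imaging server.
        $rp = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $id = @($rp.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword")[-1].KeyProtectorId
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $id | Out-Null
        Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 `
            -UsedSpaceOnly -SkipHardwareTest | Out-Null
    }
}

Get-BitLockerSummary -MountPoint $MountPoint | Format-List
```

Run as `.\bitlocker-imaging.ps1 -Mode Decrypt` on the golden machine before capture and `-Mode Reenable` from the post-deployment step (unattend.xml RunSynchronous or a startup script) on the target. The Suspend mode only clears the protectors: the data on disk remains ciphertext, so a file-system-aware tool still sees a BitLocker volume rather than NTFS, and any raw clone taken while suspended carries the volume key in the clear and can be unlocked on any hardware, which is why the one-reboot limit matters. Full decryption is the route that yields a plain NTFS volume for partclone, and the recovery password belongs in AD (or Entra/MBAM) escrow, not in FOG.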