Fog and AES-256 Drive Encryption

  • J
    Jarli
    last edited by May 4, 2015, 4:58 PM

    We are looking to start encrypting our mobile employees, sales staff mostly (using DiskCryptor).

    My Boss would like to expand this to be our standard, which I am all for. My question is, will the RAW format image properly pull all of the details needed so I can back up and restore equipment as it comes in or goes out?

    • N
      need2 Moderator
      last edited by May 4, 2015, 5:06 PM

      Restoring onto the same hardware shouldn’t be a problem, but there may be issues restoring across devices. I do not know from experience though.

      • T
        Tom Elliott
        last edited by May 4, 2015, 5:11 PM

        The way FOG captures the image, I don’t think will create any problems if you’re uploading/downloading data that’s encrypted. If the entirety of the disk is encrypted this may be an issue.

        The issue, after that, I think, would be the download to other disks, as essentially the encryption being used would be the same from one system to the next as the key is just a replicated instance.

        Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

        Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

        Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

        • J
          Jarli
          last edited by May 4, 2015, 5:20 PM

          He’s not too concerned about the same encryption key or phrase being used, just so that we have an additional layer of security. A power-on password only stops the laptop from getting powered on. Encrypting the drive (and our base image) would at least obscure the information on the drive, preventing intellectual theft of anything on the system.

          And since 99% of our staff have laptops, a baseline of encryption, that is uniform across the company is most easily managed using 1 encryption key or pass-phrase, albeit it’s less secure.

          But the entire disk is / will be encrypted. Any more input?

          • N
            need2 Moderator
            last edited by May 4, 2015, 5:31 PM

            If you could limit the encryption to just User folder space then you will have fewer issues. OS and Program Files do not need to be encrypted, and doing so would actually degrade performance.

            • J
              Jarli
              last edited by May 4, 2015, 5:34 PM

              The trouble is we image our machines to a base level, and then join them to the domain, and throw them on the shelf to sit until someone needs to swap out. And we want the ability to browse the entire drive, securely by using the application on our support systems.

              The performance hit should be negligible as all that needs to be entered at power on, would be the decryption key and power on password.

              So it’s really a question of, will it work? I’m encrypting a system now and will test with a Raw image upload onto Fog and try to restore.

              I’ll provide an update when it’s done in a few hours.

              • T
                Tom Elliott
                last edited by May 4, 2015, 5:43 PM

                You should not need a “Raw” image format.

                You’re encrypting the data on the drive, not the drive itself. So long as the drive is readable as ntfs, ext, etc… you should be fine.

                • J
                  Jarli
                  last edited by May 4, 2015, 5:52 PM

                  When connecting an already encrypted drive to a Windows Machine, the system immediately tells me: “You need to format the disk in drive X: before you can use it.” meaning the entire drive is encrypted.

                  Using DiskCryptor to mount the drive (and provided the correct encryption key) I can then view the drive as any other USB device.

                  In Windows Disk Management the drive is listed as RAW

                  1 Reply Last reply Reply Quote 0
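An added example, not part of the original thread or of FOG's code: a small check of a volume's first 4 KiB that shows why a readable NTFS/ext volume and a fully encrypted one (listed as RAW) are treated differently by imaging tools. The function names, the 7.5 bits-per-byte threshold, the sample headers and the mapping to an imaging mode are all assumptions made for illustration.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    total = len(data)
    if total == 0:
        return 0.0
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify_volume(head: bytes) -> str:
    """Classify the first 4 KiB of a volume by signature, then by entropy."""
    if len(head) < 4096:
        raise ValueError("need at least the first 4096 bytes of the volume")
    # NTFS: OEM ID at offset 3 plus the 0x55AA end-of-sector marker.
    if head[3:11] == b"NTFS    " and head[510:512] == b"\x55\xaa":
        return "ntfs"
    # ext2/3/4: superblock at byte 1024, magic 0xEF53 (little-endian) at +56.
    if head[1080:1082] == b"\x53\xef":
        return "ext"
    # No signature: a near-uniform byte distribution is what ciphertext looks like.
    if shannon_entropy(head[:4096]) > 7.5:
        return "opaque-high-entropy"
    return "unrecognised"

def imaging_mode(kind: str) -> str:
    """Assumed mapping: known filesystem -> filesystem-aware capture, else raw."""
    return "filesystem-aware" if kind in ("ntfs", "ext") else "raw sector-by-sector"

def make_sample(patches: dict) -> bytes:
    """Build a zero-filled 4 KiB header with the given bytes patched in."""
    buf = bytearray(4096)
    for offset, value in patches.items():
        buf[offset:offset + len(value)] = value
    return bytes(buf)

# Constructed samples, not captured from real disks.
NTFS_HEAD = make_sample({0: b"\xeb\x52\x90NTFS    ", 510: b"\x55\xaa"})
EXT_HEAD = make_sample({1080: b"\x53\xef"})
BLANK_HEAD = bytes(4096)
# Stand-in for a fully encrypted volume: every byte value equally frequent.
ENCRYPTED_HEAD = bytes((i * 167 + 13) % 256 for i in range(4096))

if __name__ == "__main__":
    for name, head in [("ntfs", NTFS_HEAD), ("ext", EXT_HEAD),
                       ("encrypted", ENCRYPTED_HEAD), ("blank", BLANK_HEAD)]:
        kind = classify_volume(head)
        print(f"{name:10} {kind:20} {imaging_mode(kind)}")
```

High entropy alone does not prove encryption (compressed data looks similar), so treat the result as a hint about which capture mode will work, not as proof of what is on the disk.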
                  • N
                    need2 Moderator
                    last edited by May 4, 2015, 6:07 PM

                    I suggest using BitLocker, or at least trying it to see if it fits your needs better. You should also be able to specify via GPO to have any/all user folders encrypted by machine with BitLocker. That way it wouldn’t matter who you had log in to the laptop, their data would automatically be encrypted within their user folder.

                    • J
                      Jarli
                      last edited by May 4, 2015, 6:08 PM

                      Unfortunately BitLocker isn’t available for Windows 7 Pro, and we really don’t want to purchase it for all of our computers.

                      • J
                        Joseph Hales Testers
                        last edited by May 4, 2015, 6:19 PM

                        I think need2 may be on the better track here, especially if it is an AD environment. You should be able to control everything via policy and still use re-sizable images or even sysprepped universal images. You will want to limit encryption to home directories because there is a performance hit whenever you access encrypted data.

                        RTFM

                        • N
                          need2 Moderator
                          last edited by May 4, 2015, 6:22 PM

                          You’re right. I was thinking more of EFS. The following is dated, but relevant.

                          https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx

                          • J
                            Joseph Hales Testers
                            last edited by May 4, 2015, 6:28 PM

                            Windows 7 Ultimate and Enterprise include BitLocker, as well as Windows 8 and 10.

                            • J
                              Jarli
                              last edited by May 4, 2015, 6:36 PM

                              We are running Windows 7 Professional, and are not going to update to Windows 8; Windows 10 maybe when it drops.

                              Joseph Hales wrote: “Windows 7 Ultimate and Enterprise include BitLocker, as well as Windows 8 and 10.”

                              • W
                                Wayne Workman
                                last edited by May 4, 2015, 9:41 PM

                                Tom Elliott wrote: “You should not need a “Raw” image format. You’re encrypting the data on the drive, not the drive itself. So long as the drive is readable as ntfs, ext, etc… you should be fine.”

                                Yeah. Re-sizable, everything. I don’t think there’s a need at all to use RAW for this. Also, the earlier comment about encrypting just the user data is a good one. Win7Pro has built-in encryption… you can set it with policy.

                                Also, if you used user-based enumeration shares (Windows Server 12 and up), you can specify encryption of the redirected user data on the server itself, and have the user files NOT EVEN EXIST on the local machines. That’s how my environment is set up. It’s done through GPOs.

                                Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                                Daily Clean Installation Results:
                                https://fogtesting.fogproject.us/
                                FOG Reporting:
                                https://fog-external-reporting-results.fogproject.us/

                                • N
                                  need2 Moderator
                                  last edited by May 4, 2015, 11:07 PM

                                  Wayne Workman wrote: “Also, if you used user-based enumeration shares (Windows Server 12 and up), you can specify encryption of the redirected user data on the server itself, and have the user files NOT EVEN EXIST on the local machines. That’s how my environment is set up. It’s done through GPOs.”

                                  That too is how we have ours set up. I really, really love not worrying about someone’s files when a drive dies anymore.

                                  Copyright © 2012-2024 FOG Project