
Fog and AES-256 Drive Encryption

  • N
    need2 Moderator
    last edited by May 4, 2015, 5:06 PM

    Restoring onto the same hardware shouldn’t be a problem, but there may be issues restoring across devices. I do not know from experience though.

    • T
      Tom Elliott
      last edited by May 4, 2015, 5:11 PM

      I don’t think the way FOG captures the image will create any problems if you’re uploading/downloading data that’s encrypted. If the entirety of the disk is encrypted, this may be an issue.

      The issue, after that, I think, would be the download to other disks, as essentially the encryption being used would be the same from one system to the next as the key is just a replicated instance.

      Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

      Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

      Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

      • J
        Jarli
        last edited by May 4, 2015, 5:20 PM

        He’s not too concerned about the same encryption key or phrase being used, just so that we have an additional layer of security. A power-on password only stops the laptop from getting powered on. Encrypting the drive (and our base image) would at least obscure the information on the drive, preventing intellectual theft of anything on the system.

        And since 99% of our staff have laptops, a baseline of encryption, that is uniform across the company is most easily managed using 1 encryption key or pass-phrase, albeit it’s less secure.

        But the entire disk is / will be encrypted. Any more input?

        • N
          need2 Moderator
          last edited by May 4, 2015, 5:31 PM

          If you could limit the encryption to just User folder space then you will have fewer issues. OS and Program Files do not need to be encrypted, and doing so would actually degrade performance.

          • J
            Jarli
            last edited by May 4, 2015, 5:34 PM

            The trouble is we image our machines to a base level, and then join them to the domain, and throw them on the shelf to sit until someone needs to swap out. And we want the ability to browse the entire drive, securely by using the application on our support systems.

            The performance hit should be negligible as all that needs to be entered at power on, would be the decryption key and power on password.

            So it’s really a question of, will it work? I’m encrypting a system now and will test with a Raw image upload onto Fog and try to restore.

            I’ll provide an update when it’s done in a few hours.

            • T
              Tom Elliott
              last edited by May 4, 2015, 5:43 PM

              You should not need a “Raw” image format.

              You’re encrypting the data on the drive, not the drive itself. So long as the drive is readable as NTFS, ext, etc… you should be fine.

              • J
                Jarli
                last edited by May 4, 2015, 5:52 PM

                When connecting an already encrypted drive to a Windows Machine, the system immediately tells me: “You need to format the disk in drive X: before you can use it.” meaning the entire drive is encrypted.

                Using DiskCryptor to mount the drive (and provided the correct encryption key) I can then view the drive as any other USB device.

                In Windows Disk Management the drive is listed as RAW

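Why a fully encrypted volume shows up as RAW while an ordinary one is "readable as ntfs, ext", shown as an added example that is not part of the original thread and not FOG's own code: it checks the start of a partition for the NTFS and ext on-disk signatures and falls back to a byte-entropy heuristic. The function names, the 7.0 threshold, the sector-copy rule and the sample buffers are assumptions constructed for illustration.

```python
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify_volume(head: bytes) -> str:
    """Classify the first 4 KiB of a partition by on-disk signature."""
    # NTFS boot sector: OEM ID "NTFS    " at byte offset 3.
    if head[3:11] == b"NTFS    ":
        return "ntfs"
    # ext2/3/4: superblock at byte 1024, magic 0xEF53 at offset 56 within it.
    if len(head) >= 1082 and struct.unpack_from("<H", head, 1080)[0] == 0xEF53:
        return "ext"
    # No signature and near-uniform bytes: consistent with ciphertext.
    if shannon_entropy(head) > 7.0:
        return "unrecognized-high-entropy"
    return "unrecognized"

def needs_sector_copy(kind: str) -> bool:
    """Assumption: a filesystem-aware imager can skip free space and resize
    only when it can parse the filesystem; otherwise it copies every sector."""
    return kind not in ("ntfs", "ext")

def read_head(path: str, size: int = 4096) -> bytes:
    """Read the start of a partition device or image file (read-only)."""
    with open(path, "rb") as f:
        return f.read(size)

# Constructed samples (not captured from real disks).
NTFS_SAMPLE = (b"\xeb\x52\x90NTFS    " + bytes(499) + b"\x55\xaa").ljust(4096, b"\0")
EXT_SAMPLE = bytearray(4096)
struct.pack_into("<H", EXT_SAMPLE, 1080, 0xEF53)
# Uniform byte distribution standing in for an encrypted volume's first sectors.
ENCRYPTED_SAMPLE = bytes((i * 167 + 13) % 256 for i in range(4096))

if __name__ == "__main__":
    for name, blob in [("ntfs", NTFS_SAMPLE), ("ext", EXT_SAMPLE),
                       ("encrypted", ENCRYPTED_SAMPLE), ("blank", bytes(4096))]:
        kind = classify_volume(bytes(blob))
        print(f"{name:10} -> {kind:26} sector copy: {needs_sector_copy(kind)}")
```

High entropy alone does not prove encryption, since compressed data looks the same; treat the result as a hint about which capture mode to test.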
                • N
                  need2 Moderator
                  last edited by May 4, 2015, 6:07 PM

                  I suggest using BitLocker, or at least trying it to see if it fits your needs better. You should also be able to specify via GPO to have any/all user folders encrypted by machine with BitLocker. That way it wouldn’t matter who you had log in to the laptop, their data would automatically be encrypted within their user folder.

                  • J
                    Jarli
                    last edited by May 4, 2015, 6:08 PM

                    Unfortunately BitLocker isn’t available for Windows 7 Pro, and we really don’t want to purchase it for all of our computers.

                    • J
                      Joseph Hales Testers
                      last edited by May 4, 2015, 6:19 PM

                      I think need2 may be on the better track here, especially if it is an AD environment. You should be able to control everything via policy and still use re-sizable images or even sysprepped universal images. You will want to limit encryption to home directories because there is a performance hit whenever you access encrypted data.

                      RTFM

                      • N
                        need2 Moderator
                        last edited by May 4, 2015, 6:22 PM

                        You’re right. I was thinking more of EFS. The following is dated, but relevant.

                        https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx

                        • J
                          Joseph Hales Testers
                          last edited by May 4, 2015, 6:28 PM

                          Windows 7 Ultimate and Enterprise include BitLocker, as well as Windows 8 and 10.

                          RTFM

                          • J
                            Jarli
                            last edited by May 4, 2015, 6:36 PM

                            We are running Windows 7 Professional, and are not going to update to Windows 8; Windows 10 maybe, when it drops.

                            Joseph Hales said:
                            > Windows 7 Ultimate and Enterprise include BitLocker, as well as Windows 8 and 10.

                            • W
                              Wayne Workman
                              last edited by May 4, 2015, 9:41 PM

                              Tom Elliott said:
                              > You should not need a “Raw” image format.
                              >
                              > You’re encrypting the data on the drive, not the drive itself. So long as the drive is readable as NTFS, ext, etc… you should be fine.

                              Yeah. Re-sizable, everything. I don’t think there’s a need at all to use RAW for this. Also, the earlier comment about encrypting just the user data is a good one. Win7Pro has built-in encryption… you can set it with policy.

                              Also, if you used user-based enumeration shares (Windows Server 12 and up), you can specify encryption of the redirected user data on the server itself, and have the user files NOT EVEN EXIST on the local machines. That’s how my environment is set up. It’s done through GPOs.

                              Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG!
                              Daily Clean Installation Results:
                              https://fogtesting.fogproject.us/
                              FOG Reporting:
                              https://fog-external-reporting-results.fogproject.us/

                              • N
                                need2 Moderator
                                last edited by May 4, 2015, 11:07 PM

                                Wayne Workman said:
                                > Also, if you used user-based enumeration shares (Windows Server 12 and up), you can specify encryption of the redirected user data on the server itself, and have the user files NOT EVEN EXIST on the local machines. That’s how my environment is set up. It’s done through GPOs.

                                That too is how we have ours set up. I really, really love not worrying about someone’s files when a drive dies anymore.

                                Copyright © 2012-2024 FOG Project