Fog and AES-256 Drive Encryption

Jarli · May 4, 2015, 4:58 PM

We are looking to start encrypting our mobile employees, sales staff mostly (using DiskCrytor)

My Boss would like to expand this to be our standard, which I am all for, my question is, will the RAW format image properly pull all of the details needed so I can backup and restore equipment as it comes in or goes out?

need2 · May 4, 2015, 5:06 PM

Restoring onto the same hardware shouldn’t be a problem, but there may be issues restoring across devices. I do not know from experience though.

Tom Elliott · May 4, 2015, 5:11 PM

The way FOG captures the image, I don’t think will create any problems if you’re uploading/downloading data that’s encrypted. If the entirety of the disk is encrypted this may be an issue.

The issue, after that, I think, would be the download to other disks, as essentially the encryption being used would be the same from one system to the next as the key is just a replicated instance.

Jarli · May 4, 2015, 5:20 PM

He’s not to concerned about the same encryption key or phrase being used just so that we have an additional layer of security. A power on password only stops the laptop from getting powered on. Encrypting the drive (and our base image) would at least obscure the information on the drive. Preventing intellectual theft of anything on the system.

And since 99% of our staff have laptops, a baseline of encryption, that is uniform across the company is most easily managed using 1 encryption key or pass-phrase, albeit it’s less secure.

But the entire disk is / will be encrypted. Any more input?

need2 · May 4, 2015, 5:31 PM

If you could limit the encryption to just User folder space then you will have less issues. OS and Program Files do not need to be encrypted, and doing so would actually degrade performance.

Jarli · May 4, 2015, 5:34 PM

The trouble is we image our machines to a base level, and then join them to the domain, and throw them on the shelf to sit until someone needs to swap out. And we want the ability to browse the entire drive, securely by using the application on our support systems.

The performance hit should be negligible as all that needs to be entered at power on, would be the decryption key and power on password.

So it’s really a question of, will it work? I’m encrypting a system now and will test with a Raw image upload onto Fog and try to restore.

I’ll provide an update when its done in a few hours.

Tom Elliott · May 4, 2015, 5:43 PM

You should not need a “Raw” image format.

You’re encrypting the data on the drive, not the drive itself. So long as the drive is readable as ntfs,ext,etc… you should be fine.

Jarli · May 4, 2015, 5:52 PM

When connecting an already encrypted drive to a Windows Machine, the system immediately tells me: “You need to format the disk in drive X: before you can use it.” meaning the entire drive is encrypted.

Using DiskCryptor to mount the drive (and provided the correct encryption key) I can then view the drive as any other USB device.

In Windows Disk Management the drive is listed as RAW

need2 · May 4, 2015, 6:07 PM

I suggest using BitLocker, or at least trying it to see if it it fits your needs better. You should also be able to specify via GPO to have any/all user folders encrypted by machine with BitLocker. That way it wouldn’t matter who you had log in to the laptop, their data would automatically be encrypted within their user folder.

Jarli · May 4, 2015, 6:08 PM

Unfortunately Bitlocker isn’t available for Windows 7 Pro, and we really don’t want to purchase it for all of our computers.

Joseph Hales · May 4, 2015, 6:19 PM

I think need2 may be on the better track here especially if it is an AD environment you should be able to control everything via policy and still use re-sizable images or even syspreped universal images. You will want to limit encryption to home directory’s because there is a performance hit whenever you access encrypted data.

need2 · May 4, 2015, 6:22 PM

You’re right. I was thinking more of EFS. The following is dated, but relevant.

[url]https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx[/url]

Joseph Hales · May 4, 2015, 6:28 PM

Windows 7 ultimate and Enterprise include bitlocker as well as windows 8 and 10.

Jarli · May 4, 2015, 6:36 PM

We are running windows 7 professional, and are not going to update to windows 8, windows 10 maybe when it drops.

[quote=“Joseph Hales, post: 46729, member: 18131”]Windows 7 ultimate and Enterprise include bitlocker as well as windows 8 and 10.[/quote]

Wayne Workman · May 4, 2015, 9:41 PM

[quote=“Tom Elliott, post: 46717, member: 7271”]You should not need a “Raw” image format.

You’re encrypting the data on the drive, not the drive itself. So long as the drive is readable as ntfs,ext,etc… you should be fine.[/quote]

Yeah. re-sizable, everything. I don’t think there’s a need at all to use RAW for this. Also, the earlier comment about encrypting just the user data is a good one. Win7Pro has built in encryption… you can set it with policy.

Also, if you used user-based enumeration shares (windows server 12 and up), you can specify encryption of the redirected user data on the server itself, and have the user files NOT EVEN EXIST on the local machines. That’s how my environment is set up. It’s done through GPOs.

need2 · May 4, 2015, 11:07 PM

[quote=“Wayne Workman, post: 46752, member: 28155”]Also, if you used user-based enumeration shares (windows server 12 and up), you can specify encryption of the redirected user data on the server itself, and have the user files NOT EVEN EXIST on the local machines. That’s how my environment is set up. It’s done through GPOs.[/quote]

That too is how we have ours set up. I really, really love not worrying about someone’s files when a drive dies anymore.

Fog and AES-256 Drive Encryption

146

12.1k

17.3k

155.3k