
    Fog and AES-256 Drive Encryption

      need2 Moderator

      If you could limit the encryption to just User folder space then you will have fewer issues. OS and Program Files do not need to be encrypted, and doing so would actually degrade performance.

        Jarli

        The trouble is we image our machines to a base level, and then join them to the domain, and throw them on the shelf to sit until someone needs to swap out. And we want the ability to browse the entire drive, securely by using the application on our support systems.

        The performance hit should be negligible, as all that needs to be entered at power on would be the decryption key and power-on password.

        So it’s really a question of, will it work? I’m encrypting a system now and will test with a Raw image upload onto Fog and try to restore.

        I’ll provide an update when it’s done in a few hours.

          Tom Elliott

          You should not need a “Raw” image format.

          You’re encrypting the data on the drive, not the drive itself. So long as the drive is readable as NTFS, ext, etc… you should be fine.

          Please help us build the FOG community with everyone involved. It's not just about coding - way more we need people to test things, update documentation and most importantly work on uniting the community of people enjoying and working on FOG! Get in contact with me (chat bubble in the top right corner) if you want to join in.

          Web GUI issue? Please check apache error (debian/ubuntu: /var/log/apache2/error.log, centos/fedora/rhel: /var/log/httpd/error_log) and php-fpm log (/var/log/php*-fpm.log)

          Please support FOG if you like it: https://wiki.fogproject.org/wiki/index.php/Support_FOG

            Jarli

            When connecting an already encrypted drive to a Windows Machine, the system immediately tells me: “You need to format the disk in drive X: before you can use it.” meaning the entire drive is encrypted.

            Using DiskCryptor to mount the drive (and provided the correct encryption key) I can then view the drive as any other USB device.

            In Windows Disk Management the drive is listed as RAW

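One way to tell which of the two cases above a partition falls into before choosing an image type, as an added example that is not part of the original thread or of FOG: it checks the first 2048 bytes for the NTFS and ext signatures and falls back to an entropy estimate. The function names, the 7.5 bits/byte threshold and the sample headers are assumptions constructed for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for metadata."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_volume(head: bytes) -> str:
    """Classify a partition from its first 2048 bytes."""
    if len(head) < 2048:
        raise ValueError("need the first 2048 bytes of the partition")
    # NTFS boot sector: OEM ID at offset 3, 0x55AA signature at offset 510.
    if head[3:11] == b"NTFS    " and head[510:512] == b"\x55\xaa":
        return "ntfs"
    # ext2/3/4: superblock at offset 1024, magic 0xEF53 at offset 56 within it.
    if struct.unpack_from("<H", head, 1024 + 56)[0] == 0xEF53:
        return "ext"
    # No known signature: near-random bytes point to an encrypted volume.
    return "raw-encrypted" if shannon_entropy(head) > 7.5 else "raw-unknown"

def imaging_hint(kind: str) -> str:
    """Map the classification to the two capture styles discussed in the thread."""
    if kind in ("ntfs", "ext"):
        return "filesystem-aware, resizable capture"
    return "sector-by-sector raw capture"

# --- Constructed sample headers (not taken from any real disk) ---
def sample_ntfs() -> bytes:
    head = bytearray(2048)
    head[0:3] = b"\xeb\x52\x90"   # x86 jump at the start of the boot sector
    head[3:11] = b"NTFS    "
    head[510:512] = b"\x55\xaa"
    return bytes(head)

def sample_ext() -> bytes:
    head = bytearray(2048)
    struct.pack_into("<H", head, 1024 + 56, 0xEF53)
    return bytes(head)

def sample_encrypted() -> bytes:
    # Deterministic stand-in for ciphertext: SHA-256 digests of 64 counters.
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))

if __name__ == "__main__":
    for head in (sample_ntfs(), sample_ext(), sample_encrypted()):
        kind = classify_volume(head)
        print(f"{kind}: {imaging_hint(kind)}")
```

The entropy test is a heuristic: it says the header looks random, not which tool encrypted it, so a volume that reports `raw-unknown` still needs a manual look.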
              need2 Moderator

              I suggest using BitLocker, or at least trying it to see if it fits your needs better. You should also be able to specify via GPO to have any/all user folders encrypted by machine with BitLocker. That way it wouldn’t matter who you had log in to the laptop, their data would automatically be encrypted within their user folder.

                Jarli

                Unfortunately BitLocker isn’t available for Windows 7 Pro, and we really don’t want to purchase it for all of our computers.

                  Joseph Hales Testers

                  I think need2 may be on the better track here, especially if it is an AD environment. You should be able to control everything via policy and still use re-sizable images or even sysprepped universal images. You will want to limit encryption to home directories because there is a performance hit whenever you access encrypted data.

                  RTFM

                    need2 Moderator

                    You’re right. I was thinking more of EFS. The following is dated, but relevant.

                    https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx

                      Joseph Hales Testers

                      Windows 7 Ultimate and Enterprise include BitLocker, as well as Windows 8 and 10.

                        Jarli

                        We are running Windows 7 Professional, and are not going to update to Windows 8; Windows 10 maybe when it drops.

                        > Joseph Hales wrote: Windows 7 Ultimate and Enterprise include BitLocker, as well as Windows 8 and 10.

                          Wayne Workman

                          > Tom Elliott wrote: You should not need a “Raw” image format.
                          >
                          > You’re encrypting the data on the drive, not the drive itself. So long as the drive is readable as NTFS, ext, etc… you should be fine.

                          Yeah. Re-sizable, everything. I don’t think there’s a need at all to use RAW for this. Also, the earlier comment about encrypting just the user data is a good one. Win7Pro has built-in encryption… you can set it with policy.

                          Also, if you used user-based enumeration shares (Windows Server 12 and up), you can specify encryption of the redirected user data on the server itself, and have the user files NOT EVEN EXIST on the local machines. That’s how my environment is set up. It’s done through GPOs.

                            need2 Moderator

                            > Wayne Workman wrote: Also, if you used user-based enumeration shares (Windows Server 12 and up), you can specify encryption of the redirected user data on the server itself, and have the user files NOT EVEN EXIST on the local machines. That’s how my environment is set up. It’s done through GPOs.

                            That too is how we have ours set up. I really, really love not worrying about someone’s files when a drive dies anymore.

                            Copyright © 2012-2024 FOG Project