BitLocker compatibility
-
I’ve noticed available tools for image managin (
partcloneandpartimage) aren’t able to take an image of a disk with BitLocker enabled, I’ve seen that you could usemanage-bdein CMD orDisable-BitLocker/Suspend-BitLockerto disable temporarily BitLocker and take the image. However I’m wondering if this process might be automated by the FOG client or I could provide FOG my BitLocker recovery key to make this process of take images of encrypted disk more automatic.Thank you very much
-
@jfernandz Actually bitlocker fde (full disk encryption) was developed to prevent what you are trying to do. I don’t remember if the developers put a stop point in the code if fde is detected but technically FOG will copy a bitlocker protected disk, but it will do it in raw mode. The issue you will have if fog cloned the disk image is that bitlocker encrypts the disk with a key that is held in the TPM chip. So even if FOG cloned the disk, the data would not be able to be used because the TPM keys would not match. This prevents cloning or accessing data on protected media.
For the data to be cloned and usable afterwards you must decrypt the drive before cloning. -
@george1421 than you for your answer, you’re always willing to help
What about the point of implementing, for example,
Suspend-BitLockerin the FOG client side?
The TPM point is a good one, but … almost all machines we work with have an “easily” accessible/replaceable TPM hardware module, could just we restore some disk image in a new machine with the TPM of the old one? Would this work?
-
@jfernandz said in BitLocker compatibility:
The TPM point is a good one, but … almost all machines we work with have an “easily” accessible/replaceable TPM hardware module, could just we restore some disk image in a new machine with the TPM of the old one? Would this work?
-Or- just decrypt your golden/mother image before image capture, then either have the unattend.xml or gpo policy encrypt the drive when it hits the target computer hardware? Don’t make it harder on yourself than needed. I’m sure your users are willing to do that to you for free.
-
@george1421 oh, that will be our best alternative for now, sure
Anyway I was just trying to think in some possible feature FOG client could implement regarding this, maybe I’ll be willing in the future to contribute to the project though not sure right now if Suspend-Bitlockerwill require some kind of authentication -
Regarding this point … Now I’m thinking in
cryptsetupandLUKS. I’ve noticed CloneZilla is able to ask you for a LUKS volume passphrase to decrypt it before taking the image, may FOG do the same? Apparently with default options FOG just takes the image in raw format, but is there some way to make FOG act like CloneZilla?Thanks again and sorry for bringing up this topic again.
-
@jfernandz Technically anything is possible, if you want to take a go at it sure. I doubt this will fix the issue for bitlocker though.
-
@Tom-Elliott Well, sure about the bitlocker point. Regarding the LUKS point I wasn’t actually asking if it’s technically possible, but rather if this feature is currently implemented (partclone/partimage asking your for the LUKS passphrase)
-
@jfernandz No, it’s not being implemented at all currently. If you want to take a stab at it, please feel free. I don’t know what it would entail and I am fairly confident no one else within the FOG Dev team is currently trying to implement such a feature.