Solved supporting an office of computers with full drive encryption
-
@stacksofplates said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
There isn't anything that protects against this other than BIOS, which isn't OS security.
For example, if I encrypt the full drive but leave BIOS open (or they steal the disk), they can boot to recovery but will gain nothing. They can't get into the disk without the key. It's still protecting you from breaking into the box because they can't get anything on the disk at all if its fully encrypted.
If you restrict recovery and boot options and make it obvious that the case has been opened... how would partial disk encryption not provide that protection as well?
It probably would. There are some unknowns like whether system restore points would have any of this data in them and people can accidentally move data to the unencrypted partition/drive.
I'm also coming at this from the angle of where I work. There are some legit concerns with our data so our systems are required for full disk encryption and any information like that isn't on laptops. Boot loader is password protected and BIOS is locked down. Even USB ports are disabled and kernel modules are removed.
Right, well I'm assuming that boot loader and all that is locked down here too, or there is too much risk regardless.
Ya, I don't believe how many people I've seen use super long passwords and not password protect the boot loader. All I need is "rd.break" and I'm in.
I guess it also helps mitigate mistakes by admins. If you don't have fully automated builds like happens a lot in smaller environments, there are a lot of variables that can make a difference.
It's kind of a toss up in that case, the fear is that the machine will go without being patched and then be vulnerable and get compromised that way.
-
@stacksofplates said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@stacksofplates said in supporting an office of computers with full drive encryption:
There isn't anything that protects against this other than BIOS, which isn't OS security.
For example, if I encrypt the full drive but leave BIOS open (or they steal the disk), they can boot to recovery but will gain nothing. They can't get into the disk without the key. It's still protecting you from breaking into the box because they can't get anything on the disk at all if its fully encrypted.
If you restrict recovery and boot options and make it obvious that the case has been opened... how would partial disk encryption not provide that protection as well?
It probably would. There are some unknowns like whether system restore points would have any of this data in them and people can accidentally move data to the unencrypted partition/drive.
I'm also coming at this from the angle of where I work. There are some legit concerns with our data so our systems are required for full disk encryption and any information like that isn't on laptops. Boot loader is password protected and BIOS is locked down. Even USB ports are disabled and kernel modules are removed.
Right, well I'm assuming that boot loader and all that is locked down here too, or there is too much risk regardless.
Which is again why Open Source is important. Things like system restore having this data would be understood.
Maybe it already is and I just don't know. Not a Windows admin.
Yup, sounds like they are just using the wrong tool(s) for the job at hand.
-
@wrx7m said in supporting an office of computers with full drive encryption:
I saw this marked as solved but can't seem to find the post that mentions the solution/what the OP ended up doing.
I was wondering how much time it would add to my job if I took on a client that was using full disk encryption. After a few posts it was clear that it would be additional overhead.
-
@Mike-Davis said in supporting an office of computers with full drive encryption:
@wrx7m said in supporting an office of computers with full drive encryption:
I saw this marked as solved but can't seem to find the post that mentions the solution/what the OP ended up doing.
I was wondering how much time it would add to my job if I took on a client that was using full disk encryption. After a few posts it was clear that it would be additional overhead.
Yeah, definitely some for sure.
-
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
@wrx7m said in supporting an office of computers with full drive encryption:
I saw this marked as solved but can't seem to find the post that mentions the solution/what the OP ended up doing.
I was wondering how much time it would add to my job if I took on a client that was using full disk encryption. After a few posts it was clear that it would be additional overhead.
Yeah, definitely some for sure.
But potentially tiny amounts if you tell them that they must be present for any reboots you need to make.
-
@JaredBusch said in supporting an office of computers with full drive encryption:
@scottalanmiller said in supporting an office of computers with full drive encryption:
@Mike-Davis said in supporting an office of computers with full drive encryption:
@wrx7m said in supporting an office of computers with full drive encryption:
I saw this marked as solved but can't seem to find the post that mentions the solution/what the OP ended up doing.
I was wondering how much time it would add to my job if I took on a client that was using full disk encryption. After a few posts it was clear that it would be additional overhead.
Yeah, definitely some for sure.
But potentially tiny amounts if you tell them that they must be present for any reboots you need to make.
Possibly. They might be okay with that.
