Why BitLocker with USB key on a server?
-
I'm looking at a server where they BitLockered it and stored the password on a USB key. Does it provide any additional security if the USB key is left plugged into the server?
-
@Mike-Davis said in BitLocker with USB key:
I'm looking at a server where they BitLockered it and stored the password on a USB key. Does it provide any additional security if the USB key is left plugged into the server?
I've not spent any real time with BitLocker - but if the key is connected to the computer it is for, that computer is 'open' I would think.
That doesn't seem secure.
-
So there was no TPM?
-
@Mike-Davis said in Why BitLocker with USB key on a server?:
I'm looking at a server where they BitLockered it and stored the password on a USB key. Does it provide any additional security if the USB key is left plugged into the server?
Nope. Same as not being encrypted - except in the case where they physically steal drives but not the server or the key.
-
@gjacobse said in Why BitLocker with USB key on a server?:
@Mike-Davis said in BitLocker with USB key:
I'm looking at a server where they BitLockered it and stored the password on a USB key. Does it provide any additional security if the USB key is left plugged into the server?
I've not spent any real time with BitLocker - but if the key is connected to the computer it is for, that computer is 'open' I would think.
That doesn't seem secure.
Like most encryption, someone following the word of the law and not the intent.
-
@Dashrender said in Why BitLocker with USB key on a server?:
So there was no TPM?
No TPM as far as I can see.
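For anyone auditing a server like the one described, here is an added PowerShell example (not from this thread) that lists each BitLocker volume's key protectors and flags volumes that can only be unlocked by an external startup key with no TPM-bound protector, which is exactly the plugged-in-USB situation being discussed. It assumes the built-in BitLocker module (Get-BitLockerVolume) and an elevated session on the server.

```powershell
# Added audit example, not code from the thread. Requires the BitLocker
# PowerShell module (ships with Windows Server) and an elevated session.
# A volume whose only protector is an 'ExternalKey' (USB startup key) is
# only protected while that key is removed and stored elsewhere.

$tpmBound = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    $hasTpm      = @($types | Where-Object { $tpmBound -contains $_ }).Count -gt 0
    $usbOnly     = ($types -contains 'ExternalKey') -and (-not $hasTpm)
    $hasRecovery = $types -contains 'RecoveryPassword'   # needed for remote unlock after a reboot

    $finding = if ($vol.VolumeStatus -ne 'FullyEncrypted') { 'NOT FULLY ENCRYPTED' }
               elseif ($usbOnly) { 'STARTUP KEY ONLY (no TPM): a key left plugged in gives no protection' }
               elseif ($hasTpm)  { 'TPM-bound protector present' }
               else              { 'Review protectors: ' + ($types -join ', ') }

    [pscustomobject]@{
        Volume           = $vol.MountPoint
        Status           = $vol.VolumeStatus
        Protectors       = ($types -join ', ')
        RecoveryPassword = $hasRecovery
        Finding          = $finding
    }
}

# Second check: is a startup key file (.BEK) sitting on removable media that is
# currently attached? If so, the drive is effectively unlocked for anyone with the box.
Get-Volume |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
    ForEach-Object {
        $root = "$($_.DriveLetter):\"
        $bek  = Get-ChildItem -Path $root -Filter '*.BEK' -Force -ErrorAction SilentlyContinue
        if ($bek) {
            Write-Warning ("Startup key file present on attached removable drive {0} ({1})" -f
                $root, (($bek | ForEach-Object Name) -join ', '))
        }
    }
```

If the first check reports a startup-key-only volume and the second finds the .BEK on an attached drive, the at-rest encryption is doing nothing for that server until the key is removed and stored separately, and a RecoveryPassword protector is what lets you bring it back up remotely after a reboot.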
-
@scottalanmiller said in Why BitLocker with USB key on a server?:
Nope. Same as not being encrypted - except in the case where they physically steal drives but not the server or the key.
This is what I thought.
I'm tasked with building a new server and I don't see the need for encrypted drives.
-
@Mike-Davis said in Why BitLocker with USB key on a server?:
@scottalanmiller said in Why BitLocker with USB key on a server?:
Nope. Same as not being encrypted - except in the case where they physically steal drives but not the server or the key.
This is what I thought.
I'm tasked with building a new server and I don't see the need for encrypted drives.
Almost never is. It's so hard to make it useful without crippling real world usage.
-
@scottalanmiller said in Why BitLocker with USB key on a server?:
@Mike-Davis said in Why BitLocker with USB key on a server?:
@scottalanmiller said in Why BitLocker with USB key on a server?:
Nope. Same as not being encrypted - except in the case where they physically steal drives but not the server or the key.
This is what I thought.
I'm tasked with building a new server and I don't see the need for encrypted drives.
Almost never is. It's so hard to make it useful without crippling real world usage.
You and I always quibble over this. I know you think that users won't be bothered to not leave the USB key plugged in. (Just removing it and securing it is all you need.)
In "real world usage" how often is a server rebooted?
Now, if you DID have to reboot the server at an inopportune time, yes, not having access to that USB key would be troublesome. However with iDRAC you could also use a recovery key remotely if needed.
-
@BRRABill said in Why BitLocker with USB key on a server?:
@scottalanmiller said in Why BitLocker with USB key on a server?:
@Mike-Davis said in Why BitLocker with USB key on a server?:
@scottalanmiller said in Why BitLocker with USB key on a server?:
Nope. Same as not being encrypted - except in the case where they physically steal drives but not the server or the key.
This is what I thought.
I'm tasked with building a new server and I don't see the need for encrypted drives.
Almost never is. It's so hard to make it useful without crippling real world usage.
You and I always quibble over this. I know you think that users won't be bothered to not leave the USB key plugged in. (Just removing it and securing it is all you need.)
In "real world usage" how often is a server rebooted?
Now, if you DID have to reboot the server at an inopportune time, yes, not having access to that USB key would be troublesome. However with iDRAC you could also use a recovery key remotely if needed.
Well in the real world.... is where we have a failure right here.
-
@scottalanmiller said in Why BitLocker with USB key on a server?:
@BRRABill said in Why BitLocker with USB key on a server?:
@scottalanmiller said in Why BitLocker with USB key on a server?:
@Mike-Davis said in Why BitLocker with USB key on a server?:
@scottalanmiller said in Why BitLocker with USB key on a server?:
Nope. Same as not being encrypted - except in the case where they physically steal drives but not the server or the key.
This is what I thought.
I'm tasked with building a new server and I don't see the need for encrypted drives.
Almost never is. It's so hard to make it useful without crippling real world usage.
You and I always quibble over this. I know you think that users won't be bothered to not leave the USB key plugged in. (Just removing it and securing it is all you need.)
In "real world usage" how often is a server rebooted?
Now, if you DID have to reboot the server at an inopportune time, yes, not having access to that USB key would be troublesome. However with iDRAC you could also use a recovery key remotely if needed.
Well in the real world.... is where we have a failure right here.
But why?
Were they ever told ... hey lock that up? Or were they just lazy.
My point is, if @Mike-Davis took that USB key out, what issues would it really cause? In reality, very few.
-
@BRRABill said in Why BitLocker with USB key on a server?:
My point is, if @Mike-Davis took that USB key out, what issues would it really cause? In reality, very few.
Other than if the server reboots, which it should at least once a week, it would not come back up and that would be that. Outages aren't minor.
-
@scottalanmiller said in Why BitLocker with USB key on a server?:
@BRRABill said in Why BitLocker with USB key on a server?:
My point is, if @Mike-Davis took that USB key out, what issues would it really cause? In reality, very few.
Other than if the server reboots, which it should at least once a week, it would not come back up and that would be that. Outages aren't minor.
Once a week?
-
@BRRABill said in Why BitLocker with USB key on a server?:
@scottalanmiller said in Why BitLocker with USB key on a server?:
@BRRABill said in Why BitLocker with USB key on a server?:
My point is, if @Mike-Davis took that USB key out, what issues would it really cause? In reality, very few.
Other than if the server reboots, which it should at least once a week, it would not come back up and that would be that. Outages aren't minor.
Once a week?
Or more, yes of course. There are exceptions, but very rare.
http://www.smbitjournal.com/2011/02/why-we-reboot-servers/
http://www.datamation.com/datbus/article.php/3909071/Should-Servers-Be-Rebooted.htm
-
@scottalanmiller said
Or more, yes of course. There are exceptions, but very rare.
I never patch so it's not a concern.
(KIDDDDING!!! FLAME THROWERS DOWN PEOPLE!)
-
@BRRABill said in Why BitLocker with USB key on a server?:
@scottalanmiller said
Or more, yes of course. There are exceptions, but very rare.
I never patch so it's not a concern.
OMG. . .
-
@BRRABill said in Why BitLocker with USB key on a server?:
My point is, if @Mike-Davis took that USB key out, what issues would it really cause? In reality, very few.
I'm an MSP, so I'm not onsite. A 3:00 AM automatic update server reboot would cause problems in the morning.
-
@Mike-Davis said in Why BitLocker with USB key on a server?:
I'm an MSP, so I'm not onsite.
"And" not onsite. Being MSP doesn't imply remote and being on staff doesn't imply on site.
-
@Mike-Davis said in Why BitLocker with USB key on a server?:
@BRRABill said in Why BitLocker with USB key on a server?:
My point is, if @Mike-Davis took that USB key out, what issues would it really cause? In reality, very few.
I'm an MSP, so I'm not onsite. A 3:00 AM automatic update server reboot would cause problems in the morning.
What? You can't set an alarm?
[winking emoji]
-
Also who the hell updates shit at 3am?
All my clients have backups running at 6-7pm and updates around 9 or 10.
Why the hell wait to find out shit is broke in the morning. No one is left in the office after 7.