I know this has been discussed a couple of times:
https://centricityusers.com/?pa.....38;ret=all
and
https://centricityusers.com/?pa.....38;ret=all
But these are a year old, and I'm wondering if anyone has feedback on the use of data-at-rest encryption software for end-user computers.
I'd like to hear your feedback of:
1) The software you are using (TrueCrypt, McAfee, Symantec, etc.)
2) Is there a significant slowness exhibited with the encryption process while an end user is using the machine?
3) Centralized password management (tied in with Active Directory)
4) Is it easy to deploy?
5) Does it automatically encrypt removable media, such as CD-Rs, USB memory sticks, external HDDs, etc.?
6) Was the cost reasonable?
7) Would you buy it again?
Thank you for your time,
Jake Hinkelman
Valley Medical Center
Lewiston, ID
Unfortunately this came up again with our annual SRA a week ago and there is no easy answer. I was told that we should encrypt our servers as well. I don't necessarily agree, since all of our servers are virtual and we have a SAN, which is locked/secured in our data center. It would be unlikely for someone to come in, steal a hard drive or hard drives, and get anything useful from them.
On to your questions (hoping some others will provide feedback):
1) The software you are using (TrueCrypt, McAfee, Symantec, etc.)
We tried McAfee but settled on TrueCrypt, but it is now discontinued. TrueCrypt and McAfee both require a password to be typed in at boot time. McAfee has a cached password mode, but it was not secure at all. It was possible to break in within 10 minutes. DiskCryptor will likely be my TrueCrypt replacement as the project matures.
https://diskcryptor.net/wiki/Main_Page
I think BitLocker would be best, but with the highest cost to the organization. It would integrate with Active Directory. You cannot buy OEM Windows Enterprise, so we would be buying a Windows license twice for each machine unless you build your own machines. It kills any hope of doing this in a cost-effective manner. Maybe there is hope for Windows 9 upgrades if the start menu is really back this time and it is cheap for businesses (I fear that businesses will likely pay a lot more than $20 per seat).
2) Is there a significant slowness exhibited with the encryption process while an end user is using the machine?
None that I noticed in my testing with BitLocker, TrueCrypt or McAfee. Intel i5 and i7 processors (among others) have built-in hardware cryptography extensions which do parallel processing for this purpose.
https://en.wikipedia.org/wiki/AES_instruction_set
3) Centralized password management (tied in with Active Directory)
As far as I know, BitLocker is the only one which will do this. McAfee will cache the password, but it is available to be hacked into very easily.
4) Is it easy to deploy?
BitLocker is easiest to deploy with Group Policy. McAfee/TrueCrypt are installed individually and harder to manage. We have already had to rebuild more than one laptop with a forgotten password.
5) Does it automatically encrypt removable media, such as CD-Rs, USB memory sticks, external HDDs, etc.?
I don't really have an answer to this one. The word "automatically" is throwing me a curve. I know you can do it, but it is not without an additional step in TrueCrypt. Did not try McAfee or BitLocker.
6) Was the cost reasonable?
TrueCrypt was free.
7) Would you buy it again?
I would buy Windows 7 Enterprise/Ultimate with every new computer if it was reasonable. Currently it is not.
McAfee does not give you any more than what TrueCrypt does, so it is not worth it.
Mike Zavolas
Tallahassee Neurological Clinic
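Following up on Mike's points about Group Policy deployment and the laptops rebuilt over a forgotten password, here is an added example (my own script, not something from this thread or from Microsoft) of the per-machine steps a BitLocker rollout on Windows 7 Enterprise/Ultimate needs: add a TPM protector for transparent boot, add a recovery password, escrow that recovery password to Active Directory, and only then start encrypting. It drives manage-bde.exe, which ships with those editions. Assumptions: an elevated session on a domain-joined machine whose TPM is already initialized, English-language manage-bde output (the parsing matches English labels), and a Group Policy setting that permits storing BitLocker recovery information in AD DS (the exact policy name and path are not on this page; check your domain's BitLocker policy).

```powershell
# Added example, not from the thread: TPM protector + recovery password, escrowed to
# AD DS before encryption starts. Assumes Windows 7 Ent/Ultimate, manage-bde.exe,
# elevated session, domain-joined, TPM initialized, English manage-bde output, and
# a GPO that allows BitLocker recovery information to be stored in AD DS.

$Drive = "C:"

function Assert-TpmReady {
    # Win32_Tpm lives in the MicrosoftTpm namespace; its IsEnabled()/IsActivated()
    # methods return objects whose same-named property carries the boolean result.
    $tpm = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftTpm" -Class Win32_Tpm
    if (-not $tpm) { throw "No TPM present; this example only covers the TPM + recovery password case." }
    if (-not $tpm.IsEnabled().IsEnabled -or -not $tpm.IsActivated().IsActivated) {
        throw "TPM found but not enabled/activated in firmware."
    }
    Write-Host "TPM spec version(s): $($tpm.SpecVersion)"   # e.g. '1.2, 2, 3' on a TPM 1.2 laptop
}

function Get-RecoveryPasswordId {
    # Return the protector GUID that follows the 'Numerical Password:' heading in
    # 'manage-bde -protectors -get' output, or $null if there is none.
    $lines = & manage-bde.exe -protectors -get $Drive
    $inRecoveryBlock = $false
    foreach ($line in $lines) {
        if ($line -match 'Numerical Password:') { $inRecoveryBlock = $true; continue }
        if ($inRecoveryBlock -and $line -match '(\{[0-9A-Fa-f\-]{36}\})') { return $Matches[1] }
    }
    return $null
}

Assert-TpmReady

# 1. Add the protectors before turning encryption on. The TPM unlocks the drive at
#    boot (single Windows logon, as in Jonathan's post); the recovery password is
#    the break-glass path when the TPM will not release the key.
& manage-bde.exe -protectors -add $Drive -TPM | Out-Null
& manage-bde.exe -protectors -add $Drive -RecoveryPassword | Out-Null

$recoveryId = Get-RecoveryPasswordId
if (-not $recoveryId) { throw "Recovery password protector not found; refusing to encrypt without an escrowable key." }

# 2. Escrow to AD DS *before* encrypting, so a failure here stops the rollout
#    instead of leaving an encrypted drive with no centrally held recovery key.
& manage-bde.exe -protectors -adbackup $Drive -id $recoveryId
if ($LASTEXITCODE -ne 0) { throw "AD backup failed (exit $LASTEXITCODE); check the GPO and domain connectivity." }

# 3. Turn BitLocker on. Encryption continues in the background; -SkipHardwareTest
#    skips the extra reboot that otherwise verifies the TPM can unlock the drive.
& manage-bde.exe -on $Drive -SkipHardwareTest
& manage-bde.exe -status $Drive
```

The ordering is the point: with the recovery password already in AD, a help-desk lookup of the computer object replaces the rebuild Mike describes, and a machine that cannot reach AD simply never gets encrypted rather than getting encrypted with an un-escrowed key.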
Hi Mike,
I appreciate your feedback. With your suggestions, I'm looking into the M$ BitLocker option, as we bit the bullet and purchased SA on our Windows laptops, allowing us to use Windows 7 Enterprise. But this alone does not allow management of BitLocker (MBAM)? This seems to require MDOP (subscription based), unless BitLocker is still able to be controlled through Group Policy without MBAM. I haven't received final numbers on MDOP yet.
The challenge I'm finding with BitLocker is that Windows Enterprise is not an in-place upgrade from Windows 7 Pro, though there are sites that describe modifying a registry key and doing an in-place upgrade with the Windows Enterprise media and Enterprise key to trick it into upgrading. I'm sure it would not be supported by M$ if any issues cropped up.
A colleague mentioned WinMagic as an option as well, but I haven't dug into this yet.
Again, thanks for your time in answering; hopefully we'll see a few more posts.
Jake
We have the following encryption options in place:
BitLocker
- We used Windows Anytime Upgrade to upgrade an HP notebook computer (Folio) from Windows 7 Professional to Windows 7 Ultimate. The upgrade process was straightforward (essentially entering the new key) and did not require reinstalling Windows.
- The HP notebook computer has a TPM chip:
http://windows.microsoft.com/e.....n-Overview - Encryption is transparent to the user. No difference in logging in (just the Windows logon) and no noticeable difference in performance (it does have an SSD).
- At times the full BitLocker encryption key (16 characters I think) needs to be entered. I'm not exactly sure what triggers the request for the full key. We have gone several months without having to enter the BitLocker key.
TrueCrypt
- We used a Windows 7 Professional volume license to upgrade a Windows XP computer. We did not find a way to get Windows Anytime Upgrade to work, so we used TrueCrypt.
- Two logins are required (TrueCrypt and Windows).
- No noticeable difference in performance (regular hard drive).
OS X FileVault 2
- Included with OS X
- Encryption is transparent to the user. No difference in logging in (just the Windows logon) and no noticeable difference in performance (it does have an SSD).
HP Protect Tools
- Included with many HP business computers (was not included with the HP Folio).
- I'm using it on an HP EliteBook 850
- No noticeable difference in performance (however, SSD and self-encrypting drive)
- Two logins are required; however, it also has a fingerprint reader.
- A single logon is possible, but that is less secure.
- HP Protect Tools is a branded third-party solution (can't remember which one). I believe the encryption can be centrally managed (additional purchase required).
These are not mass deployed.
TrueCrypt would be my last choice because the user experience is not the best and TrueCrypt development and support is uncertain at this time (from what I know).
BitLocker provides the best user experience (except for the rare times when the full key is needed).
For just a few computers (no central management) HP Protect Tools works fine (no added cost).
Jonathan said:
BitLocker provides the best user experience (except for the rare times when the full key is needed).
Jonathan (Thanks for the feedback), under which circumstances would a user be prompted for a full key? Is this just at installation or does it happen sometimes unexpectedly? Also, is the key the same for all workstations on your domain?
Are you encrypting workstations in your office or just laptops? Servers? Are you a thick or thin environment?
Mike Zavolas
Tallahassee Neurological Clinic
The prompts occurred a few times after installation. I'm not sure exactly what triggers the prompts for the full key. Any changes to the boot process seem to trigger the prompt. Over the past several months we have installed software, installed printers, and installed Windows updates without triggering the prompt.
We only have one BitLocker computer, so I don't know how the recovery key works when managed from the domain.
Right now we are encrypting mobile devices. We also have encrypted flash drives. We are encrypting backups (server, archive drives, etc.). We are not yet encrypting desktop computers or servers. Around 80% of the employees use thin clients.
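Jonathan's observation that changes to the boot process trigger the full recovery key prompt is the expected TPM behaviour: the TPM only releases the volume key when the measured boot chain matches what it was sealed against. The usual way to make a firmware update or boot configuration change without hitting the prompt is to suspend the protectors first, reboot on the new boot chain, and then re-enable them so the key is resealed to the new measurements. Here is an added example of that procedure (my own script, not from the thread or from Microsoft) using manage-bde.exe on Windows 7, which, unlike later versions, has no automatic "resume after N reboots" option, so the suspend and the resume are two separate steps. Assumptions: elevated sessions, English manage-bde output, and that a recovery password protector already exists (the script refuses to suspend without one, because the recovery password is the only fallback if the resealing still goes wrong).

```powershell
# Added example, not from the thread: suspend BitLocker protectors around a planned
# boot-chain change on Windows 7 so the recovery key prompt is not triggered.
# Assumes manage-bde.exe, elevated session, English manage-bde output.

$Drive = "C:"

function Get-ProtectionState {
    # Returns 'On' or 'Off' from the 'Protection Status:' line of -status output.
    $line = (& manage-bde.exe -status $Drive) | Where-Object { $_ -match 'Protection Status:' }
    if ($line -match 'Protection On')  { return 'On' }
    if ($line -match 'Protection Off') { return 'Off' }
    throw "Could not read protection status for $Drive"
}

function Test-RecoveryPasswordPresent {
    # True if a numerical (recovery) password protector is configured on the drive.
    [bool]((& manage-bde.exe -protectors -get $Drive) -match 'Numerical Password:')
}

function Suspend-ForBootChange {
    # Step 1: run BEFORE the firmware update / boot configuration change.
    # While suspended the volume key is stored in the clear, so keep the window short.
    if (-not (Test-RecoveryPasswordPresent)) {
        throw "No recovery password protector on $Drive; add and escrow one before touching the boot chain."
    }
    if ((Get-ProtectionState) -ne 'On') {
        throw "Protection is already off on $Drive; investigate before proceeding."
    }
    & manage-bde.exe -protectors -disable $Drive | Out-Null
    if ((Get-ProtectionState) -ne 'Off') { throw "Failed to suspend protectors on $Drive" }
    Write-Host "Protectors suspended on $Drive. Apply the change, reboot, then run Resume-AfterBootChange."
}

function Resume-AfterBootChange {
    # Step 2: run AFTER the machine has rebooted on the new boot chain. Re-enabling
    # reseals the key to the TPM's current measurements; doing this before the
    # reboot would reseal to the old ones and bring the recovery prompt back.
    & manage-bde.exe -protectors -enable $Drive | Out-Null
    if ((Get-ProtectionState) -ne 'On') {
        throw "Protectors did not re-enable on $Drive; do not leave the machine in this state."
    }
    Write-Host "Protection is back on for $Drive."
}

# Usage (two separate elevated sessions, with the change and reboot in between):
#   Suspend-ForBootChange
#   <apply the firmware update or boot configuration change, reboot>
#   Resume-AfterBootChange
Write-Host "Current protection state for ${Drive}: $(Get-ProtectionState)"
```

The check for a recovery password before suspending is the defensive part: if the resealing fails anyway, the machine still boots with the escrowed recovery password, whereas a TPM-only drive with a stale seal has no way in at all.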
Thanks for your input Jonathan,
I'm sure you've come across this article as well, but here is an article relating to common reasons BitLocker will request the recovery key (it is dated 2010, but probably still applies):
http://blogs.technet.com/b/ask.....ution.aspx
Jake
Thanks for everyone's input here. We decided to go with BitLocker. All of our laptops have the TPM chip version 1.2, so that is nice. I'm contemplating the MDOP add-on, which is roughly $10 per device per year and includes BitLocker Administration (MBAM). Hopefully they allow a demo before buying the software.
I found a forum post that showed a method to upgrade to Windows 7 Enterprise from Windows 7 Pro without having to re-install the OS from scratch or image each machine. I've tried it and it has worked so far, even on my desktop computer. The longest part of the upgrade is re-installing all of the Windows updates again. Feel free to try it yourself if you have Windows Enterprise licensing by following post #9 at http://www.sevenforums.com/installation-setup/194769-upgrade-7-pro-7-enterprise.html. I would recommend trying it on a spare or test computer first to familiarize yourself with the process. It does take time, but once the computer is given back to the provider or staff, the Windows profile is intact, so there is no downtime on their part setting their profile back up. Remember to back up either the entire computer using Windows Backup, or just the important pieces (i.e. the user profile and any other folders of importance to your organization).
Thanks,
Jake