Windows 7 Thread, BitLocker on laptops in Technical; Just wondering if anyone has used BitLocker on staff-issued laptops? We're going to encrypt all of ours and just ordered ...
7th February 2011, 03:42 PM #1
BitLocker on laptops
Just wondering if anyone has used BitLocker on staff-issued laptops? We're going to encrypt all of ours and just ordered some cheap USB sticks to hold the encryption key as I somehow doubt they have TPM onboard
Would be interested to know how much of a hit it has on performance and if there's any compatibility issues anyone's encountered?
7th February 2011, 03:52 PM #2
Works very well apart from staff losing the USB keys
Make sure you keep a copy of the backup key from the usb key and also check that the recovery key is being stored in active directory.
You need to have some firm policies in place, such as not keeping the usb key in the laptop bag. Also, when (not if) a memeber of staff loses their usb key you really need to be re-encrypting the hard drive with a new encryption key. If they just break their key then just copy the encryption key onto a new usb stick.
7th February 2011, 03:57 PM #3
These laptops aren't part of the domain (issued for home use and never see the network) so we're going to keep records of the keys for each laptop on record (file stored on the network and paper documentation).
Yup we'll be making it part of the loan scheme that the USB key is never stored with the laptop, will try and get them to put the USB on their main keys when booking out to make sure
7th February 2011, 04:01 PM #4
How are they going to back up any work on them and how are you going to ensure the backup is encrypted?
7th February 2011, 04:06 PM #5
Tbh I don't think many have ever been backed up but you make a good point about the use of USB sticks etc. Would be easy enough to control on network managed machines but not so sure about these ones. I think the next stage is encrypted USB sticks but haven't got those yet...
7th February 2011, 04:08 PM #6
Have the laptops already been partitioned accordingly, i.e. with the 1.5Gb system partition? If not then you're going to have to format as you may already know.
Also, my understanding of BitLocker is that it will hit the performance but if the laptops aren't used for anything that rely on fast performance I can't see it being an issue. Could be worth looking into EFS for folder encryption if there's only a select few files that really need encrypting. Unless you're worried about the pagefile and whatnot.
7th February 2011, 04:17 PM #7
Yup they need to be completely reformatted anyway, the plus point of doing it with BitLocker is that it doesn't rely on people storing files in the right place... anywhere on the HD will be encrypted... can't get much easier than that
7th February 2011, 04:25 PM #8
That's true but on the other hand they don't have to rely on a USB to do any work at all, if they lose it on a weekend and can't see you for a day or two it's pretty much a brick in the meantime. It's one of those pros vs cons things isn't it. Ideally I'd love to BitLocker all our laptops here but I know without a doubt that USBs would be constantly lost or left with the laptop itself out of convenience. Either way it's a headache we could do without though I appreciate that sometimes you really do need this level of security.
Originally Posted by gshaw
7th February 2011, 04:27 PM #9
isnt that why when installing win7 it leaves a blank partition so you dont need to do that?
7th February 2011, 04:28 PM #10
It's an even bigger headache for the school when a laptop gets stolen and has confidential data in an unencrypted part of the drive, think it's up to a £500k fine now.
Originally Posted by Killer_Bot
7th February 2011, 04:31 PM #11
That's correct. In addition to BitLocker, the 100MB partition is also used for other things (it's not completely blank).
Originally Posted by sted
7th February 2011, 04:33 PM #12
Luckily that's not my decision to make, I just do as I'm told by my boss BitLocker is by no means fully secure either, especially if it's set for the USB keys. Granted, it's much more secure than an unencrypted drive but requires far more staff training RE things like storage, social engineering, passwords, etc.
Originally Posted by teejay
Just to be clear I'm not against BitLocker, I just don't think it's something to take on lightly when EFS and training with it can do almost the same thing.
7th February 2011, 04:37 PM #13
Isn't that 100MB partition hidden anyway?
Originally Posted by Arthur
Tbh once we get our 2008 servers in the whole argument becomes moot anyway as it'll all be done via Terminal Services \ VDI so will only need an Internet connection and no files will be moving between locations. In the meantime it's really just a case of providing an additional computing resource with Office etc installed for staff that don't have dedicated PCs at home. As it stands I'd rather have them encrypted and take a few groans than the other option as mentioned above.
Just considering if it's worth locking the USB ports as well, although that might push people over the edge :P
Quick qu just thinking about it, if set to encrypt the boot drive am I right in thinking it won't auto encrypt USB sticks by default? Not sure I want it doing that until we've decided on a strategy there...
Last edited by gshaw; 7th February 2011 at 04:43 PM.
7th February 2011, 04:41 PM #14
It's another layer of protection so why not. As you say it's only temporary. Otherwise could a user not "accidentally" copy some contents onto there unencrypted stick? Not sure if it works like EFS where it unencrypts before copying? You could maybe set up BitLocker ToGo though and insist sticks be protected with that?
7th February 2011, 04:43 PM #15
They'll all be broken in a few weeks from having the usb encryption key rammed in the wrong way round anyway
Originally Posted by gshaw
By Ric_ in forum O/S Deployment
Last Post: 23rd June 2010, 08:52 PM
By p858snake in forum IT News
Last Post: 5th December 2009, 10:52 AM
By laserblazer in forum Hardware
Last Post: 30th November 2007, 07:49 PM
By tosca925 in forum General Chat
Last Post: 24th July 2007, 09:10 PM
By Nij.UK in forum Windows Vista
Last Post: 6th June 2007, 09:11 AM
Users Browsing this Thread
There are currently 1 users browsing this thread. (0 members and 1 guests)