Just wondering if anyone has used BitLocker on staff-issued laptops? We're going to encrypt all of ours and just ordered some cheap USB sticks to hold the encryption key as I somehow doubt they have TPM onboard
Would be interested to know how much of a hit it has on performance and if there's any compatibility issues anyone's encountered?
Works very well apart from staff losing the USB keys
Make sure you keep a copy of the backup key from the usb key and also check that the recovery key is being stored in active directory.
You need to have some firm policies in place, such as not keeping the usb key in the laptop bag. Also, when (not if) a memeber of staff loses their usb key you really need to be re-encrypting the hard drive with a new encryption key. If they just break their key then just copy the encryption key onto a new usb stick.
These laptops aren't part of the domain (issued for home use and never see the network) so we're going to keep records of the keys for each laptop on record (file stored on the network and paper documentation).
Yup we'll be making it part of the loan scheme that the USB key is never stored with the laptop, will try and get them to put the USB on their main keys when booking out to make sure
How are they going to back up any work on them and how are you going to ensure the backup is encrypted?
Tbh I don't think many have ever been backed up but you make a good point about the use of USB sticks etc. Would be easy enough to control on network managed machines but not so sure about these ones. I think the next stage is encrypted USB sticks but haven't got those yet...
Have the laptops already been partitioned accordingly, i.e. with the 1.5Gb system partition? If not then you're going to have to format as you may already know.
Also, my understanding of BitLocker is that it will hit the performance but if the laptops aren't used for anything that rely on fast performance I can't see it being an issue. Could be worth looking into EFS for folder encryption if there's only a select few files that really need encrypting. Unless you're worried about the pagefile and whatnot.
Yup they need to be completely reformatted anyway, the plus point of doing it with BitLocker is that it doesn't rely on people storing files in the right place... anywhere on the HD will be encrypted... can't get much easier than that
That's true but on the other hand they don't have to rely on a USB to do any work at all, if they lose it on a weekend and can't see you for a day or two it's pretty much a brick in the meantime. It's one of those pros vs cons things isn't it. Ideally I'd love to BitLocker all our laptops here but I know without a doubt that USBs would be constantly lost or left with the laptop itself out of convenience. Either way it's a headache we could do without though I appreciate that sometimes you really do need this level of security.Originally Posted by gshaw
isnt that why when installing win7 it leaves a blank partition so you dont need to do that?
It's an even bigger headache for the school when a laptop gets stolen and has confidential data in an unencrypted part of the drive, think it's up to a £500k fine now.
That's correct. In addition to BitLocker, the 100MB partition is also used for other things (it's not completely blank).
Luckily that's not my decision to make, I just do as I'm told by my boss
Just to be clear I'm not against BitLocker, I just don't think it's something to take on lightly when EFS and training with it can do almost the same thing.
Isn't that 100MB partition hidden anyway?
Tbh once we get our 2008 servers in the whole argument becomes moot anyway as it'll all be done via Terminal Services \ VDI so will only need an Internet connection and no files will be moving between locations. In the meantime it's really just a case of providing an additional computing resource with Office etc installed for staff that don't have dedicated PCs at home. As it stands I'd rather have them encrypted and take a few groans than the other option as mentioned above.
Just considering if it's worth locking the USB ports as well, although that might push people over the edge :P
Quick qu just thinking about it, if set to encrypt the boot drive am I right in thinking it won't auto encrypt USB sticks by default? Not sure I want it doing that until we've decided on a strategy there...
Last edited by gshaw; 7th February 2011 at 03:43 PM.
It's another layer of protection so why not. As you say it's only temporary. Otherwise could a user not "accidentally" copy some contents onto there unencrypted stick? Not sure if it works like EFS where it unencrypts before copying? You could maybe set up BitLocker ToGo though and insist sticks be protected with that?
They'll all be broken in a few weeks from having the usb encryption key rammed in the wrong way round anyway
There are currently 1 users browsing this thread. (0 members and 1 guests)
Posting Permissions
LinkBack URL
About LinkBacks
