Encrypting Laptop Data

[AnnDroyd]

There seems to be a bit of publicity about issues surrounding the encryption of laptop data present.

Is this something that we should be applying to teacher's laptops if they are taken out of school?

If so, is there a way of encrypting data using native Windows tools or does it require third party software?

I don't know much about it but presumably the principle is to store the data in such a way that if the laptop is stolen, the contents of the hard drive cannot be retrieved and read?

[plexer]

How about:

http://edugeek.net/forums/showthread.php?t=14759
&
http://edugeek.net/forums/showthread.php?t=14667

May be some info in there for you.

Ben

[SYNACK]

So long as you are running XP Pro on the stations you could use NTFS EFS (Encrypted File System) to secure the files as it is integrated into Windows. There is almost defiantly an automated way to do it to.

[sahmeepee]

So long as you are running XP Pro on the stations you could use NTFS EFS (Encrypted File System) to secure the files as it is integrated into Windows. There is almost defiantly an automated way to do it to.

The automated way of doing it via group policy doesn't actually work. It gives the impression of having applied the policy, but all it actually does is disables the GUI controls when logged on locally.

You can check this by comparing a machine which has had the policy applied via GPO with one you've done manually through the GUI. The latter will show your filenames in green in Explorer, the other won't. I went to great lengths to check that the files were definitely not encrypted.

Thank you Microsoft. I wasted about a day on that little gem!

EDIT: Vista laptops have bitlocker of course, which probably works as advertised.

[Geoff]

Vista laptops have bitlocker of course, which probably works as advertised

And he's a guide, for anyone searching for one on the forums in the future.

http://www.windowsecurity.com/articl...ker-Part1.html

[Niraj]

The only problem with bitlocker at the moment is that it will only encrypt the system partition. If you have a setup with a C: and D: where users hold there info on the D then only C will be encrypted. This is hopefully going to be fixed in SP1 for Vista

The other thing with bitlocker is that you have to extend the AD schema so that it can handle the users keys so that if ever the use was to forget there password there is a way to recover from this.

[Geoff]

You have to extend the AD schema anyway for the Wireless/Wired networking enhancements.

[Martin]

The only problem with bitlocker at the moment is that it will only encrypt the system partition. If you have a setup with a C: and D: where users hold there info on the D then only C will be encrypted.

That seems to be the official Microsoft line, but we have successfully encrypted just the D: drive (used for data) and left the C: drive (for the O/S) un-encrypted.

I think that Microsoft use D: to refer to the bootable (and hence unencrypted) partition, which then "unlocks" the system partition to run Windows in their vanilla configuration - hence the confusion.

Obviously, if you don't encrypt the system partition, you should redirect your pagefile, temp etc. to the encrypted drive, so that data doesn't leak unexpectedly!

Oh, and if you work for HMRC, don't forget to stick a post-it on the back of your keyboard with the password on it

mb