BitLocker, Drive encryption??

knc

I have a client asking for drive encryption. I have never used it before; what would the best route to go be?

What are some of the pitfalls I should be aware of?
 
BitLocker is great - assuming that they have a supported version of Windows 7.

A few things to consider:

  1. When activating - you will need to save the key file to an external device.
  2. I recommend you save these key files and the .txt with the recovery key to a secure, easily accessible location.
  3. You should create a DaRT disk that you can use to diagnose these PCs.
  4. When imaging a machine - it will save you time if you encrypt the drive before migrating data.
 
What other products are available, and just how does it work? I assume you will need an encryption key; when and how does that get applied?
 
TrueCrypt has been around for a long time. You can have an encrypted container, volume or entire live system. I have only used it on the first two personally. Free and open source.

http://www.truecrypt.org/
 
BitLocker is great - assuming that they have a supported version of Windows 7.

A few things to consider:

  1. When activating - you will need to save the key file to an external device.
  2. I recommend you save these key files and the .txt with the recovery key to a secure, easily accessible location.
  3. You should create a DaRT disk that you can use to diagnose these PCs.
  4. When imaging a machine - it will save you time if you encrypt the drive before migrating data.

Or in Active Directory so that the key can be retrieved by administrators. You can also store the BitLocker keys for external drives in AD so that they can be retrieved if lost.
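
The Active Directory escrow suggested in the reply above, as an added example that is not part of the thread: a PowerShell audit that checks each BitLocker volume for a recovery password protector and backs it up to AD. It assumes an elevated prompt on a domain-joined machine, the BitLocker PowerShell module (Windows 8 / Server 2012 or later), and Group Policy that allows recovery information to be stored in AD DS.

```powershell
# Added example (not from the thread). Assumes: elevated prompt, domain-joined
# machine, BitLocker PowerShell module (Windows 8 / Server 2012 or later), and
# Group Policy that permits storing recovery information in AD DS.
Import-Module BitLocker -ErrorAction Stop

$report = foreach ($vol in Get-BitLockerVolume) {
    # Recovery passwords are the protectors that can be escrowed to AD.
    $recovery = @($vol.KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    $escrowed = $false
    $note = ''

    if ($vol.ProtectionStatus -ne 'On') {
        $note = 'BitLocker protection is not on'
    }
    elseif ($recovery.Count -eq 0) {
        $note = 'no recovery password protector to back up'
    }
    else {
        try {
            foreach ($kp in $recovery) {
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $kp.KeyProtectorId -ErrorAction Stop | Out-Null
            }
            $escrowed = $true
        }
        catch {
            $note = "AD backup failed: $($_.Exception.Message)"
        }
    }

    # Report protector IDs only; the recovery password itself is never printed.
    [pscustomobject]@{
        MountPoint   = $vol.MountPoint
        VolumeStatus = $vol.VolumeStatus
        Protection   = $vol.ProtectionStatus
        ProtectorIds = ($recovery | ForEach-Object { $_.KeyProtectorId }) -join ', '
        EscrowedToAD = $escrowed
        Note         = $note
    }
}

$report | Format-Table -AutoSize -Wrap
```

On Windows 7, which does not ship these cmdlets, the built-in `manage-bde -protectors -adbackup` command performs the same backup for a given protector ID.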
 
What other products are available, and just how does it work? I assume you will need an encryption key; when and how does that get applied?

SafeBoot by McAfee is pretty good in an enterprise environment (not sure how big your client is).

Easy to troubleshoot
 
What is your need.....to just encrypt a folder? Or to encrypt most or all of a drive?

Doing "all" of a HDD...the entire drive, is called "FDE"....Full Disk Encryption.

I've done both quite a bit.....used TrueCrypt to secure a folder....or external USB drive.
And I've used TrueCrypt to do FDE. As well as I've used (and prefer) hardware to do the FDE.

Software encryption (like TrueCrypt) will suck some performance out of a computer when doing FDE. So Windows takes a bit longer to load, programs, opening files, etc. Since the CPU gets hit with the job of decrypting files as you do things. Performance hits vary..it's not as big these days with the true multi-core processors....a few years ago you did really feel it with single core or software core (hyper-thread) processors. As much as a 30-40% hit in performance. Hardware FDE...the hard drives come with a daughter card attached to them which has a processor that does all the work. You'll see these as options on higher end business models of desktops and laptops.
 
We have 4 workstations and want (their request) to do a FDE of the Server as they are a financial institution, and the data they have stored is an identity thief's playground.

What about Sophos? They make an encryption package.

I am concerned about the performance hit they will take also. Older XP Pro machines and a 2008 SBS server.
 
I spoke with McAfee today, and they claimed that encrypting a Server drive is unusual? My client is concerned with their physical equipment being stolen, so this should be a normal consideration.

McAfee claims mobile devices AND desktops are the target market for encryption... hmmm. Data is on the Server...
 