Educause Security Discussion mailing list archives

Re: Whole Disk Encryption


From: Rich Graves <rgraves () CARLETON EDU>
Date: Tue, 17 Jan 2012 15:44:16 -0600

Assuming that all laptops are in a domain and that you push settings with GPO, BitLocker key recovery is decent. If you combine the built-in AD tools with SCCM, it's nearly as good as PGP. You will have ample opportunity to gain experience with it, because even with the most liberal PCR settings, users will violate the boot integrity check frequently, and at the most inconvenient times. We have about 100 PCs running BitLocker, but I would not recommend it.

There is no supported enterprise escrow for FileVault 2. If all laptops are imaged and encrypted by central IT techs, then it ought to be possible to come up with manual procedures, just like some people did with TrueCrypt. If encryption is decentralized, forget about it.
-- 

Rich Graves http://claimid.com/rcgraves 
Carleton.edu Sr UNIX and Security Admin 
CMC135: 507-222-7079 Cell: 952-292-6529 
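An added audit helper illustrating the AD-escrow point from the post above (example code, not Rich Graves' or Carleton's own). It assumes the BitLocker PowerShell module (Windows 8 / Server 2012 or later) on a domain-joined client where the "Store BitLocker recovery information in AD DS" policy is applied; the function name Test-BitLockerEscrow is hypothetical.

```powershell
# Added example: report, per volume, whether BitLocker has a TPM protector and a
# recovery password, and optionally escrow each recovery password to AD DS.
# Assumes the BitLocker module and a domain-joined machine with the AD DS
# backup GPO in effect; Backup-BitLockerKeyProtector fails otherwise.
Import-Module BitLocker

function Test-BitLockerEscrow {
    param([switch]$Escrow)  # -Escrow pushes any recovery password to AD DS

    foreach ($vol in Get-BitLockerVolume) {
        $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        $tpm = $vol.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*'

        $result = [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            HasTpmProtector  = [bool]$tpm
            HasRecoveryPwd   = [bool]$rp      # without this there is nothing to escrow
            EscrowedNow      = $false
        }

        if ($Escrow -and $rp -and $vol.VolumeStatus -ne 'FullyDecrypted') {
            foreach ($p in $rp) {
                # Writes this recovery password to the computer object in AD DS
                Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint `
                    -KeyProtectorId $p.KeyProtectorId -ErrorAction Stop | Out-Null
            }
            $result.EscrowedNow = $true
        }
        $result
    }
}

# Run from an elevated prompt; volumes lacking a recovery password show up as
# HasRecoveryPwd = False and need one added before escrow can succeed.
Test-BitLockerEscrow -Escrow | Format-Table -AutoSize
```

A volume that shows HasTpmProtector = True and HasRecoveryPwd = False is the case the post warns about: a PCR-triggered recovery prompt with no escrowed key to answer it.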
