Solved

Encrypting Windows 7 Pro hard drive

Posted on 2014-01-21
Last Modified: 2014-01-27
Need to encrypt Windows 7 Pro hard drives on a handful of computers.  Computers have only 1 hard drive and have no TPM chip.  Computers are members of a domain.

Please give me some suggestions and pros/cons for easy to use (free or paid) encryption software.


Thank you
0
Comment
Question by:itechresults
11 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39798799
BitLocker and TrueCrypt come instantly to mind.
0
 
LVL 95

Accepted Solution

by:
Lee W, MVP earned 200 total points
ID: 39798995
Unfortunately, BitLocker is not available without Enterprise or Ultimate in Windows and without a TPM, in my opinion, it's a PITA to use.

TrueCrypt would probably be the best solution - it'll require a PIN to boot up (or I think it does), but that's a relatively easy thing to deal with.

BEST solution is to replace the laptops with BUSINESS CLASS machines, add Software Assurance, and run Enterprise, enabling BitLocker.  At least in my opinion.
0
 
LVL 34

Assisted Solution

by:Seth Simmons
Seth Simmons earned 67 total points
ID: 39799015
Yes, I've used TrueCrypt before and it does prompt for a password before booting.
Likely your best option (aside from purchasing new systems).
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 67 total points
ID: 39799154
I would prefer the TrueCrypt spin-off DiskCryptor. Have used both on many systems and DC runs with better performance (measured on two file servers, at least).
The use is very easy with both, only make sure you are aware that:

A. you need to adjust your backup methods
B. you need to exercise a full restore (disaster recovery)
C. you would need a policy on how often passwords would need to be changed
D. encryption does not cover all sorts of attacks
E. there are still ways to get in ("evil maid attack", firewire hack, cold boot attacks)
F. maintenance will become harder (no automatic reboots without pw, no OS upgrades without decryption)
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 66 total points
ID: 39806488
BL works fine w/out TPM, but I am partial to TC myself.
http://windows.microsoft.com/en-us/windows-vista/bitlocker-drive-encryption-overview
BitLocker can also be used without a TPM. To use BitLocker on a computer without a TPM, you must change the default behavior of the BitLocker setup wizard by using Group Policy, or configure BitLocker by using a script. When BitLocker is used without a TPM, the required encryption keys are stored on a USB flash drive that must be presented to unlock the data stored on a volume.
Also understand that HDD encryption is only protecting your data if the computer is powered off.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39812936
No finishing comment? What a pity. What will you deploy?
0
 

Author Comment

by:itechresults
ID: 39812945
I will replace Win 7 Pro PCs with Windows 8 Pro PCs and utilize BitLocker with TPM.

Thanks
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39812979
With win8, Bitlocker has become better, that's right. But new laptops just for this? :) Well, maybe you needed them anyway. Please be aware that TPM should not be seen as an easy solution compared to preboot authentication with passwords.
It's absolutely necessary to use the TPM together with a PIN. TPM alone is not safe.
0
 

Author Comment

by:itechresults
ID: 39813017
Well, I just got the OK to replace the hardware.   Currently running low end HP SFF desktop PCs.  Will be holding off encryption until new hardware is in place.

Thanks for the advice using TPM with PIN.  Yes, I was looking at Bitlocker w/ TPM as an easy solution.  Makes sense to use TPM with PIN.  It's just a big pain in the a@s having to unlock PC at every boot.  Makes maintenance difficult too.

Thanks
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39813111
> Makes maintenance difficult too
Depends. You should have an administrative key on a USB token* if you walk to the machine, service it and restart it - no password entry needed, then. If you connect via remote desktop, for restarts, you have the ability to suspend BitLocker (right-click C: - Manage BitLocker - Suspend protection).

*Yes, multiple keys are possible.
0
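The TPM-with-PIN, administrative USB key and suspend-before-restart steps discussed in the comments above, as an added PowerShell example that is not part of any participant's post. It assumes Windows 8 or later with the BitLocker module and an elevated session; the function names and the `E:\` USB path are hypothetical.

```powershell
# Added example, not from the thread. Needs the BitLocker module
# (Windows 8 / Server 2012 or later) and an elevated PowerShell session.

# Report which protectors guard the OS volume, so TPM-only machines stand out.
function Get-OsVolumeProtectorReport {
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = $types -join ', '
        TpmOnly          = $types -contains 'Tpm'         # boots with no user input
        HasExternalKey   = $types -contains 'ExternalKey' # key file on removable media
    }
}

# Switch the OS volume to TPM + PIN. Group Policy ("Require additional
# authentication at startup") must allow a startup PIN first.
function Add-StartupPin {
    param([string]$MountPoint = $env:SystemDrive)
    $pin = Read-Host -AsSecureString 'New BitLocker startup PIN'
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin
}

# Write an additional key file to a USB stick for on-site servicing.
# 'E:\' is an assumed drive letter; store the stick away from the PC.
function Add-AdminUsbKey {
    param([string]$MountPoint = $env:SystemDrive, [string]$UsbPath = 'E:\')
    Add-BitLockerKeyProtector -MountPoint $MountPoint `
        -RecoveryKeyProtector -RecoveryKeyPath $UsbPath
}

# Suspend protection for exactly one restart (remote maintenance).
# While suspended the volume key is readable from disk, so keep the window short.
function Suspend-ForOneReboot {
    param([string]$MountPoint = $env:SystemDrive)
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 1
}

# Read-only check; the other functions change protectors and are run on purpose.
Get-OsVolumeProtectorReport | Format-List
```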
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39813206
Security is always a compromise, be it ease of use, or cost. It costs more to be secure, and it's never easy, you are only as secure as the weakest link. Having an encrypted HDD is a good first step, using TPM, PIN or USB I consider that secondary, adds no REAL security. To bypass any method of HDD encryption with respect to TC/BL/PGP you need physical access, because the attack scenario (HDD Encryption) is one of physical access.
TPM ties the encryption to the hardware, that is the only real advantage, it can be a good advantage, if the HDD is removed, but if it's not, the attack surface is no different than a program not using TPM.
The weakest link is the running OS, when the OS is running, the data on the HDD is no more secure than before HDD encryption took place. Any reputable encryption of the HDD is better than none, TPM and other tertiary steps are overkill (depending on your data's sensitivity). Physical access brings evil maid, cold-boot and physical key logging to an equal playing field, each is as possible as the other. The decryption key in memory while the OS is running is all one needs: sit back and wait for the user to get the attacker to that point, which nullifies PIN, USB, thumbprint, blood samples, voice recognition and DNA scanning.
-rich
0

Question has a verified solution.