Solved

Encrypting Windows 7 Pro hard drive

Posted on 2014-01-21
Last Modified: 2014-01-27
Need to encrypt Windows 7 Pro hard drives on a handful of computers.  Computers have only 1 hard drive and have no TPM chip.  Computers are members of a domain.

Please give me some suggestions and pros/cons for easy to use (free or paid) encryption software.


Thank you
Question by:itechresults
11 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39798799
BitLocker and TrueCrypt come instantly to mind
LVL 95

Accepted Solution

by:Lee W, MVP
Lee W, MVP earned 200 total points
ID: 39798995
Unfortunately, BitLocker is not available without Enterprise or Ultimate in Windows and without a TPM, in my opinion, it's a PITA to use.

TrueCrypt would probably be the best solution - it'll require a PIN to boot up (or I think it does), but that's a relatively easy thing to deal with.

BEST solution is to replace the laptops with BUSINESS CLASS machines, add Software Assurance, and run Enterprise, enabling BitLocker.  At least in my opinion.
LVL 34

Assisted Solution

by:Seth Simmons
Seth Simmons earned 67 total points
ID: 39799015
Yes, I've used TrueCrypt before and it does prompt for a password before booting.
Likely your best option (aside from purchasing new systems).
LVL 53

Assisted Solution

by:McKnife
McKnife earned 67 total points
ID: 39799154
I would prefer the TrueCrypt spin-off DiskCryptor. Have used both on many systems and DC runs with better performance (measured on two file servers, at least).
The use is very easy with both, only make sure you are aware that:

A. you need to adjust your backup methods
B. you need to exercise a full restore (disaster recovery)
C. you would need a policy on how often passwords would need to be changed
D. encryption does not cover all sorts of attacks
E. there are still ways to get in ("evil maid attack", firewire hack, cold boot attacks)
F. maintenance will become harder (no automatic reboots without pw, no OS upgrades without decryption)
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 66 total points
ID: 39806488
BL works fine w/out TPM, but I am partial to TC myself.
http://windows.microsoft.com/en-us/windows-vista/bitlocker-drive-encryption-overview
BitLocker can also be used without a TPM. To use BitLocker on a computer without a TPM, you must change the default behavior of the BitLocker setup wizard by using Group Policy, or configure BitLocker by using a script. When BitLocker is used without a TPM, the required encryption keys are stored on a USB flash drive that must be presented to unlock the data stored on a volume.
Also understand that HDD encryption is only protecting your data if the computer is powered off.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich
LVL 53

Expert Comment

by:McKnife
ID: 39812936
No finishing comment? What a pity. What will you deploy?

Author Comment

by:itechresults
ID: 39812945
I will replace Win 7 Pro PCs with Windows 8 Pro PCs and utilize BitLocker with TPM.

Thanks
LVL 53

Expert Comment

by:McKnife
ID: 39812979
With Win8, BitLocker has become better, that's right. But new laptops just for this? :) Well, maybe you needed them anyway. Please be aware that TPM should not be seen as an easy solution compared to preboot authentication with passwords.
It's absolutely necessary to use the TPM together with a PIN. TPM alone is not safe.

Author Comment

by:itechresults
ID: 39813017
Well, I just got the OK to replace the hardware.   Currently running low end HP SFF desktop PCs.  Will be holding off encryption until new hardware is in place.

Thanks for the advice using TPM with PIN.  Yes, I was looking at Bitlocker w/ TPM as an easy solution.  Makes sense to use TPM with PIN.  It's just a big pain in the a@s having to unlock PC at every boot.  Makes maintenance difficult too.

Thanks
LVL 53

Expert Comment

by:McKnife
ID: 39813111
> Makes maintenance difficult too
Depends. You should have an administrative key on a USB token* if you walk to the machine, service it and restart it - no password entry needed, then. If you connect via remote desktop, for restarts, you have the ability to suspend BitLocker (right-click C: - manage BitLocker - suspend protection).

*Yes, multiple keys are possible.
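As an added example (not code from any answer in this thread), one PowerShell script, run elevated on the OS volume's machine, that wires together the three BitLocker points raised above: Rich's quote that BitLocker without a TPM needs the Group Policy change and a USB startup key, McKnife's point that a TPM must be paired with a PIN rather than used alone, and his suggestion to suspend protection for a remote-desktop restart. The FVE registry path and value names are the ones the "Require additional authentication at startup" policy writes; the drive letters C: and E: and the Win32_Tpm probe are assumptions.

```powershell
# Added example, not from the thread. Assumed: OS volume is C:, USB stick is E:.
$OsDrive = 'C:'
$UsbKey  = 'E:\'

# (1) Local equivalent of the GPO "Require additional authentication at startup".
# On domain members deploy this via GPO; the values below are what the policy writes.
# UseAdvancedStartup=1 turns the policy on, EnableBDEWithNoTPM=1 allows a USB startup
# key on machines with no TPM (the Win7 Pro boxes in the question).
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
New-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -Value 1 -PropertyType DWord -Force | Out-Null
# (2) Value meaning: 0 = do not allow, 1 = require, 2 = allow.
# TPM-only is forbidden (UseTPM=0) and TPM+PIN is required, per McKnife's advice.
New-ItemProperty -Path $fve -Name UseTPM       -Value 0 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $fve -Name UseTPMPIN    -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $fve -Name UseTPMKey    -Value 0 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $fve -Name UseTPMKeyPIN -Value 2 -PropertyType DWord -Force | Out-Null

# Does this machine have a TPM at all? (assumed probe; returns nothing on the
# TPM-less desktops from the question)
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm `
       -ErrorAction SilentlyContinue
$hasTpm = $null -ne $tpm

# Protectors via manage-bde (present on Win7 and Win8). Escrow a recovery password
# first and keep it off the machine; it is the only way back in if the PIN or USB
# key is lost.
manage-bde -protectors -add $OsDrive -RecoveryPassword
if ($hasTpm) {
    manage-bde -protectors -add $OsDrive -TPMAndPIN        # prompts for the PIN
} else {
    manage-bde -protectors -add $OsDrive -StartupKey $UsbKey   # key must be present at boot
}
manage-bde -on $OsDrive
manage-bde -status $OsDrive

# (3) Maintenance restart over Remote Desktop: suspend protection so the box boots
# without a PIN or USB key. While suspended the volume key is stored in the clear,
# so re-enable as soon as the machine is back.
manage-bde -protectors -disable $OsDrive
Restart-Computer -Force
# After the reboot, from the same session or a scheduled task:
#   manage-bde -protectors -enable C:
```

On Windows 8 the suspend can be limited to a single boot with `manage-bde -protectors -disable C: -RebootCount 1`, which re-arms protection automatically.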
LVL 38

Expert Comment

by:Rich Rumble
ID: 39813206
Security is always a compromise, be it ease of use, or cost. It costs more to be secure, and it's never easy, you are only as secure as the weakest link. Having an encrypted HDD is a good first step, using TPM, PIN or USB I consider that secondary, adds no REAL security. To bypass any method of HDD encryption with respect to TC/BL/PGP you need physical access, because the attack scenario (HDD Encryption) is one of physical access.
TPM ties the encryption to the hardware, that is the only real advantage, it can be a good advantage, If the HDD is removed, but if it's not, the attack surface is no different than a program not using TPM.
The weakest link is the running OS, when the OS is running, the data on the HDD is no more secure than before HDD encryption took place. Any reputable encryption of the HDD is better than none, TPM and other tertiary steps are overkill (depending on your data's sensitivity). Physical access brings evil maid, cold-boot and physical key logging to an equal playing field, each is as possible as the other. The decryption key in memory while the OS is running is all one needs; just sit back and wait for the user to get the attacker to that point, which nullifies PIN, USB, thumbprint, blood samples, voice recognition and DNA scanning.
-rich