Solved

Encrypting Windows 7 Pro hard drive

Posted on 2014-01-21
2,446 Views
Last Modified: 2014-01-27
Need to encrypt Windows 7 Pro hard drives on a handful of computers.  Computers have only 1 hard drive and have no TPM chip.  Computers are members of a domain.

Please give me some suggestions and pros/cons for easy to use (free or paid) encryption software.


Thank you
Question by:itechresults
11 Comments
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 39798799
BitLocker and TrueCrypt come instantly to mind
0
 
LVL 95

Accepted Solution

by:Lee W, MVP
Lee W, MVP earned 200 total points
ID: 39798995
Unfortunately, BitLocker is not available without Enterprise or Ultimate in Windows and without a TPM, in my opinion, it's a PITA to use.

TrueCrypt would probably be the best solution - it'll require a PIN to boot up (or I think it does), but that's a relatively easy thing to deal with.

BEST solution is to replace the laptops with BUSINESS CLASS machines, add Software Assurance, and run Enterprise, enabling BitLocker.  At least in my opinion.
0
 
LVL 34

Assisted Solution

by:Seth Simmons
Seth Simmons earned 67 total points
ID: 39799015
Yes, I've used TrueCrypt before and it does prompt for a password before booting.
Likely your best option (aside from purchasing new systems).
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 67 total points
ID: 39799154
I would prefer the TrueCrypt spin-off DiskCryptor. Have used both on many systems and DC runs with better performance (measured on two file servers, at least).
The use is very easy with both, only make sure you are aware that

A) you need to adjust your backup methods
B) you need to exercise a full restore (disaster recovery)
C) you would need a policy on how often passwords would need to be changed
D) encryption does not cover all sorts of attacks
E) there are still ways to get in ("evil maid attack", FireWire hack, cold boot attacks).
F) maintenance will become harder (no automatic reboots without pw, no OS upgrades without decryption)
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 66 total points
ID: 39806488
BL works fine w/out TPM, but I am partial to TC myself.
http://windows.microsoft.com/en-us/windows-vista/bitlocker-drive-encryption-overview
BitLocker can also be used without a TPM. To use BitLocker on a computer without a TPM, you must change the default behavior of the BitLocker setup wizard by using Group Policy, or configure BitLocker by using a script. When BitLocker is used without a TPM, the required encryption keys are stored on a USB flash drive that must be presented to unlock the data stored on a volume.
Also understand that HDD encryption is only protecting your data if the computer is powered off.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich
0
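The no-TPM setup the Microsoft text above describes (startup key on a USB flash drive, enabled through Group Policy), as an added example that is not code from the thread. It uses the registry values behind the "Require additional authentication at startup" policy and manage-bde, both present in Windows 7 Enterprise/Ultimate and Windows 8 Pro; Windows 7 Pro, the edition in the question, ships no BitLocker at all, so this only applies after the edition changes. The USB drive letter E: is an assumption.

```powershell
# Added example, not code from the thread. Enables BitLocker on the OS drive
# of a machine WITHOUT a TPM, keeping the startup key on a USB flash drive.
# Run from an elevated PowerShell on an edition that ships BitLocker
# (Windows 7 Enterprise/Ultimate, Windows 8 Pro/Enterprise).
# Assumption: the USB flash drive that will hold the startup key is E:.

$OsDrive  = 'C:'
$UsbDrive = 'E:'

# 1. Local-policy equivalent of Computer Configuration > Administrative
#    Templates > Windows Components > BitLocker Drive Encryption >
#    Operating System Drives > "Require additional authentication at startup"
#    with "Allow BitLocker without a compatible TPM" ticked. On a domain
#    member a domain GPO overrides these local values, so on domain-joined
#    machines put the same setting in the domain GPO instead.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
New-ItemProperty -Path $fve -Name UseAdvancedStartup -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $fve -Name EnableBDEWithNoTPM -PropertyType DWord -Value 1 -Force | Out-Null
gpupdate /target:computer /force | Out-Null

# 2. The startup key will be the only thing that unlocks this machine at boot,
#    so refuse to continue if the removable drive is not actually present.
if (-not (Test-Path "$UsbDrive\")) { throw "Startup-key drive $UsbDrive is not present" }

# 3. Encrypt the OS drive with two protectors: the startup key (a .bek file
#    written to the USB drive) and a 48-digit numerical recovery password,
#    which manage-bde prints. Record that password somewhere other than the
#    laptop; on a domain the "Store BitLocker recovery information in
#    Active Directory Domain Services" policy escrows it in AD DS.
manage-bde -on $OsDrive -StartupKey "$UsbDrive\" -RecoveryPassword

# 4. Check that both protectors attached before the hardware-test reboot that
#    manage-bde requests; the USB drive must stay inserted for that reboot.
manage-bde -protectors -get $OsDrive
manage-bde -status $OsDrive
```

The startup key on the USB drive is a plain external key: whoever holds the drive and the disk can unlock it, which is why the thread's later comments treat a PIN-bound TPM as the better arrangement once the hardware has one.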
 
LVL 54

Expert Comment

by:McKnife
ID: 39812936
No finishing comment? What a pity. What will you deploy?
0
 

Author Comment

by:itechresults
ID: 39812945
I will replace Win 7 Pro PCs with Windows 8 Pro PCs and utilize BitLocker with TPM.

Thanks
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39812979
With win8, Bitlocker has become better, that's right. But new laptops just for this? :) Well, maybe you needed them anyway. Please be aware that TPM should not be seen as an easy solution compared to preboot authentication with passwords.
It's absolutely necessary to use the TPM together with a PIN. TPM alone is not safe.
0
 

Author Comment

by:itechresults
ID: 39813017
Well, I just got the OK to replace the hardware.   Currently running low end HP SFF desktop PCs.  Will be holding off encryption until new hardware is in place.

Thanks for the advice using TPM with PIN.  Yes, I was looking at Bitlocker w/ TPM as an easy solution.  Makes sense to use TPM with PIN.  It's just a big pain in the a@s having to unlock PC at every boot.  Makes maintenance difficult too.

Thanks
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39813111
> Makes maintenance difficult too
Depends. You should have an administrative key on a USB token* if you walk to the machine, service it and restart it - no password entry needed, then. If you connect via remote desktop, for restarts, you have the ability to suspend BitLocker (right-click C: - Manage BitLocker - Suspend protection).

*Yes, multiple keys are possible.
0
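What McKnife's last three comments describe (TPM plus PIN for the user, an administrator's key on a USB token, and suspending protection for a remote restart), as an added example for Windows 8 Pro with a TPM, using the BitLocker PowerShell module that Windows 8 introduced. This is not code from the thread or from Microsoft; the drive letters, the choice of a USB recovery key as the administrative token, and the policy values are assumptions.

```powershell
# Added example, not code from the thread. Windows 8 Pro with a TPM, using the
# BitLocker module (Enable-BitLocker and friends; not available on Windows 7).
# Run from an elevated PowerShell.
# Assumptions: the OS volume is C: and the administrator's USB token is E:;
# the recovery-key-on-USB layout is one way to implement the "administrative
# key on a USB token" idea, not the only one.

$Os  = 'C:'
$Usb = 'E:'

# 1. Policy so that TPM alone is NOT accepted and a PIN is required:
#    "Require additional authentication at startup" with
#    "Configure TPM startup: Do not allow TPM" and
#    "Configure TPM startup PIN: Require startup PIN with TPM".
#    Registry equivalents (0 = do not allow, 1 = require, 2 = allow).
#    On a domain member a domain GPO overrides these local values.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
$policy = @{ UseAdvancedStartup = 1; UseTPM = 0; UseTPMPIN = 1; UseTPMKey = 0; UseTPMKeyPIN = 0 }
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -PropertyType DWord -Value $policy[$name] -Force | Out-Null
}
gpupdate /target:computer /force | Out-Null

# 2. Fail early if the TPM is absent or not provisioned, or the token is
#    missing; the cmdlets below would fail later with less useful errors.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { throw 'TPM is not present or not ready' }
if (-not (Test-Path "$Usb\")) { throw "USB token $Usb is not present" }

# 3. Recovery password first (a 48-digit number; keep it off the laptop),
#    then the user protector: TPM + PIN. The PIN is read as a SecureString so
#    it does not land in command history or a plain-text variable.
$vol  = Add-BitLockerKeyProtector -MountPoint $Os -RecoveryPasswordProtector
$rpId = ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' |
         Select-Object -First 1).KeyProtectorId
$pin  = Read-Host -AsSecureString -Prompt 'Startup PIN (digits, 6 or more)'
Enable-BitLocker -MountPoint $Os -TpmAndPinProtector -Pin $pin -UsedSpaceOnly

# 4. The administrative key: a recovery key (.bek file) on the USB token. A
#    boot with that token inserted unlocks without the PIN, which covers the
#    "walk to the machine, service it and restart it" case. Escrow the
#    recovery password in AD DS as well (needs the AD backup policy enabled).
Add-BitLockerKeyProtector -MountPoint $Os -RecoveryKeyProtector -RecoveryKeyPath "$Usb\" | Out-Null
Backup-BitLockerKeyProtector -MountPoint $Os -KeyProtectorId $rpId

# 5. Verify: protection on, and exactly the protector types we expect
#    (RecoveryPassword, TpmPin, ExternalKey).
Get-BitLockerVolume -MountPoint $Os | Select-Object ProtectionStatus, EncryptionPercentage,
    @{ n = 'Protectors'; e = { ($_.KeyProtector | ForEach-Object KeyProtectorType) -join ', ' } }

# 6. Remote maintenance: suspend for exactly one reboot, then restart.
#    BitLocker re-arms itself after that boot; Resume-BitLocker re-arms it
#    sooner if the restart turns out not to be needed.
Suspend-BitLocker -MountPoint $Os -RebootCount 1
Restart-Computer -Force
```

While protection is suspended the volume master key is stored in the clear on the disk, so the reboot counter in step 6 matters: it limits the window to one boot instead of leaving the machine unprotected until someone remembers to resume. On Windows 7 the same suspend/resume is `manage-bde -protectors -disable C:` followed by `manage-bde -protectors -enable C:` after the restart, which has no reboot counter and therefore depends on that follow-up step being done.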
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39813206
Security is always a compromise, be it ease of use or cost. It costs more to be secure, and it's never easy; you are only as secure as the weakest link. Having an encrypted HDD is a good first step; using TPM, PIN or USB I consider secondary, it adds no REAL security. To bypass any method of HDD encryption with respect to TC/BL/PGP you need physical access, because the attack scenario (HDD encryption) is one of physical access.
TPM ties the encryption to the hardware; that is the only real advantage. It can be a good advantage if the HDD is removed, but if it's not, the attack surface is no different than a program not using TPM.
The weakest link is the running OS: when the OS is running, the data on the HDD is no more secure than before HDD encryption took place. Any reputable encryption of the HDD is better than none; TPM and other tertiary steps are overkill (depending on your data's sensitivity). Physical access brings evil maid, cold boot and physical key logging to an equal playing field; each is as possible as the other. The decryption key is in memory while the OS is running, so all one needs is to sit back and wait for the user to get the attacker to that point, which nullifies PIN, USB, thumbprint, blood samples, voice recognition and DNA scanning.
-rich
0
