Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3298
  • Last Modified:

Encrypting Windows 7 Pro hard drive

Need to encrypt Windows 7 Pro hard drives on a handful of computers.  Computers have only 1 hard drive and have no TPM chip.  Computers are members of a domain.

Please give me some suggestions and pros/cons for easy to use (free or paid) encryption software.


Thank you
0
itechresults
Asked:
itechresults
  • 4
  • 2
  • 2
  • +3
4 Solutions
 
David Johnson, CD, MVPOwnerCommented:
Bitlocker and truecrypt come instantly to mind
0
 
Lee W, MVPTechnology and Business Process AdvisorCommented:
Unfortunately, BitLocker is not available without Enterprise or Ultimate in Windows and without a TPM, in my opinion, it's a PITA to use.

TrueCrypt would probably be the best solution - it'll require a PIN to book up (or I think it does), but that's a relatively easy thing to deal with.

BEST solution is to replace the laptops with BUSINESS CLASS machines, add Software Assurance, and run Enterprise, enabling BitLocker.  At least in my opinion.
0
 
Seth SimmonsSr. Systems AdministratorCommented:
yes, i've used truecrypt before and it does prompt for a password before booting
likely your best option (aside from purchasing new systems)
0
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

 
McKnifeCommented:
I would prefer the truecrypt spin-off disk cryptor. Have used both on many systems and DC runs with better performance (measured on two file servers, at least).
The use is very easy with both, only make sure you are aware that

A you need to adjust your backup methods
B you need to exercise a full restore (disaster recovery)
C you would need a policy on how often passwords would need to be changed
D encryption does not cover all sorts of attacks
E there are still ways to get in ("evil maid attack", firewire hack, cold boot attacks).
F maintenance will become harder (no automatic reboots without pw, no OS upgrades without decryption)
0
 
Rich RumbleSecurity SamuraiCommented:
BL works fine w/out TPM, but I am partial to TC myself.
http://windows.microsoft.com/en-us/windows-vista/bitlocker-drive-encryption-overview
BitLocker can also be used without a TPM. To use BitLocker on a computer without a TPM, you must change the default behavior of the BitLocker setup wizard by using Group Policy, or configure BitLocker by using a script. When BitLocker is used without a TPM, the required encryption keys are stored on a USB flash drive that must be presented to unlock the data stored on a volume.
Also understand what HDD encryption is only protecting your data if the computer is powered off.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich
0
 
McKnifeCommented:
No finishing comment? What a pity. What will you deploy?
0
 
itechresultsAuthor Commented:
I will replace Win 7 Pro PCs with Windows 8 Pro PCsand utilize BitLocker with TPM.

Thanks
0
 
McKnifeCommented:
With win8, Bitlocker has become better, that's right. But new laptops just for this? :) Well, maybe you needed them anyway. Please be aware that TPM should not be seen as an easy solution compared to preboot authentication with passwords.
It's absolutely necessary to use the TPM together with a PIN. TPM alone is not safe.
0
 
itechresultsAuthor Commented:
Well, I just got the OK to replace the hardware.   Currently running low end HP SFF desktop PCs.  Will be holding off encryption until new hardware is in place.

Thanks for the advice using TPM with PIN.  Yes, I was looking at Bitlocker w/ TPM as an easy solution.  Makes sense to use TPM with PIN.  It's just a big pain in the a@s having to unlock PC at every boot.  Makes maintenance difficult too.

Thanks
0
 
McKnifeCommented:
> Makes maintenance difficult too
Depends. You should have an administrative key on a USB token* if you walk to the machine, service it and restart it - no password entry neede, then. If you connect via remote desktop, for restarts, you have the ability to suspend Bitlocker (rightclick c: - manage Bitlocker - suspend protection)

*Yes, multiple keys are possible.
0
 
Rich RumbleSecurity SamuraiCommented:
Security is always a compromise, be it ease of use, or cost. It costs more to be secure, and it's never easy, you are only as secure as the weakest link. Having an encrypted HDD is a good first step, using TPM, PIN or USB I consider that secondary, adds no REAL security. To bypass any method of HDD encryption with respect to TC/BL/PGP you need physical access, because the attack scenario (HDD Encryption)is one of physical access.
TPM ties the encryption to the hardware, that is the only real advantage, it can be a good advantage, If the HDD is removed, but if it's not, the attack surface is no different than a program not using TPM.
The weakest link is the running OS, when the OS is running, the data on the HDD is no more secure than before HDD encryption took place. Any reputable encryption of the HDD is better than none, TPM and other tertiary steps are overkill (depending on your data's sensitivity). Physical access brings evil maid, cold-boot and physical key logging to an equal playing field, each is as possible as other. The decryption key in memory while the OS is running is all one needs is to sit back and wait for the user to get the attacker to that point, nullifies Pin, Usb, Thumbprint, blood samples, voice recognition and dna scanning.
-rich
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

  • 4
  • 2
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now