Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Encrypting Windows 7 Pro hard drive

Posted on 2014-01-21
11
Medium Priority
?
2,751 Views
Last Modified: 2014-01-27
Need to encrypt Windows 7 Pro hard drives on a handful of computers.  Computers have only 1 hard drive and have no TPM chip.  Computers are members of a domain.

Please give me some suggestions and pros/cons for easy to use (free or paid) encryption software.


Thank you
0
Comment
Question by:itechresults
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +3
11 Comments
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 39798799
Bitlocker and truecrypt come instantly to mind
0
 
LVL 96

Accepted Solution

by:
Lee W, MVP earned 600 total points
ID: 39798995
Unfortunately, BitLocker is not available without Enterprise or Ultimate in Windows and without a TPM, in my opinion, it's a PITA to use.

TrueCrypt would probably be the best solution - it'll require a PIN to book up (or I think it does), but that's a relatively easy thing to deal with.

BEST solution is to replace the laptops with BUSINESS CLASS machines, add Software Assurance, and run Enterprise, enabling BitLocker.  At least in my opinion.
0
 
LVL 35

Assisted Solution

by:Seth Simmons
Seth Simmons earned 201 total points
ID: 39799015
yes, i've used truecrypt before and it does prompt for a password before booting
likely your best option (aside from purchasing new systems)
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 56

Assisted Solution

by:McKnife
McKnife earned 201 total points
ID: 39799154
I would prefer the truecrypt spin-off disk cryptor. Have used both on many systems and DC runs with better performance (measured on two file servers, at least).
The use is very easy with both, only make sure you are aware that

A you need to adjust your backup methods
B you need to exercise a full restore (disaster recovery)
C you would need a policy on how often passwords would need to be changed
D encryption does not cover all sorts of attacks
E there are still ways to get in ("evil maid attack", firewire hack, cold boot attacks).
F maintenance will become harder (no automatic reboots without pw, no OS upgrades without decryption)
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 198 total points
ID: 39806488
BL works fine w/out TPM, but I am partial to TC myself.
http://windows.microsoft.com/en-us/windows-vista/bitlocker-drive-encryption-overview
BitLocker can also be used without a TPM. To use BitLocker on a computer without a TPM, you must change the default behavior of the BitLocker setup wizard by using Group Policy, or configure BitLocker by using a script. When BitLocker is used without a TPM, the required encryption keys are stored on a USB flash drive that must be presented to unlock the data stored on a volume.
Also understand what HDD encryption is only protecting your data if the computer is powered off.
http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39812936
No finishing comment? What a pity. What will you deploy?
0
 

Author Comment

by:itechresults
ID: 39812945
I will replace Win 7 Pro PCs with Windows 8 Pro PCsand utilize BitLocker with TPM.

Thanks
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39812979
With win8, Bitlocker has become better, that's right. But new laptops just for this? :) Well, maybe you needed them anyway. Please be aware that TPM should not be seen as an easy solution compared to preboot authentication with passwords.
It's absolutely necessary to use the TPM together with a PIN. TPM alone is not safe.
0
 

Author Comment

by:itechresults
ID: 39813017
Well, I just got the OK to replace the hardware.   Currently running low end HP SFF desktop PCs.  Will be holding off encryption until new hardware is in place.

Thanks for the advice using TPM with PIN.  Yes, I was looking at Bitlocker w/ TPM as an easy solution.  Makes sense to use TPM with PIN.  It's just a big pain in the a@s having to unlock PC at every boot.  Makes maintenance difficult too.

Thanks
0
 
LVL 56

Expert Comment

by:McKnife
ID: 39813111
> Makes maintenance difficult too
Depends. You should have an administrative key on a USB token* if you walk to the machine, service it and restart it - no password entry neede, then. If you connect via remote desktop, for restarts, you have the ability to suspend Bitlocker (rightclick c: - manage Bitlocker - suspend protection)

*Yes, multiple keys are possible.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39813206
Security is always a compromise, be it ease of use, or cost. It costs more to be secure, and it's never easy, you are only as secure as the weakest link. Having an encrypted HDD is a good first step, using TPM, PIN or USB I consider that secondary, adds no REAL security. To bypass any method of HDD encryption with respect to TC/BL/PGP you need physical access, because the attack scenario (HDD Encryption)is one of physical access.
TPM ties the encryption to the hardware, that is the only real advantage, it can be a good advantage, If the HDD is removed, but if it's not, the attack surface is no different than a program not using TPM.
The weakest link is the running OS, when the OS is running, the data on the HDD is no more secure than before HDD encryption took place. Any reputable encryption of the HDD is better than none, TPM and other tertiary steps are overkill (depending on your data's sensitivity). Physical access brings evil maid, cold-boot and physical key logging to an equal playing field, each is as possible as other. The decryption key in memory while the OS is running is all one needs is to sit back and wait for the user to get the attacker to that point, nullifies Pin, Usb, Thumbprint, blood samples, voice recognition and dna scanning.
-rich
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In 2017, ransomware will become so virulent and widespread that if you aren’t a victim yourself, you will know someone who is.
Ransomware is a growing menace to anyone using a computer or mobile device. Here are answers to some common questions about this vicious new form of malware.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…
Suggested Courses

618 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question