mrnine exx
Enterprise-level password-free encryption solution
Hi
I need an encryption solution for my company, and we need some password-free encryption for our users. I found a great article about the perfect solution for our problem: https://www.experts-exchange.com/articles/25879/A-new-aspect-to-securing-USB-data-SID-protectors.html. I was wondering: do we need the MBAM tool to manage the encryption process if we follow the process described in the article, or do we need third-party software for that? Can we restrict users from getting access to the public key as well? Thanks in advance for your help.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
ASKER
How do we restrict them from accessing the public key when they are accessing the device on domain computers? I noticed that when the device is unlocked on domain computers, users can simply right-click on the device and print or copy the public key from there. Also, do we need MBAM to implement it at enterprise level smoothly, or how else could we manage everything centrally? And is there any way to assign a SID protector for some device which is not part of the domain for some reason, and give those devices access to the encrypted drive? Thanks a lot for your help.
SOLUTION
ASKER
Can you please point me to how I can use external key files instead of recovery keys? I followed all the steps from your article; in which step should I make the change to add external key files? Thanks
ASKER
Also, I would be grateful if you could point me to any documentation on SID protectors for BitLocker, as I couldn't find anything useful in my search. Thanks a lot for your help.
SOLUTION
ASKER
I get this:
Volume F: [WOW]
[Data Volume]
Key Protectors Added:
ERROR: There was an error while trying to save the key to disk.
when I run 'manage-bde -on f: -used -sk \\server\SecuredShare\ -sid "DOMAIN\domain users" '
What should I say... make sure you know what you are writing to.
->Did you create a share?
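A pre-flight check for the error discussed above, as an added example that is not part of the original thread: it verifies that the `-sk` target share exists and is writable before running the same `manage-bde` command. The volume letter, share path and group are the values quoted in the thread; the probe-file name is made up for this example.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt.
# Values copied from the command quoted in the thread; adjust for your environment.
$Volume   = 'F:'
$KeyShare = '\\server\SecuredShare\'
$SidGroup = 'DOMAIN\domain users'

# 1. The share must exist and be reachable from this machine.
if (-not (Test-Path -LiteralPath $KeyShare -PathType Container)) {
    throw "Key share '$KeyShare' is not reachable. Create the share and check the path first."
}

# 2. The account running manage-bde must be able to create files there,
#    because -sk writes the external key (.BEK) file into that directory.
#    The probe file name is hypothetical and only used for this test.
$probe = Join-Path $KeyShare ("bde-write-test-{0}.tmp" -f [guid]::NewGuid())
try {
    New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
    Remove-Item -LiteralPath $probe -ErrorAction Stop
}
catch {
    throw "Cannot write to '$KeyShare' as $($env:USERNAME): $($_.Exception.Message)"
}

# 3. Same command as in the thread: external key saved to the share,
#    plus a SID protector for the domain group.
& manage-bde.exe -on $Volume -used -sk $KeyShare -sid $SidGroup
if ($LASTEXITCODE -ne 0) {
    throw "manage-bde -on failed with exit code $LASTEXITCODE"
}

# 4. List the protectors that were actually written to the volume.
& manage-bde.exe -protectors -get $Volume
```

Anyone who can read the key files on that share can unlock the drives they belong to, so limit read access on the share to the administrators who perform recovery.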
ASKER
Sorry for asking the dumb question. It worked. I was wondering, since there is no public key being used, how exactly can the admin recover the drives?
ASKER CERTIFIED SOLUTION
SOLUTION
ASKER
Thanks a lot. That's very helpful.
Fine.
So is this answered, then?
ASKER
Yes. One last question: is it possible to add multiple domains while encrypting a drive?
You mean, add SID-protectors for users of multiple domains? That should be possible, but I haven't tried yet.
However, the SID-protector will need to be written to the device while connected to the respective domain, so you would connect the stick to a member PC of domain-A to write a SID-protector domain-A\someuser and connect it to another PC that is a member of domain-B to write the SID-protector domain-B\someotheruser.
ASKER
Yes, that's what I want. So I have to write the SID on both the A and B domains? Is there any way to replicate the SID of domain A to B so I don't have to plug the device into a PC in both domains to add the SID?
SOLUTION
ASKER
Thanks a lot for your help...