
Encryption for Windows 10 Clients

Hi all,

 

We are searching for an encryption solution for our company notebook clients. What we want is for all clients to have their local drives completely encrypted (normally just C: and D:), so that the data is protected when a notebook gets stolen, etc. I don't have any deep knowledge about encryption, but what we are planning on using is VeraCrypt or BitLocker. We are also using Bitdefender GravityZone, so if anyone has experience with the Bitdefender BitLocker encryption module, I would be happy to hear about it.

So back to my question: can someone point out the major pros and cons of VeraCrypt and BitLocker encryption in a company environment? The only thing that I have read about is the hash recovery of the encryption password. If the user forgets the password, the files are gone! With BitLocker, recovery seems to be possible in a domain environment; with VeraCrypt I don't know...

 

A short overview to our Network environment:

Clients: Windows 10 Pro (at least 1703 build)

Domain: Windows 2012 level

AV: Bitdefender GravityZone with BEST Clients

 

Many thanks in advance.

 

 

Regards

Mike

My Setup: 
CPU: i7 4790 @3800 MHz, MB: MSI H87-G41, Grafik: Gigabyte GTX 1080TI, RAM: 2x 8GB DDR3 (1600), Storage: Samsung SSD 850 Evo


Hi Mike. We've just deployed a few Sophos products, one of which is encryption by way of Sophos SafeGuard. Take a look at it, it's a nice piece of kit.

Probably gaming or helping technophobes with tech...


3 minutes ago, userzero said:

Hi Mike. We've just deployed a few Sophos products, one of which is encryption by way of Sophos SafeGuard. Take a look at it, it's a nice piece of kit.

Hi and thank you for the reply. I am sure that other AV vendors provide encryption solutions, but I would like to stick with either our Bitdefender solution with BitLocker, or VeraCrypt since it is freeware :)


Just now, Mike87 said:

Hi and thank you for the reply. I am sure that other AV vendors provide encryption solutions, but I would like to stick with either our Bitdefender solution with BitLocker, or VeraCrypt since it is freeware :)

 

 

We just happened to get it at the same time. All products are standalone so it makes no difference.

 


15 minutes ago, Mike87 said:

Hi and thank you for the reply. I am sure that other AV vendors provide encryption solutions, but I would like to stick with either our Bitdefender solution with BitLocker, or VeraCrypt since it is freeware :)

 

 

I use BitLocker for my laptops at home, and I also worked with it while I was doing contracting work. BitLocker is fairly easy to use.

CPU: AMD Ryzen 5 5600X | CPU Cooler: Stock AMD Cooler | Motherboard: Asus ROG STRIX B550-F GAMING (WI-FI) | RAM: Corsair Vengeance LPX 16 GB (2 x 8 GB) DDR4-3000 CL16 | GPU: Nvidia GTX 1060 6GB Zotac Mini | Case: K280 Case | PSU: Cooler Master B600 Power supply | SSD: 1TB  | HDDs: 1x 250GB & 1x 1TB WD Blue | Monitors: 24" Acer S240HLBID + 24" Samsung  | OS: Win 10 Pro

 

Audio: Behringer Q802USB Xenyx 8 Input Mixer |  U-PHORIA UMC204HD | Behringer XM8500 Dynamic Cardioid Vocal Microphone | Sound Blaster Audigy Fx PCI-E card.

 

Home Lab:  Lenovo ThinkCenter M82 ESXi 6.7 | Lenovo M93 Tiny Exchange 2019 | TP-LINK TL-SG1024D 24-Port Gigabit | Cisco ASA 5506 firewall  | Cisco Catalyst 3750 Gigabit Switch | Cisco 2960C-LL | HP MicroServer G8 NAS | Custom built SCCM Server.

19 minutes ago, Mike87 said:

Hi and thank you for the reply. I am sure that other AV vendors provide encryption solutions, but I would like to stick with either our Bitdefender solution with BitLocker, or VeraCrypt since it is freeware :)

 

 

BitLocker should work so long as you don't mess around with using more than one OS on a drive.

Basically, unless you're dual booting Windows and Linux, BitLocker will work fine.

Judge a product on its own merits AND the company that made it.

How to setup MSI Afterburner OSD | How to make your AMD Radeon GPU more efficient with Radeon Chill | (Probably) Why LMG Merch shipping to the EU is expensive

Oneplus 6 (Early 2023 to present) | HP Envy 15" x360 R7 5700U (Mid 2021 to present) | Steam Deck (Late 2022 to present)

 

Mid 2023 AlTech Desktop Refresh - AMD R7 5800X (Mid 2023), XFX Radeon RX 6700XT MBA (Mid 2021), MSI X370 Gaming Pro Carbon (Early 2018), 32GB DDR4-3200 (16GB x2) (Mid 2022

Noctua NH-D15 (Early 2021), Corsair MP510 1.92TB NVMe SSD (Mid 2020), beQuiet Pure Wings 2 140mm x2 & 120mm x1 (Mid 2023),


7 minutes ago, AluminiumTech said:

BitLocker should work so long as you don't mess around with using more than one OS on a drive.

Basically, unless you're dual booting Windows and Linux, BitLocker will work fine.

No, we are only working with Win10 and one OS. How about recovery? How will this work?


4 hours ago, Mike87 said:

No, we are only working with Win10 and one OS. How about recovery? How will this work?

Assuming a Microsoft account is used for the main system account, the recovery key will be stored there.

It can be manually backed up as well.

When you try to do a system recovery or a reinstall of the system, the setup process will prompt you for the recovery key.

You'll have this screen:

[Screenshot: the BitLocker recovery key prompt shown at boot]

The drive will then be unlocked, and the process can resume.

If you have a laptop or desktop with a TPM chip, you can give it a try, and experiment and see how it works.

If not, then you have TrueCrypt (free and open source), which the NSA apparently failed to crack, that you can look into.

 


8 minutes ago, GoodBytes said:

Assuming a Microsoft account is used for the main system account, the recovery key will be stored there.

It can be manually backed up as well.

When you try to do a system recovery or a reinstall of the system, the setup process will prompt you for the recovery key.

You'll have this screen:

[Screenshot: the BitLocker recovery key prompt shown at boot]

The drive will then be unlocked, and the process can resume.

If you have a laptop or desktop with a TPM chip, you can give it a try, and experiment and see how it works.

If not, then you have TrueCrypt (free and open source), which the NSA apparently failed to crack, that you can look into.

 

Thanks for clearing that up :)

Maybe a stupid question, but if the user forgets his password and the recovery key is on the encrypted disk... the data is gone, no going back? But can I still format the disk and reuse it, or is the disk not usable anymore?

 


8 minutes ago, Mike87 said:

Thanks for clearing that up :)

Maybe a stupid question, but if the user forgets his password and the recovery key is on the encrypted disk... the data is gone, no going back? But can I still format the disk and reuse it, or is the disk not usable anymore?

 

If you don't have the recovery key, and the user forgets their password, and can't do "forgot password" because they forgot the info there as well, then yes, the data is gone.

For a drive format... I have never done it.

But I believe it depends. If it is a Surface product, the device is gone. You probably need to ship it to MS for servicing, and the data will be gone (you probably get a properly refurbished unit); this is mostly because you can't pull the drive out of the system to plug it into another system to be restored to a zero state. Trying to recover my Surface Pro 3 from a bad Windows install that crapped everything (Insider build; MS fixed it later, of course... the risk of being an Insider), I could not even boot and reinstall Windows, or use the system recovery image on the MS website. I needed to unlock my drive. So I needed that recovery key.

That's the thing: if you want security, there is no backdoor. If there is one, then there is no point.

 


12 minutes ago, GoodBytes said:

If you don't have the recovery key, and the user forgets their password, and can't do "forgot password" because they forgot the info there as well, then yes, the data is gone.

For a drive format... I have never done it.

But I believe it depends. If it is a Surface product, the device is gone. You probably need to ship it to MS for servicing, and the data will be gone (you probably get a properly refurbished unit); this is mostly because you can't pull the drive out of the system to plug it into another system to be restored to a zero state. Trying to recover my Surface Pro 3 from a bad Windows install that crapped everything (Insider build; MS fixed it later, of course... the risk of being an Insider), I could not even boot and reinstall Windows, or use the system recovery image on the MS website. I needed to unlock my drive. So I needed that recovery key.

That's the thing: if you want security, there is no backdoor. If there is one, then there is no point.

 

Oh boy, good to know about the Surface... We use Dell, but we also have tablets from Dell. It would be a big issue if we had to swap devices every time a user forgets their password...

How about reliability? For example, if we have a system crash or bad sectors on the disk, will it make the whole encryption faulty?


14 minutes ago, Mike87 said:

Oh boy, good to know about the Surface... We use Dell, but we also have tablets from Dell. It would be a big issue if we had to swap devices every time a user forgets their password...

 

Well, in your case the device is on a domain... in which case you need to see how BitLocker encryption works there. It might be synced via the Active Directory account instead, and you can just reset the user account's password. You have to look into that. I thought it was for a personal system, not a company network environment.

 

14 minutes ago, Mike87 said:

How about reliability? For example, if we have a system crash or bad sectors on the disk, will it make the whole encryption faulty?

I don't know, but I don't think so.

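Editor's note on the domain recovery question raised in the opening post and again in the reply above: on a domain-joined client the thing that gets "recovered" is not the user's Windows password. With a TPM-only protector there is no BitLocker password for the user to forget at all; the Windows logon password is reset in Active Directory as usual. What has to be escrowed is the 48-digit BitLocker recovery password, which the boot screen asks for when the TPM measurements change (firmware update, board swap, drive moved to another machine). The following PowerShell is an added example, not code from the thread, from Microsoft or from Bitdefender. It assumes an elevated session on the domain-joined Windows 10 Pro client, that the Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives) is enabled with "Save BitLocker recovery information to AD DS", and, for the final verification step, an account that can read recovery information plus the RSAT ActiveDirectory module. The drive letter `C:` is the OP's own; everything else is a documented BitLocker or AD cmdlet.

```powershell
# Added example (not from the thread). Run elevated on the domain-joined client.
# Assumes the GPO "Choose how BitLocker-protected operating system drives can be
# recovered" is enabled with "Save BitLocker recovery information to AD DS";
# without it, Backup-BitLockerKeyProtector refuses to escrow.

$OsDrive = "C:"   # OP's OS volume; repeat for D: if it is a separate data volume

# 1. The TPM has to be present and ready before a TPM protector can be used.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; fix firmware settings before encrypting."
}

# 2. Encrypt the OS drive with a TPM protector (user sees no extra prompt at boot).
#    XtsAes256 is the strongest mode Windows 10 offers; -UsedSpaceOnly is fine on
#    freshly imaged machines, use full encryption on drives that already held data.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
}

# 3. Add a 48-digit recovery password. This is what the helpdesk reads out when
#    the recovery screen appears; it is unrelated to the user's Windows password.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
}

# 4. Escrow every recovery password to the computer object in AD. A laptop that
#    is encrypted but never escrowed is exactly the "data is gone" case, so treat
#    a failure here as a deployment failure, not a warning.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $kp.KeyProtectorId | Out-Null
}

# 5. Verify from an admin workstation with RSAT. BitLocker stores one
#    msFVE-RecoveryInformation child object per recovery password under the
#    computer object; the GUID in its name is the one shown on the recovery screen.
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter 'objectClass -eq "msFVE-RecoveryInformation"' `
    -Properties 'msFVE-RecoveryGuid', 'msFVE-RecoveryPassword', 'whenCreated' |
    Select-Object 'whenCreated', 'Name', 'msFVE-RecoveryPassword'
```

Two practical caveats. First, the same GPO has a checkbox "Do not enable BitLocker until recovery information is stored to AD DS for operating system drives"; with it set, step 2 fails on a client that cannot reach a domain controller, which is the safer default for a fleet. Second, this is the escrow that the Bitdefender GravityZone Full Disk Encryption module automates for you: on Windows it drives BitLocker and keeps the recovery keys in the GravityZone console instead of (or in addition to) AD. VeraCrypt has no equivalent central escrow for system encryption; its Rescue Disk and volume header backup still need the user's password, so a forgotten VeraCrypt password does mean the data is gone unless IT keeps a copy of that password.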

19 minutes ago, GoodBytes said:

 

Well, in your case the device is on a domain... in which case you need to see how BitLocker encryption works there. It might be synced via the Active Directory account instead, and you can just reset the user account's password. You have to look into that. I thought it was for a personal system, not a company network environment.

 

I don't know, but I don't think so.

Ok. Thanks for the help so far :)

 

