Our security team had similar concerns and accepted running the cipher command before encrypting to wipe the all data.
Cipher.exe /w:c:\ Daniel Ratliff From: [email protected] [mailto:[email protected]] On Behalf Of Miller, Todd Sent: Tuesday, May 26, 2015 10:24 AM To: [email protected] Subject: RE: [MDT-OSD] Bitlocker drive encryption process overly slow ? When pre-provisioning and encrypting used space only, remember there may be previously unencrypted data that is recoverable on the drive from a previous unencrypted OS installation - - as Michael mentioned "an empty drive" - that is an important point. If you are concerned about data leaking out, you need to either start with a securely cleaned disk (f-disk is not enough), a brand new disk, or a previously wholly encrypted disk - otherwise you should encrypt the whole disk. I was thinking that the used space was going to be great, forgetting that there would be a lot of chance for leakage if you are moving from an unencrypted disk to an encrypted disk environment. All the unencrypted stuff from the disk's previous installation will be left unencrypted in a used only scenario. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Michael Niehaus Sent: Monday, May 25, 2015 7:10 PM To: [email protected]<mailto:[email protected]> Subject: RE: [MDT-OSD] Bitlocker drive encryption process overly slow ? Remember too that Windows 7 encrypts every sector - encryption of used space only was introduced with Windows 8. Encrypting 500GB will certainly take a while on a spinning drive. Leveraging BitLocker Pre-Provisioning also enables used space only encryption - that makes it instantaneous to turn on for an empty drive. Thanks, -Michael From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Keith Garner (hotmail) Sent: Monday, May 25, 2015 4:52 PM To: [email protected]<mailto:[email protected]> Subject: RE: [MDT-OSD] Bitlocker drive encryption process overly slow ? 12 hours seems a bit excessive, however all of my machines have migrated over to SSD drives, so I may not be the best judge of spinning drives. The other alternative is to enable Bitlocker Pre-Provisioning from the Windows 8.0/8.1 ADK. Basically, it will encrypt the drive but leave the protectors "off", if you have ever "suspended" Bitlocker, it's similar. The Bitlocker is just "ON" and there is no need to go through the lengthy encryption phase. I've seen it work for Windows 7 SP1, and If you are using a product like MBAM, it should utilize the encrypted state of the drive and enable the protectors. From: [email protected]<mailto:[email protected]> [mailto:[email protected]] On Behalf Of Bain.John Sent: Monday, May 25, 2015 11:46 AM To: [email protected]<mailto:[email protected]> Subject: [MDT-OSD] Bitlocker drive encryption process overly slow ? Just curious to hear what others have seen in terms of whole drive encryption. Does 12 hours to encrypt 500 GB seem excessive ? This is to encrypt the drive post Windows 7 install. John John Bain - CIC Engineering Office: JETS C657 | Tel: 613-437-6829 365 Laurier Avenue West Ottawa ON K1A 1L1 | 365, avenue Laurier Ouest Ottawa ON K1A 1L1 NHQ - Solutions and Information Management | AC - Direction générale des solutions et de la gestion de l'information Citizenship and Immigration Canada | Citoyenneté et Immigration Canada Government of Canada | Gouvernement du Canada ________________________________ Notice: This UI Health Care e-mail (including attachments) is covered by the Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is confidential and may be legally privileged. If you are not the intended recipient, you are hereby notified that any retention, dissemination, distribution, or copying of this communication is strictly prohibited. Please reply to the sender that you have received the message in error, then delete it. Thank you. ________________________________ The information transmitted is intended only for the person or entity to which it is addressed and may contain CONFIDENTIAL material. If you receive this material/information in error, please contact the sender and delete or destroy the material/information.
