I don’t think Cipher.exe works on unused space, only allocated files. This
means that if you have a file that was previously deleted or quick formatted,
you could get data leakage using BitLocker Pre-Provisioning. So no, I
would not recommend Cipher.exe for this scenario.

 

As for speed, this blog post on BitLocker
<http://blogs.technet.com/b/bitlocker/archive/2006/07/08/unallocated.aspx>
suggests that during a non-“used space only” encryption
pass, BitLocker won’t actually read unallocated sectors, only overwriting
these sectors. So it should be only slightly faster than Cipher.exe, which
will be slower because of the file seeks.

 

Additionally, I noticed the command: Manage-bde -WipeFreeSpace
<https://technet.microsoft.com/en-us/library/jj647761.aspx>
which suggests it can be used to clean these potential problem areas. Kick
off the command near the end of your deployment, and let it run in the
background :).

 

So rule of thumb:

* If you have sensitive data, use BitLocker to encrypt it.
Pre-Provisioning is fast and easy!

* If you haven’t been using BitLocker to protect sensitive data :(,
then run through a full *slow* BitLocker pass.
Or use the -WipeFreeSpace command. :)

 

-k
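
An added example (not part of the original message, and not Microsoft's code) of the check implied by the rule of thumb above: read `manage-bde -status` for a used-space-only volume and, if the disk previously held unencrypted data, start `manage-bde -WipeFreeSpace` in the background. It assumes English-language `manage-bde` output; the function names and the sample status text are constructed for illustration.

```powershell
# Added example; function names are hypothetical. Assumes English manage-bde output.
function Get-BdeConversionStatus {
    param([string[]]$StatusText)
    # manage-bde -status prints one "Conversion Status: <value>" line per volume
    foreach ($line in $StatusText) {
        if ($line -match '^\s*Conversion Status:\s*(.+?)\s*$') { return $Matches[1] }
    }
    return $null
}

function Test-FreeSpaceNeedsWipe {
    param([string]$ConversionStatus, [bool]$DiskHeldPlaintext)
    # Used-space-only encryption leaves unallocated sectors untouched, so a disk
    # that previously held unencrypted data still needs its free space wiped.
    return ($ConversionStatus -eq 'Used Space Only Encrypted') -and $DiskHeldPlaintext
}

function Invoke-FreeSpaceWipeIfNeeded {
    param([string]$Drive = 'C:', [bool]$DiskHeldPlaintext = $true)
    # Requires an elevated session on the deployed machine
    $status = Get-BdeConversionStatus -StatusText (& manage-bde.exe -status $Drive)
    if (Test-FreeSpaceNeedsWipe $status $DiskHeldPlaintext) {
        # Start-Process does not wait, so the task sequence can continue
        Start-Process manage-bde.exe -ArgumentList '-WipeFreeSpace', $Drive -WindowStyle Hidden
    }
    return $status
}

# Constructed sample of `manage-bde -status C:` output after pre-provisioning
$sample = @'
Volume C: [OSDisk]
[OS Volume]

    Size:                 465.00 GB
    BitLocker Version:    2.0
    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
'@ -split "`r?`n"

# Offline demonstration on the sample; call Invoke-FreeSpaceWipeIfNeeded on a real machine
$status = Get-BdeConversionStatus -StatusText $sample
"Conversion status : $status"
"Wipe free space?  : $(Test-FreeSpaceNeedsWipe $status $true)"
```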

 

From: [email protected] [mailto:[email protected]]
On Behalf Of Miller, Todd
Sent: Tuesday, May 26, 2015 1:01 PM
To: [email protected]
Subject: RE: [MDT-OSD] Bitlocker drive encryption process overly slow ?

 

Is it any faster to use cipher.exe to blank/randomize the unused space than
it is to just encrypt the whole drive?  I’m asking, not arguing.

 

Do you just run that as the last step in the OSD process?  My primary goal
is to not have to wait very long for encryption to finish before the
computer can be used, but make sure encryption finishes in the background in
a reasonable time and then reports up its fully encrypted status to
MBAM.  I don’t care too much if it is not fully encrypted when I give it to
the user, but I do want it to be fully encrypted within a day or so.

 

What would fit my needs best is if there were a way to do an “encrypt used
only” during OSD and then flip a switch so that bitlocker goes back and
encrypts the rest of the drive (whole drive) later in the background.
Finally when it is at 100% it can report to MBAM that it is encrypted.  

 

Is your goal to be 100% encrypted before you let a user onto the machine?

 

 

 

 

From: [email protected] <mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Daniel Ratliff
Sent: Tuesday, May 26, 2015 9:33 AM
To: [email protected] <mailto:[email protected]> 
Subject: RE: [MDT-OSD] Bitlocker drive encryption process overly slow ?

 

Our security team had similar concerns and accepted running the cipher
command before encrypting to wipe all the data.

 

Cipher.exe /w:c:\

 

Daniel Ratliff

 

From: [email protected] <mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Miller, Todd
Sent: Tuesday, May 26, 2015 10:24 AM
To: [email protected] <mailto:[email protected]> 
Subject: RE: [MDT-OSD] Bitlocker drive encryption process overly slow ?

 

When pre-provisioning and encrypting used space only, remember there may be
previously unencrypted data that is recoverable on the drive from a previous
unencrypted OS installation -- as Michael mentioned, “an empty drive” -- that
is an important point.

 

If you are concerned about data leaking out, you need to either start with a
securely cleaned disk (f-disk is not enough), a brand new disk, or a
previously wholly encrypted disk – otherwise you should encrypt the whole
disk.

 

I was thinking that the used space was going to be great, forgetting that
there would be a lot of chance for leakage if you are moving from an
unencrypted disk to an encrypted disk environment. All the unencrypted
stuff from the disk’s previous installation will be left unencrypted in a
used only scenario.

 

 

From: [email protected] <mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Michael Niehaus
Sent: Monday, May 25, 2015 7:10 PM
To: [email protected] <mailto:[email protected]> 
Subject: RE: [MDT-OSD] Bitlocker drive encryption process overly slow ?

 

Remember too that Windows 7 encrypts every sector – encryption of used space
only was introduced with Windows 8.  Encrypting 500GB will certainly take a
while on a spinning drive.

 

Leveraging BitLocker Pre-Provisioning also enables used space only
encryption – that makes it instantaneous to turn on for an empty drive.

 

Thanks,

-Michael

 

From: [email protected] <mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Keith Garner (hotmail)
Sent: Monday, May 25, 2015 4:52 PM
To: [email protected] <mailto:[email protected]> 
Subject: RE: [MDT-OSD] Bitlocker drive encryption process overly slow ?

 

12 hours seems a bit excessive, however all of my machines have migrated
over to SSD drives, so I may not be the best judge of spinning drives.

 

The other alternative is to enable BitLocker Pre-Provisioning from the
Windows 8.0/8.1 ADK. Basically, it will encrypt the drive but leave the
protectors “off”, if you have ever “suspended” BitLocker, it’s similar. The
BitLocker is just “ON” and there is no need to go through the lengthy
encryption phase.

 

I’ve seen it work for Windows 7 SP1, and if you are using a product like
MBAM, it should utilize the encrypted state of the drive and enable the
protectors.

 

From: [email protected] <mailto:[email protected]>
[mailto:[email protected]] On Behalf Of Bain.John
Sent: Monday, May 25, 2015 11:46 AM
To: [email protected] <mailto:[email protected]> 
Subject: [MDT-OSD] Bitlocker drive encryption process overly slow ?

 

Just curious to hear what others have seen in terms of whole drive
encryption.

 

Does 12 hours to encrypt 500 GB seem excessive ? 

 

This is to encrypt the drive post Windows 7 install.

 

John 

 

John Bain – CIC Engineering

Office: JETS C657 | Tel: 613-437-6829

365 Laurier Avenue West Ottawa ON K1A 1L1 | 365, avenue Laurier Ouest Ottawa
ON K1A 1L1

NHQ – Solutions and Information Management | AC - Direction générale des
solutions et de la gestion de l’information

Citizenship and Immigration Canada | Citoyenneté et Immigration Canada 

Government of Canada | Gouvernement du Canada

 

 

  _____  

Notice: This UI Health Care e-mail (including attachments) is covered by the
Electronic Communications Privacy Act, 18 U.S.C. 2510-2521, is confidential
and may be legally privileged.  If you are not the intended recipient, you
are hereby notified that any retention, dissemination, distribution, or
copying of this communication is strictly prohibited.  Please reply to the
sender that you have received the message in error, then delete it.  Thank
you. 

  _____  


The information transmitted is intended only for the person or entity to
which it is addressed
and may contain CONFIDENTIAL material. If you receive this
material/information in error,
please contact the sender and delete or destroy the material/information.

 
