Re: Bitlocker and Linux

[Michael Butash]

I've been running disk encryption with luks on my own laptops since I stopped using windoze years ago, and it can have multiple unlock key slots, both for yourself, and corporate IT.  The only real deficiency is there isn't any centralized management for it natively, unless you're doing automation atop it with puppet, anisble, etc to rotate it with a script. From there, I just run a non-trusted windoze vm if I just need it as a visio hypervisor as usual, or I've found decent IT shops usually offer some sort of corporate install options for vm.  If no other reason to have one, the mac users still always just have to run fusion+windoze anyways for an office suite that doesn't suck and other win-only enterprise garbage.  I did this last year working for a large network vendor on contract, as they required windoze, win-only vpn, certs, posture analysis, and a ton of other windoze-only software suites, but they provided a winpe build disk that ran inside vm, and poof, out came a corporate blessed image to run on about anything.  Sadly It used so much ram by default, it actually ran better on my laptop or desktop where I could give it 12gb of my ram vs the crappy gimme laptop they handed me with 8gb.  I had to build it in vmware as their iso checked, but then just converted it to virtualbox and ran it there. Every time I would have to boot windoze for something, I'd just figure out/plan/plot how to replace it eventually.  Win admins usually hate to see me coming their way, but I can always meet their requirements to stay using linux.  I'm still down to only visio I simply haven't found a suitable replacement for yet. -mb On 10/17/2016 08:23 PM, Brien Dieterle wrote: I don't see anything there about centrally managed full disk encryption for Linux with bitlocker.  There are products out there but no way a shop is going to invest in multiplatform solution just for one person.  I would look at doing native Linux encryption (whatever the distro offers during installation) and turn the key over to IT.  That might satisfy the insurance requirement without having a managed solution for Linux. On Oct 17, 2016 7:50 PM, "Stephen Partington" <cryptwo...@gmail.com> wrote: Incorrect, I have done this with Ubuntu. It requires you to turn over the initial boot records to windows and use an application like EasyBCD to manage them. but it provides full bitlocker compatibility with Linux. See method 3 from this post for a baseline. http://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx I have done this with windows 7, Have not tried it with windows 10. On Mon, Oct 17, 2016 at 4:41 PM, Nathan England <nat...@nmecs.com> wrote: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I asked my IT department a question today and may have opened pandora's box. I've been allowed to run Fedora on my company laptop for a couple of years now. I am using a personal hard drive for Fedora that way if I needed to I could put the original Windows drive back in and access what ever I needed. I haven't used my Windows drive in over a year now and it's causing some issues with corporate AD and the anti-virus. So I requested installing windows in a VirtualBox and having corporate IT join it to the domain, install av, office suite, and the other stuff I may need but likely never will use, and then I can easily boot it once a week to keep my av up to date. The response was that our insurance requires the use of Bitlocker. Full stop... Their potential solution is to partition the drive to have Windows and Linux but both be encrypted with Bitlocker so they could access the drive contents should I ever leave or die or what ever... I realize encrypting the linux partition with bitlocker is not likely ever going to happen (right?) but are there corporate linux systems that allow IT access to encrypted volumes like Bitlocker and AD? I feel dirty even asking this. Doesn't this defeat the entire purpose of encryption to begin with? ugh... I guess it makes sense, but it sounds like inferior by design. - -- ~~~~~~~~~~~~~~~~~~~~~~~~ Nathan England -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBAgAGBQJYBWGMAAoJEOuk7+DwYjzgSIYH/3EtMISD68n5d88CX6XDctYT TcJLb00AVw5TvlK/+aLaMCu6EmkaZlDW+1KMk5pYvxV7MMhdPxKq1+tYbFh17JFG G7DWeXUvEC+tGUmy2fvhBGAyaBC5XWNiXkbmWq+g8D6yKzG90P9rjVn3bL7Yw8P3 8c/CyrncOF50yZieSedDgNPtfb2QWnPmaE0O43CcqTFihAN+5JSViV40YacCMTgS 0raKYspau6hbB9lnWg2ScQx0zIvFJvpIE0xwIYPkBDYGtitHm3YoTaFmv3KFsrV6 OV/X/EOdurtWdsTwxjM2b6qI7ng0P4/xuSdedoK4jH86AnaKZGTy4Ox4OOidCvU= =HOWo -----END PGP SIGNATURE----- --------------------------------------------------- PLUG-discuss mailing list - plug-disc...@lists.phxlinux.org To subscribe, unsubscribe, or to change your mail settings: http://lists.phxlinux.org/mailman/listinfo/plug-discuss -- A mouse trap, placed on top of your alarm clock, will prevent you from rolling over and going back to sleep after you hit the snooze button. Stephen --------------------------------------------------- PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org To subscribe, unsubscribe, or to change your mail settings: http://lists.phxlinux.org/mailman/listinfo/plug-discuss --------------------------------------------------- PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org To subscribe, unsubscribe, or to change your mail settings: http://lists.phxlinux.org/mailman/listinfo/plug-discuss

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss