Laptop encryption and Multiple users

ChedWick

I'm curious how others in the IT field handle multi-user encryption access for things like laptops and how remote management is handled.

What we (my company and I) would like is the ability to have full disk encryption on our portable systems while also allowing multiple users to be able to log in AND, if possible, have some means of remote management.

Basically we do a lot of work with the healthcare field and they seem to be moving toward laptops. In order to stay in compliance, laptop encryption is necessary, but some of these people who are getting computers are pretty damn computer illiterate. If you add an extra day to their weekend, they forget everything which makes remote management for encrypted computers a headache.

In the past we've used TrueCrypt, but with the need for multiple users to log in it probably won't suffice unless we give out a single password to everyone to unlock the encryption, but if one person quits or gets fired you essentially have to change every machine's encryption header. More recently we've used HP ProtectTools, which allows you to enroll a domain user into the encryption software, but you need to have your hands physically on the machine to un-enroll them.

So what might be the standard operating procedure for things like this?
 
We previously used GuardianEdge, which was an FDE. Although the pre-boot authentication made it difficult, the performance hit was pretty hard, and the numerous compatibility issues with newer laptop models made it difficult to manage.

We then migrated over to Credant, which is an agent-based file encryption. It's been working great.

We have numerous multi-user workstations at various sites, and we have zero issues.
Part of that, though, could be that we are using a single encryption key per machine. We only use the System Data Encryption key; whereas the agent also offers User Data keys and Application Data keys to add the complexity that we didn't need.

I'm not sure if that will help, though I do not know how any of this compares to TrueCrypt. I've never used it, myself.

In our case, the encryption part of the device is centrally-managed. User accounts and access are solely based on AD; there's no additional steps we have to take on the machines themselves.
 
Why not use Bitlocker with AD Integration? If the computers have a TPM on them this is remarkably easy to setup with GPOs.
 
I deployed Credant a few years ago on 800 laptops. It was pretty painless and worked well.
 
Good to know, I was just told I have to support 2 laptops for events and of course the people want ALL their desktop data on it as well, with no concept of what happens if it:

1. gets stolen
2. gets lost
3. gets damaged and the drive dies...

And one person has already had 1 laptop stolen.


Why not use Bitlocker with AD Integration? If the computers have a TPM on them this is remarkably easy to setup with GPOs.

Can you configure how long credentials stay cached, though?

If they are out of the office for 1-2 weeks the saved AD login info could expire and then they can't log in...
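An added example (not code from any poster in this thread) of the BitLocker-with-TPM approach suggested above, plus a check for the cached-logon question just asked: Windows caches domain logons by a count of distinct users (the "Number of previous logons to cache" policy), not by a time limit. It assumes a domain-joined machine running Windows 8 or later with the BitLocker PowerShell module, the GPO that stores recovery information in AD DS already applied, and an OS volume of C:.

```powershell
# Added example: enable BitLocker on the OS volume with a TPM protector, add a
# recovery password, and escrow it to Active Directory so nobody needs hands on
# the machine to recover it. Run elevated. $OsDrive is an assumption.

$OsDrive = "C:"

function Enable-ManagedBitLocker {
    param([string]$MountPoint = $OsDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne "On") {
        # TPM protector: the disk unlocks transparently at boot, so every
        # domain account can log in without sharing a disk passphrase.
        Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod Aes256 `
            -TpmProtector -SkipHardwareTest
    }

    # The recovery password is what the helpdesk reads out when TPM
    # validation fails (firmware update, board swap) and the user is remote.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
    if (-not $rp) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq "RecoveryPassword"
    }

    # Escrow each recovery password to the computer object in AD DS.
    foreach ($p in $rp) {
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
    return (Get-BitLockerVolume -MountPoint $MountPoint)
}

function Get-CachedLogonPolicy {
    # Cached domain credentials are kept per distinct user up to this count;
    # they are overwritten by newer logons, not expired after N days.
    $key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    $v = (Get-ItemProperty -Path $key -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $v) { return 10 }   # Windows default when the value is absent
    return [int]$v
}

Enable-ManagedBitLocker | Format-List MountPoint, VolumeStatus, ProtectionStatus, KeyProtector
"CachedLogonsCount = $(Get-CachedLogonPolicy) (0 disables cached domain logons)"
```

A laptop that is away for two weeks keeps its cached domain logon as long as fewer than CachedLogonsCount other users have logged on to it since; a changed or expired AD password is what actually locks the remote user out.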
 