
Is it possible to use imaging tools (e.g. Acronis Snap Deploy, or possibly SystemImager) to deploy workstation images to laptops that have PGP full disk encryption? How could I go about doing this? The specific FDE tool we use right now is Symantec's but I don't mind switching if I have to.

mortabis

2 Answers


I had previously wanted to do this when we were deploying new laptops, and the conclusion I came to was that it is not worth it, but it is possible. In Symantec (Ghost?), PXE boot the encrypted laptop and create a RAW image of the disk. Since everything on the drive is encrypted you have to copy the whole drive, which is why I didn't end up going this way. Even if you have crap laptops, copying an entire 80 GB HDD is going to take a while and put a lot of stress on your network.

Side thought - maybe you could create the image with as small a partition as you can possibly make work, then expand it after you deploy to another PC.

This is why we have unencrypted preconfigured images and use BitLocker.

Spencer5051
  • Another issue with RAW images is that every workstation will use the same encryption key. – Nitz Jul 16 '14 at 15:16
  • Yes, the issue with sending out the already-encrypted image is that each employee has his own PGP key. My plan is to keep only a small partition for the actual OS install, perhaps 30 GB, with the rest of the space mounted to C:\Users\. Then only the OS partition would be imaged and the home directories would be preserved. – mortabis Jul 16 '14 at 15:19

I have looked into this repeatedly. We eventually settled on using Bitlocker so that is where most of my experience lies but I checked out PGP's full disk encryption as well.

The big thing that caught my attention was not being able to use TPM hardware easily via a pre-encrypted image. My suggestion is to automate the last step of your image process to perform your encryption. PGP has a silent install option that would work well here.

Another added benefit of going this route is that if you need to apply updates before you distribute your systems, you have a window during which you can reboot freely without needing to enter the key.

Tim Brigham