Simplest Encryption Software for small office

lan101

I really haven't set up encryption too much in the past. I have a small office that needs to, as they say, "get compliant". I really don't know what that means yet. They are supposed to send me a spec sheet on it, but he mentioned encrypted drives were one of the requirements they wanted.

This is just a small financial office, so the simpler it can be the better. I was thinking just BitLocker, but I'm not sure if all their PCs are Win10 Pro. I know for sure 2 of them are, and they've got 5 computers total. If they don't want to upgrade those to Pro, I was thinking something like AxCrypt would work well. It seems simple enough.

Just wondered about any thoughts on this from anyone who sets this up a lot with businesses. I don't have to deal with HIPAA and all that, so it's kinda unfamiliar territory for me.

Thank you.
 
With encryption, just make sure you have a way to recover. Nothing worse than a half-assed encryption installation that fails and no one has any way to recover.

Are they looking for simple or cheap?

Have used McAfee Endpoint Encryption before. It's stupid simple for end users, but not cheap.

 
I think they are fine with spending some money for it...so I'd say simplicity would be certainly more important. I saw some reviews on some of the free stuff out there and many were saying they lost everything, no recovery etc...lol...yeah, certainly don't want that. I will look up McAfee Endpoint Encryption. What was the cost per machine, if you remember? Thank you.
 
Pre Windows 10 / Bitlocker we always used Symantec Endpoint Encryption. Good product and never caused us any issues. Also didn't seem to have any performance hit whereas some free options like TrueCrypt you could really feel the difference.

Unfortunately they have practically priced themselves out of the market for me. It comes in around £130-140 per licence with 1 year of upgrades/support. I can get an OEM Windows 10 Pro licence for less and upgrade to enable BitLocker.
 
I would not recommend any free programs, especially for sensitive data. As far as the "paid" software, with the better ones out there, they tend to be more expensive than to just go through with Windows 10 Pro and Bitlocker. If you have clients on non pro systems, would it be worth to pay the $99 and just upgrade them to Pro? Seems that would be the better deal in terms of cost. Plus, with Bitlocker, you can secure the key multiple ways but I lean towards linking it to a Microsoft account.
 
I don't have any idea of the cost. This was for a huge multi national PC well over 20 000 endpoints, so I'm assuming they were getting a good deal.

 
As a quick note, my experience with Bitlocker is that (as with so much else) it's much more noticeable on non-SSD drives. If encrypting drives, consider also replacing with SSD at the same time.
 
Just some tips to help with "compliance".
* It's better to have an encryption system that is managed/monitored, in other words..."checks in" frequently to the management dashboard. Reason being, you have PROOF that the laptop was in a healthy state of encryption at the time it got lost/stolen. You can't PROVE IT if you use stand alone encryption. Say you encrypted it today..and then 9 months from now the laptop was stolen. You have no proof....the state attorney's office could say the laptop might have been formatted/rebuilt somewhere between there.
* It's better to have full disk encryption. This way there is no question about sensitive documents maybe being kept outside of designed encrypted folders if you only encrypt certain folders.
* Like Fence mentioned above...best to use solid state drives. I have found BitLocker to be "very light" on performance impact. However...software disk encryption puts a heavy load on drives. You feel it more on rotating spindle drives. And it will create a very high rate of failure on spindle drives.
 
It's better to have an encryption system that is managed/monitored, in other words..."checks in" frequently to the management dashboard. Reason being, you have PROOF that the laptop was in a healthy state of encryption at the time it got lost/stolen. You can't PROVE IT if you use stand alone encryption.

Have you come up with any good ways to monitor that via N-Central? I haven't looked hard, but I don't remember seeing anything like that.
 
So if you use Bitlocker and you are on a domain does that not get monitored by the DC? Is there a check you can do on a PC to confirm BL status?
 
I haven't looked in N-Central...I do recall someone's post in one of the IT FB groups...they did create some script that tickled something in N-Central. Haven't looked in their forums either. You can have a GPO that manages that.
 
I haven't tried forcing Bitlocker via GPO, just had it log the key and such into AD for the computer. The problem with that is that it saves the key when Bitlocker is turned on, but I'm not so sure that gets cleared if Bitlocker is turned back off or never finishes encrypting. Not sure how I feel about encrypting-via-policy.

There's at least one person who put together a Powershell script to check the status and email if it's off, so that could likely be a starting point for something different - reporting as a custom value into an RMM, heck even just submitting a bit of information to a form submission URL daily (MAC, name, internal IP, domain, logged in user?, drive letter, encryption status).

Edit: Forgot to include links, https://blogs.technet.microsoft.com/heyscriptingguy/2015/05/25/powershell-and-bitlocker-part-1/ and https://stackoverflow.com/questions...pt-to-check-bitlocker-status-and-email-if-off

If you need to upgrade the installed version of Powershell, see https://docs.microsoft.com/en-us/po...stalling-windows-powershell?view=powershell-6 for a table with links to the installers for everything from version 3 to 5.1 and links elsewhere for 6
 
Without being on a domain with a DC thus GPOs...I don't know of a way, I'd probably look for some managed 3rd party service. Eset has one, or I used to use AlertSec.
Sorry, I was unclear. You implied that even on a DC there was no way to monitor. If the DC can monitor it, then I can write a script call for Solarwinds RMM.
 
Good find. That is something that can be modded to work with an RMM.
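
The per-PC check the thread asks about, as an added example (not from the thread or from the linked scripts): it reads the real `Get-BitLockerVolume` cmdlet and emits one timestamped record per volume that an RMM custom check can store as evidence. The function name `Test-VolumeCompliance`, the record fields and the exit codes are assumptions made for illustration.

```powershell
# Added example. Run elevated; Get-BitLockerVolume ships with the BitLocker module.
function Test-VolumeCompliance {
    param([Parameter(Mandatory)] $Volume)
    # foreach over $null yields nothing, so a volume without protectors gives an empty list
    $protectors = @(foreach ($kp in $Volume.KeyProtector) { "$($kp.KeyProtectorType)" })
    $reasons = @()
    if ("$($Volume.ProtectionStatus)" -ne 'On') { $reasons += 'protection off or suspended' }
    if ("$($Volume.VolumeStatus)" -ne 'FullyEncrypted') {
        # Catches "turned on but never finished encrypting" and "turned back off"
        $reasons += "status $($Volume.VolumeStatus) at $($Volume.EncryptionPercentage)%"
    }
    # A recovery password protector is what gets backed up to AD or a Microsoft account
    if ($protectors -notcontains 'RecoveryPassword') { $reasons += 'no recovery password protector' }
    [pscustomobject]@{
        CheckedUtc = (Get-Date).ToUniversalTime().ToString('o')
        Computer   = $env:COMPUTERNAME
        MountPoint = "$($Volume.MountPoint)"
        Protection = "$($Volume.ProtectionStatus)"
        Status     = "$($Volume.VolumeStatus)"
        Percent    = $Volume.EncryptionPercentage
        Protectors = $protectors -join ','
        Compliant  = ($reasons.Count -eq 0)
        Reasons    = $reasons -join '; '
    }
}

# Constructed sample: protectors exist, but encryption stalled and protection is off.
# Delete these lines when deploying; they only show what a failing record looks like.
$stalled = [pscustomobject]@{
    MountPoint = 'C:'; ProtectionStatus = 'Off'; VolumeStatus = 'EncryptionInProgress'
    EncryptionPercentage = 37
    KeyProtector = @([pscustomobject]@{ KeyProtectorType = 'Tpm' },
                     [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' })
}
Test-VolumeCompliance $stalled | Format-List

if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    # Includes every volume the cmdlet reports; filter by MountPoint to skip removable drives
    $records = @(Get-BitLockerVolume | ForEach-Object { Test-VolumeCompliance $_ })
    $records | ConvertTo-Json
    if ($records | Where-Object { -not $_.Compliant }) { exit 1 }  # non-zero = alert (assumed RMM convention)
} else {
    Write-Output "BitLocker cmdlets not present on $env:COMPUTERNAME"
    exit 2
}
```

Scheduling this daily and keeping the JSON output gives the dated check-in history discussed earlier in the thread, independent of whether a key was ever written to AD.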
 