<div dir="ltr"><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">I know that my company is moving everyone to Lucidchart, and it is ok. It covers most of my needs save one that is from a different application that requires visio to run.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Oct 18, 2016 at 10:08 AM, Michael Butash <span dir="ltr"><<a href="mailto:michael@butash.net" target="_blank">michael@butash.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<p>I've been running disk encryption with luks on my own laptops
since I stopped using windoze years ago, and it can have multiple
unlock key slots, both for yourself, and corporate IT. The only
real deficiency is there isn't any centralized management for it
natively, unless you're doing automation atop it with puppet,
anisble, etc to rotate it with a script.</p>
<p>From there, I just run a non-trusted windoze vm if I just need it
as a visio hypervisor as usual, or I've found decent IT shops
usually offer some sort of corporate install options for vm. If
no other reason to have one, the mac users still always just have
to run fusion+windoze anyways for an office suite that doesn't
suck and other win-only enterprise garbage. <br>
</p>
<p>I did this last year working for a large network vendor on
contract, as they required windoze, win-only vpn, certs, posture
analysis, and a ton of other windoze-only software suites, but
they provided a winpe build disk that ran inside vm, and poof, out
came a corporate blessed image to run on about anything. Sadly It
used so much ram by default, it actually ran better on my laptop
or desktop where I could give it 12gb of my ram vs the crappy
gimme laptop they handed me with 8gb. I had to build it in vmware
as their iso checked, but then just converted it to virtualbox and
ran it there.</p>
<p>Every time I would have to boot windoze for something, I'd just
figure out/plan/plot how to replace it eventually. Win admins
usually hate to see me coming their way, but I can always meet
their requirements to stay using linux. I'm still down to only
visio I simply haven't found a suitable replacement for yet.<span class="HOEnZb"><font color="#888888"><br>
</font></span></p><span class="HOEnZb"><font color="#888888">
<p>-mb<br>
</p></font></span><div><div class="h5">
<br>
<div class="m_-3867776606598507941moz-cite-prefix">On 10/17/2016 08:23 PM, Brien Dieterle
wrote:<br>
</div>
<blockquote type="cite">
<p dir="ltr">I don't see anything there about centrally managed
full disk encryption for Linux with bitlocker. There are
products out there but no way a shop is going to invest in
multiplatform solution just for one person. I would look at
doing native Linux encryption (whatever the distro offers during
installation) and turn the key over to IT. That might satisfy
the insurance requirement without having a managed solution for
Linux.</p>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Oct 17, 2016 7:50 PM, "Stephen
Partington" <<a href="mailto:cryptworks@gmail.com" target="_blank">cryptworks@gmail.com</a>>
wrote:<br type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div class="gmail_default" style="font-family:"trebuchet ms",sans-serif">Incorrect,
I have done this with Ubuntu. It requires you to turn
over the initial boot records to windows and use an
application like EasyBCD to manage them. but it provides
full bitlocker compatibility with Linux.</div>
<div class="gmail_default" style="font-family:"trebuchet ms",sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:"trebuchet ms",sans-serif">See
method 3 from this post for a baseline. <a href="http://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx" target="_blank">http://social.techne<wbr>t.microsoft.com/wiki/contents/<wbr>articles/9528.how-to-multiboot<wbr>-with-bitlocker-tpm-and-a-non-<wbr>windows-os.aspx</a></div>
<div class="gmail_default" style="font-family:"trebuchet ms",sans-serif"><br>
</div>
<div class="gmail_default" style="font-family:"trebuchet ms",sans-serif">I
have done this with windows 7, Have not tried it with
windows 10.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mon, Oct 17, 2016 at 4:41 PM,
Nathan England <span dir="ltr"><<a href="mailto:nathan@nmecs.com" target="_blank">nathan@nmecs.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">-----BEGIN
PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
<br>
I asked my IT department a question today and may have
opened pandora's<br>
box.<br>
<br>
I've been allowed to run Fedora on my company laptop
for a couple of<br>
years now. I am using a personal hard drive for Fedora
that way if I<br>
needed to I could put the original Windows drive back
in and access what<br>
ever I needed.<br>
<br>
I haven't used my Windows drive in over a year now and
it's causing some<br>
issues with corporate AD and the anti-virus. So I
requested installing<br>
windows in a VirtualBox and having corporate IT join
it to the domain,<br>
install av, office suite, and the other stuff I may
need but likely<br>
never will use, and then I can easily boot it once a
week to keep my av<br>
up to date.<br>
<br>
The response was that our insurance requires the use
of Bitlocker.<br>
Full stop...<br>
<br>
Their potential solution is to partition the drive to
have Windows and<br>
Linux but both be encrypted with Bitlocker so they
could access the<br>
drive contents should I ever leave or die or what
ever...<br>
<br>
I realize encrypting the linux partition with
bitlocker is not likely<br>
ever going to happen (right?) but are there corporate
linux systems that<br>
allow IT access to encrypted volumes like Bitlocker
and AD?<br>
<br>
I feel dirty even asking this. Doesn't this defeat the
entire purpose of<br>
encryption to begin with? ugh... I guess it makes
sense, but it sounds<br>
like inferior by design.<br>
<br>
<br>
- --<br>
~~~~~~~~~~~~~~~~~~~~~~~~<br>
Nathan England<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v1<br>
<br>
iQEcBAEBAgAGBQJYBWGMAAoJEOuk7+<wbr>DwYjzgSIYH/3EtMISD68n5d88CX6XD<wbr>ctYT<br>
TcJLb00AVw5TvlK/+aLaMCu6EmkaZl<wbr>DW+1KMk5pYvxV7MMhdPxKq1+tYbFh1<wbr>7JFG<br>
G7DWeXUvEC+tGUmy2fvhBGAyaBC5XW<wbr>NiXkbmWq+g8D6yKzG90P9rjVn3bL7Y<wbr>w8P3<br>
8c/CyrncOF50yZieSedDgNPtfb2QWn<wbr>PmaE0O43CcqTFihAN+5JSViV40YacC<wbr>MTgS<br>
0raKYspau6hbB9lnWg2ScQx0zIvFJv<wbr>pIE0xwIYPkBDYGtitHm3YoTaFmv3KF<wbr>srV6<br>
OV/X/EOdurtWdsTwxjM2b6qI7ng0P4<wbr>/xuSdedoK4jH86AnaKZGTy4Ox4OOid<wbr>CvU=<br>
=HOWo<br>
-----END PGP SIGNATURE-----<br>
------------------------------<wbr>---------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.or<wbr>g</a><br>
To subscribe, unsubscribe, or to change your mail
settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer" target="_blank">http://lists.phxlinux.org/mail<wbr>man/listinfo/plug-discuss</a><br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div class="m_-3867776606598507941m_6066813521725494958gmail_signature" data-smartmail="gmail_signature">A mouse trap, placed on
top of your alarm clock, will prevent you from rolling
over and going back to sleep after you hit the snooze
button.<br>
<br>
Stephen<br>
<br>
</div>
</div>
<br>
------------------------------<wbr>---------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.or<wbr>g</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer" target="_blank">http://lists.phxlinux.org/mail<wbr>man/listinfo/plug-discuss</a><br>
</blockquote>
</div>
</div>
<br>
<fieldset class="m_-3867776606598507941mimeAttachmentHeader"></fieldset>
<br>
<pre>------------------------------<wbr>---------------------
PLUG-discuss mailing list - <a class="m_-3867776606598507941moz-txt-link-abbreviated" href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">PLUG-discuss@lists.phxlinux.<wbr>org</a>
To subscribe, unsubscribe, or to change your mail settings:
<a class="m_-3867776606598507941moz-txt-link-freetext" href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/<wbr>mailman/listinfo/plug-discuss</a></pre>
</blockquote>
<br>
</div></div></div>
<br>------------------------------<wbr>---------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org">PLUG-discuss@lists.phxlinux.<wbr>org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" rel="noreferrer" target="_blank">http://lists.phxlinux.org/<wbr>mailman/listinfo/plug-discuss</a><br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">A mouse trap, placed on top of your alarm clock, will prevent you from rolling over and going back to sleep after you hit the snooze button.<br><br>Stephen<br><br></div>
</div>