Re: Bitlocker and Linux

Author: Stephen Partington
Date:  
To: Mike Butash, Main PLUG discussion list
Subject: Re: Bitlocker and Linux
I know that my company is moving everyone to Lucidchart, and it is OK. It
covers most of my needs, save one that is from a different application that
requires Visio to run.

On Tue, Oct 18, 2016 at 10:08 AM, Michael Butash <> wrote:

> I've been running disk encryption with luks on my own laptops since I
> stopped using windoze years ago, and it can have multiple unlock key slots,
> both for yourself, and corporate IT. The only real deficiency is there
> isn't any centralized management for it natively, unless you're doing
> automation atop it with puppet, ansible, etc. to rotate it with a script.
>
> From there, I just run a non-trusted windoze vm if I just need it as a
> visio hypervisor as usual, or I've found decent IT shops usually offer some
> sort of corporate install options for vm. If no other reason to have one,
> the mac users still always just have to run fusion+windoze anyways for an
> office suite that doesn't suck and other win-only enterprise garbage.
>
> I did this last year working for a large network vendor on contract, as
> they required windoze, win-only vpn, certs, posture analysis, and a ton of
> other windoze-only software suites, but they provided a winpe build disk
> that ran inside vm, and poof, out came a corporate blessed image to run on
> about anything. Sadly, it used so much ram by default, it actually ran
> better on my laptop or desktop where I could give it 12gb of my ram vs the
> crappy gimme laptop they handed me with 8gb. I had to build it in vmware
> as their iso checked, but then just converted it to virtualbox and ran it
> there.
>
> Every time I would have to boot windoze for something, I'd just figure
> out/plan/plot how to replace it eventually. Win admins usually hate to see
> me coming their way, but I can always meet their requirements to stay using
> linux. I'm still down to only visio I simply haven't found a suitable
> replacement for yet.
>
> -mb
>
> On 10/17/2016 08:23 PM, Brien Dieterle wrote:
>
> I don't see anything there about centrally managed full disk encryption
> for Linux with bitlocker. There are products out there but no way a shop
> is going to invest in multiplatform solution just for one person. I would
> look at doing native Linux encryption (whatever the distro offers during
> installation) and turn the key over to IT. That might satisfy the
> insurance requirement without having a managed solution for Linux.
>
> On Oct 17, 2016 7:50 PM, "Stephen Partington" <>
> wrote:
>
>> Incorrect, I have done this with Ubuntu. It requires you to turn over the
>> initial boot records to windows and use an application like EasyBCD to
>> manage them, but it provides full bitlocker compatibility with Linux.
>>
>> See method 3 from this post for a baseline.
>> http://social.technet.microsoft.com/wiki/contents/articles/9528.how-to-multiboot-with-bitlocker-tpm-and-a-non-windows-os.aspx
>>
>> I have done this with Windows 7; have not tried it with Windows 10.
>>
>> On Mon, Oct 17, 2016 at 4:41 PM, Nathan England <> wrote:
>>
>>>
>>>
>>> I asked my IT department a question today and may have opened pandora's
>>> box.
>>>
>>> I've been allowed to run Fedora on my company laptop for a couple of
>>> years now. I am using a personal hard drive for Fedora that way if I
>>> needed to I could put the original Windows drive back in and access
>>> whatever I needed.
>>>
>>> I haven't used my Windows drive in over a year now and it's causing some
>>> issues with corporate AD and the anti-virus. So I requested installing
>>> windows in a VirtualBox and having corporate IT join it to the domain,
>>> install av, office suite, and the other stuff I may need but likely
>>> never will use, and then I can easily boot it once a week to keep my av
>>> up to date.
>>>
>>> The response was that our insurance requires the use of Bitlocker.
>>> Full stop...
>>>
>>> Their potential solution is to partition the drive to have Windows and
>>> Linux but both be encrypted with Bitlocker so they could access the
>>> drive contents should I ever leave or die or whatever...
>>>
>>> I realize encrypting the linux partition with bitlocker is not likely
>>> ever going to happen (right?) but are there corporate linux systems that
>>> allow IT access to encrypted volumes like Bitlocker and AD?
>>>
>>> I feel dirty even asking this. Doesn't this defeat the entire purpose of
>>> encryption to begin with? ugh... I guess it makes sense, but it sounds
>>> like inferior by design.
>>>
>>>
>>> - --
>>> ~~~~~~~~~~~~~~~~~~~~~~~~
>>> Nathan England
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list -
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>
>>
>>
>>
>> --
>> A mouse trap, placed on top of your alarm clock, will prevent you from
>> rolling over and going back to sleep after you hit the snooze button.
>>
>> Stephen
>>




--
A mouse trap, placed on top of your alarm clock, will prevent you from
rolling over and going back to sleep after you hit the snooze button.

Stephen
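
The key-slot arrangement mentioned in the quoted replies above (one LUKS slot for the user, one handed to corporate IT and rotated by script) can be sketched with cryptsetup as follows. This is an added example, not part of the original thread; the scratch image file, the key-file names and the slot numbering (0 for the user, 1 for IT) are assumptions.

```shell
#!/bin/sh
# Added example: LUKS2 volume with a user key slot and a separate IT escrow slot.
# Runs against a scratch image file; file names and slot numbers are assumptions.
# The weak PBKDF settings only keep the demo fast; omit them on a real volume.
FAST="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"

make_volume() {      # $1=image  $2=user key file (goes into slot 0)
    truncate -s 32M "$1"
    cryptsetup luksFormat --type luks2 --batch-mode $FAST \
        --key-slot 0 --key-file "$2" "$1"
}

add_escrow_slot() {  # $1=image  $2=user key (authorises)  $3=IT key (slot 1)
    cryptsetup luksAddKey --batch-mode $FAST \
        --key-slot 1 --key-file "$2" "$1" "$3"
}

rotate_escrow() {    # $1=image  $2=old IT key  $3=new IT key; touches slot 1 only
    cryptsetup luksChangeKey --batch-mode $FAST \
        --key-slot 1 --key-file "$2" "$1" "$3"
}

unlocks() {          # $1=image  $2=key file; verifies the key without mapping
    cryptsetup open --test-passphrase --key-file "$2" "$1" >/dev/null 2>&1
}

demo() {             # returns 0 only if every step behaves as expected
    d=$(mktemp -d) || return 1
    for k in user it_old it_new; do
        head -c 32 /dev/urandom > "$d/$k.key"   # constructed sample keys
    done
    make_volume "$d/disk.img" "$d/user.key" &&
    add_escrow_slot "$d/disk.img" "$d/user.key" "$d/it_old.key" &&
    unlocks "$d/disk.img" "$d/user.key" &&
    unlocks "$d/disk.img" "$d/it_old.key" &&
    rotate_escrow "$d/disk.img" "$d/it_old.key" "$d/it_new.key" &&
    unlocks "$d/disk.img" "$d/it_new.key" &&
    unlocks "$d/disk.img" "$d/user.key" &&
    ! unlocks "$d/disk.img" "$d/it_old.key"     # old escrow key must be dead
    rc=$?
    rm -rf "$d"
    return $rc
}

if [ "${1:-}" = demo ]; then demo && echo "escrow slot demo passed"; fi
```

Rotating slot 1 leaves the user's slot 0 untouched, so IT can change its escrow key without knowing the user's passphrase.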