Is Altiris compatible with full encryption software?

Article ID: 180331

Products

Management Platform (formerly known as Notification Server)
Deployment Solution

Issue/Introduction


Resolution

Question
I am in the middle of a review of security products and solutions to protect data on mobile devices. Many of the products include "Full Disk Encryption" software. Are there any potential conflicts with our Altiris environment?

The way the products generally work:
  • The entire hard drive(s) of a computer are encrypted.
  • The boot sector of the primary boot device contains a "pre-boot" challenge.
  • Users enter an authorized password, allowing decryption to occur and the computer to start up normally.
  • Normal logon using Windows Security continues as before.

(You could think of this process as a secure power-on password scheme, with impact similar to setting a BIOS password.)

Answer
Full Disk Encryption products like PointSec cause many issues with the Altiris Software.

Deployment Server
Full Disk Encryption software encrypts the entire HDD. Both it and Altiris modify the MBR, so BootWorks will not work in such a scenario; PXE is required instead.

In order to image a computer that is encrypted, it must be unencrypted first.

Notification Server
The Altiris Agent and many of the Solution Tasks rely on automated tasks that run under the local system account. If the user is not logged on, the data is encrypted and these tasks will not run. Affected tasks include Basic Inventory, Software Delivery Tasks, App Metering Tasks, Inventory Tasks and so forth.

It is not clear if the tasks would attempt to run and fail or just not run.

Recovery

  • Recovery Solution (network mode) should work just fine with any encryption software.
  • Local Recovery and Local Recovery Pro should work fine with file-based encryption software as well as with software like Credant. Local Recovery and Local Recovery Pro will not work with full HDD encryption software.

Recovery Solution can back up and restore compressed and encrypted files. However, the initial snapshot performed in Linux (Local Recovery Product) and subsequent snapshots performed in Windows handle compressed and encrypted files differently. As a result, files that are compressed or encrypted before the Recovery Agent is installed will be backed up twice. If you have many compressed or encrypted files, this will take double the space to store snapshots of those files. We recommend that you turn compression and encryption off (or limit it to a small number of files) before you install the Recovery Agent. After the Recovery Agent is installed and the first snapshot is taken, you can turn compression and encryption on, and the Recovery Agent will make only one backup of those files.
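Before installing the Recovery Agent, an administrator will want to know how many files already carry the compressed or encrypted attribute and how much extra snapshot space their double backup would cost. The following PowerShell audit is an added example, not part of the Altiris documentation; the scan root is an assumption.

```powershell
# Added example (not Altiris code): estimate the snapshot overhead caused by files
# that are already compressed or encrypted before the Recovery Agent is installed.
# Such files are backed up twice, so the extra space equals their current size.
function Get-DoubleBackupEstimate {
    param(
        [string]$Root = 'C:\Users',   # scan root: an assumption for this example
        [int]$Top = 10                # how many of the largest affected files to list
    )
    $compressed = [System.IO.FileAttributes]::Compressed
    $encrypted  = [System.IO.FileAttributes]::Encrypted

    # NTFS never sets both attributes on one file, so each file falls in one bucket.
    $affected = Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band ($compressed -bor $encrypted)) -ne 0 }

    $summary = $affected | Group-Object {
        if (($_.Attributes -band $encrypted) -ne 0) { 'Encrypted' } else { 'Compressed' }
    } | ForEach-Object {
        $bytes = ($_.Group | Measure-Object -Property Length -Sum).Sum
        [pscustomobject]@{
            Kind            = $_.Name
            Files           = $_.Count
            SizeMB          = [math]::Round($bytes / 1MB, 1)
            ExtraSnapshotMB = [math]::Round($bytes / 1MB, 1)   # second copy of the same data
        }
    }

    # Largest offenders first: good candidates to decompress/decrypt temporarily,
    # per the recommendation above, until the first snapshot has been taken.
    $largest = $affected | Sort-Object Length -Descending | Select-Object -First $Top |
        Select-Object FullName, @{ n = 'SizeMB'; e = { [math]::Round($_.Length / 1MB, 1) } }

    [pscustomobject]@{ Summary = $summary; Largest = $largest }
}

$result = Get-DoubleBackupEstimate -Root 'C:\Users'
$result.Summary | Format-Table -AutoSize
$result.Largest | Format-Table -AutoSize
```

Run it as a user who can read the scanned tree; files that cannot be read are silently skipped and therefore undercount the estimate.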

Note that encrypted files cannot be restored to drives using FAT or FAT32 in their regular, usable encrypted form. A user can restore encrypted files to a FAT partition, but because these files are restored in raw encrypted form, the user cannot read them. To convert restored files from the raw encrypted form into the regular encrypted form, the user can use the EFSCONV utility. After the files are converted, the user can access the converted files, but only if they had access to the files before the backup.

EFSCONV can be used to convert raw encrypted files restored by Web-based File Recovery. EFSCONV can also be used when the Recovery Agent failed to apply the "encrypted" attribute to a restored file (for example, when there is not enough space to create the regular encrypted file). In this case the restored file remains in raw encrypted form and the user can use EFSCONV to convert it to the regular encrypted form. Efsconv.exe is located on the Recovery Solution Server at C:\Program Files\Altiris\Recovery Solution\Console. You can also access it through the Altiris Console on the Tasks tab under Tasks > Incident Resolution > Recovery Solution > Convert Encrypted Files on FAT Partitions.

To convert encrypted files on FAT partitions:

  1. Restore encrypted files to a FAT partition, or use the Web-based File Recovery.
  2. Enter the following command at the command prompt: EFSCONV.EXE <restored raw file path> <destination file path>

Note: The destination path must be on NTFS partition.
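The steps above handle one file at a time. The following PowerShell script is an added example, not part of the Altiris documentation, that applies the same EFSCONV.EXE command to a whole tree of restored files, refuses to run unless the destination is NTFS, and skips files that already carry the Encrypted attribute (the case where the agent restored them in regular form). The restore and destination folders are assumptions; the EFSCONV path is the one given above.

```powershell
# Added example (not Altiris code): batch conversion of raw encrypted files with EFSCONV.EXE.
param(
    [string]$RestoredRoot = 'D:\Restored',   # FAT/FAT32 restore location (assumption)
    [string]$DestRoot     = 'C:\Converted',  # must be on an NTFS volume (see Note above)
    [string]$EfsConv      = 'C:\Program Files\Altiris\Recovery Solution\Console\Efsconv.exe'
)

$encrypted = [System.IO.FileAttributes]::Encrypted

# EFSCONV requires an NTFS destination; check the volume format before doing any work.
$destDrive = [System.IO.Path]::GetPathRoot($DestRoot)
$format    = (New-Object System.IO.DriveInfo($destDrive)).DriveFormat
if ($format -ne 'NTFS') {
    throw "Destination $DestRoot is on a $format volume; EFSCONV needs an NTFS destination."
}
if (-not (Test-Path -LiteralPath $EfsConv)) { throw "EFSCONV not found at $EfsConv" }

New-Item -ItemType Directory -Path $DestRoot -Force | Out-Null
$rootLen = $RestoredRoot.TrimEnd('\').Length

Get-ChildItem -LiteralPath $RestoredRoot -File -Recurse | ForEach-Object {
    # A file that already has the Encrypted attribute was restored in regular form
    # (only possible on NTFS); only raw files, which lack the attribute, need converting.
    if (($_.Attributes -band $encrypted) -ne 0) {
        Write-Host "skip (already regular EFS): $($_.FullName)"
        return
    }
    $relative = $_.FullName.Substring($rootLen).TrimStart('\')
    $dest     = Join-Path $DestRoot $relative
    New-Item -ItemType Directory -Path (Split-Path $dest -Parent) -Force | Out-Null

    # Same syntax as step 2 above: EFSCONV.EXE <restored raw file path> <destination file path>
    & $EfsConv $_.FullName $dest

    # Assumption: a non-zero exit code means EFSCONV failed. Independently of the exit
    # code, verify that the destination now carries the Encrypted attribute.
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "EFSCONV exited with $LASTEXITCODE for $($_.FullName)"
    } elseif (((Get-Item -LiteralPath $dest).Attributes -band $encrypted) -ne 0) {
        Write-Host "converted: $dest"
    } else {
        Write-Warning "converted file still lacks the Encrypted attribute: $dest"
    }
}
```

Run it as the user who owned the files before the backup; as noted above, only that user can open the converted files.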

Additional Info
Several companies run Pointsec on every laptop and some desktops in their organization. Inventory Solution, Software Delivery Solution, and other tasks like that (6.x) work just fine. The one thing that doesn't play nice is an embedded BootWorks partition. They were working with Pointsec on this, but it is uncertain how far they got.

Anything that needs direct access to manipulate the disk won't work, such as embedded BootWorks for Deployment Solution or Local Recovery Solution. All other solutions should work, because by then the encryption drivers are loaded and, from an operating system perspective, there are no issues with accessing the disk, which is all that Inventory Solution, Software Delivery Solution, Patch Management Solution, and so on would be doing. The only other issue would be imaging, due to disk access, regardless of whether embedded BootWorks is used or not.

Another company was trying to use Safeboot. We have had limited success with imaging and turning encryption on and off before and after imaging jobs. Pretty much, we now deliver an image and run a job to start Safeboot. After Safeboot is installed, we have to run a Safeboot admin job to allow access for anything that requires a reboot (that is, Patch Management Solution), or the computer hangs and needs human intervention (password being entered) before we can proceed with patching or imaging.