Cycling and bicycle discussion forums.
Foo Off-Topic chit chat with no general subject.
Old 04-21-08, 12:35 AM   #1
mlts22 (Thread Starter)
Hate to ask this (TPM chip on motherboards)

I'm building a server for home for document archival. Of course, for security reasons, I want the server to encrypt its main drives as well as be able to boot up without requiring a password so family can access it when I'm not there. So, Windows Server 2008 + Bitlocker fits this purpose perfectly.

Enter the horror story. I cannot, for the life of me, find any way to find motherboards that have a TPM 1.2 chip on them. I searched Google, which was inconclusive (because the details on the boards are so vague that I can't tell whether a motherboard explicitly has this feature or not). I checked out Intel's motherboards, and the several they touted with this functionality were listed as discontinued when I hit various places like Newegg. Same with Tiger Direct.

Meh, I'm missing something, and it's probably something very stupid.
Old 04-21-08, 01:21 AM   #2
DannoXYZ (Saratoga, CA)
You can use the group-policy editor to turn on BitLocker encryption and use a USB dongle as the key rather than TPM...
Old 04-21-08, 01:28 AM   #3
mlts22 (Thread Starter)
Quote:
Originally Posted by DannoXYZ
You can use the group-policy editor to turn on BitLocker encryption and use a USB dongle as the key rather than TPM...
I'm doing that right now with a USB drive. However, anyone who grabs the dongle from the machine can unlock the machine, and I want it to boot even when I'm not home if there is a power failure in case family wants to use it.

The TPM + Bitlocker solves two problems: keeping baddies out with whole-disk encryption, and not requiring a password to boot a server, so it can restart after an update. The TPM keeps people from booting a CD and getting access to the stored data, while not forcing anyone on site to know a special password to boot the machine.

Last edited by mlts22; 04-21-08 at 01:39 AM.
Old 04-21-08, 10:18 AM   #4
DannoXYZ (Saratoga, CA)
Well... all of the Intel Macs have TPM 1.2 if you want to use one of them. Why do you need such high-security on a home machine?
Old 04-21-08, 12:01 PM   #5
mlts22 (Thread Starter)
Quote:
Originally Posted by DannoXYZ
Well... all of the Intel Macs have TPM 1.2 if you want to use one of them. Why do you need such high-security on a home machine?
It's actually not too high security. I urge anyone and everyone who has a laptop to use some type of hard disk encryption. High security is my laptop, which has to have a smart card and a passphrase to boot. Too many wrong password guesses and the smart card zaps itself.

A couple of reasons for this security. Here in Austin there is a crime ring making the rounds stealing laptops and other computer parts (including people wandering around pretending to be lost in office buildings, looking around for the right moment to lift something). Once the laptop is stolen, it's fenced to another criminal group that contacts the owner of the laptop via either anonymous remailers or SPIT (spam over internet telephony) and extorts money. The group will pretty much tell the owner to cough up some thousands of dollars, or the data stored on the laptop will be lent to "friends" offshore for use in ID theft and directed phishing attacks.

Encrypting data on machines (desktop/laptop/server) ensures that a hardware theft is a hardware theft, and not a hardware + data + identity theft.

What I find ironic is that MS pushed hardware makers to have a TPM chip on everything they made post 2007. One year later, finding this security technology is quite rare unless buying a high end Dell, HP, or Lenovo laptop.

I consider encrypting one's machine (FileVault if on Macs, TrueCrypt if on Linux, or TrueCrypt/PGP/Bitlocker if on Windows) the same thing as locking the deadbolt on the door when leaving for the morning. It's even less of a hassle than that, because the only time I even notice a hard disk encryption program is when I do a reboot and need to type one line of text.
Old 04-21-08, 12:50 PM   #6
ItsJustMe (Michigan)
If it boots up and allows its shares to be accessed without a password, what's the good of the encryption?

Just curious. I'm a long-time Truecrypt believer, and think anyone who has data that they care about stolen got what was coming to them for being lazy.
__________________
Work: the 8 hours that separates bike rides.
Old 04-21-08, 04:21 PM   #7
mlts22 (Thread Starter)
Quote:
Originally Posted by ItsJustMe
If it boots up and allows its shares to be accessed without a password, what's the good of the encryption?

Just curious. I'm a long-time Truecrypt believer, and think anyone who has data that they care about stolen got what was coming to them for being lazy.
I'm a long-time TrueCrypt user as well. For servers, Bitlocker is engineered for security, but with different goals from TrueCrypt. TrueCrypt is designed to protect against well nigh everything that comes at it, including the guys with the rubber hose. BitLocker makes some security compromises in return for some data recovery features which are needed in corporate IT. For example, BitLocker asks one to print out and save the volume AES key so you can manually enter that in case of emergency. It's assumed that the user will store the AES key info in a locked location. On Active Directory domains, BitLocker can also store recovery keys in the Active Directory schema, allowing IT staff access to a laptop that was used by a terminated employee, for example.

What the TPM chip does with a Bitlocker system is first scan the MBR and first boot sectors to check whether they match a valid hash. Then, and only then, does it pass the volume key to the booting machine, which allows it to decrypt, boot, and go online. If someone pulls the hard disk or tries to modify the boot loader (to try to put a keylogger on for storing the volume key somewhere), the TPM will catch the modified code and refuse to pass the key, requiring the drive to be unlocked either by a keyfile (stored on a USB flash drive in a secure place) or by a manually punched-in set of characters.

The advantage for a server: attacks are limited to the logon screen and to remote ones (things which TrueCrypt can't protect against anyway). Someone can't just boot up a Knoppix CD and use a copy of Ophcrack to pull out passwords. Someone can physically steal the server, but they would still be stuck trying to guess passwords by hand at the winlogon screen.

Bitlocker serves most business needs. It will keep a server at a remote location able to boot and be usable by employees who are not authorized to have admin rights, yet keep data stored on the system and other volumes encrypted and inaccessible unless someone manages to get admin rights to the machine. Bitlocker is highly secure, and does not have any security holes that TrueCrypt doesn't have, but Bitlocker is engineered for recoverability so IT people can regain access to encrypted volumes. TrueCrypt is engineered with security in mind, and the only real way to have IT people recover an encrypted volume with a lost passphrase is for them (the IT staff) to have saved a header backup with a known passphrase beforehand.

If you want a passphrase for booting, all TPM chips can have one enabled where, if someone types the passphrase wrong more than 5 times, the TPM will lock and the drive contents will be inaccessible (until you manually unlock the drive with its main key).

I would recommend looking at the BitLocker wiki and MS's article (http://tinyurl.com/3y9frd) for further tech details.

To sum up: Bitlocker is akin to a pair of pliers, and TrueCrypt is akin to a pair of needle nose pliers. Both serve similar purposes, but they address needs for totally different people.
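The boot-time check described in this post (measure the MBR and boot sectors, hand over the volume key only when the measurement matches, and lock after repeated wrong passphrases) as an added example that is not from the thread, from Microsoft or from any TPM vendor: a toy single-register TPM written in Python. `ToyTPM`, `provision`, `boot`, the handle-based seal store and the constructed boot-component strings are all assumptions made for this demo; a real TPM 1.2 has many PCRs, returns encrypted blobs from its seal operation, and implements lockout with escalating timeouts rather than a plain counter. What the toy does keep faithful is the part that matters for the post: a register that can only be reset or extended (never written), a secret that is released only when the register equals the value it was sealed under, and a failure counter that stops PIN guessing.

```python
"""Toy model of the BitLocker/TPM boot path: measured boot + sealing + lockout.
Constructed for illustration; not Microsoft's or a TPM vendor's code."""
import hashlib
from typing import List, Optional

# Constructed stand-in for BitLocker's volume master key (not a real key).
VOLUME_KEY = b"constructed-volume-master-key"


def _sha1(data: bytes) -> bytes:
    # TPM 1.2 PCRs are 160-bit SHA-1 registers.
    return hashlib.sha1(data).digest()


class TPMLocked(Exception):
    """Raised once the toy TPM has entered dictionary-attack lockout."""


class ToyTPM:
    """Single-PCR, in-memory model of a TPM 1.2 (hypothetical API names)."""

    PCR_RESET = b"\x00" * 20  # PCR is all-zero after power-on

    def __init__(self, max_failures: int = 5):
        self.pcr = self.PCR_RESET
        self._sealed = {}  # handle -> (pcr_at_seal, pin_hash, secret)
        self.failures = 0
        self.max_failures = max_failures

    def power_on(self) -> None:
        """Reset clears the PCR; software can only extend it, never set it."""
        self.pcr = self.PCR_RESET

    def extend(self, component: bytes) -> bytes:
        """PCR := SHA1(PCR || SHA1(component)). Order matters and it is one-way."""
        self.pcr = _sha1(self.pcr + _sha1(component))
        return self.pcr

    def seal(self, secret: bytes, pin: Optional[bytes] = None) -> int:
        """Bind a secret to the current PCR value (and optional PIN); return a handle.
        A real TPM returns an encrypted blob; this toy keeps the secret inside."""
        handle = len(self._sealed) + 1
        pin_hash = _sha1(pin) if pin is not None else None
        self._sealed[handle] = (self.pcr, pin_hash, secret)
        return handle

    def unseal(self, handle: int, pin: Optional[bytes] = None) -> Optional[bytes]:
        """Release the secret only if the PCR matches and the PIN (if any) is right.
        Returns None when the boot chain does not match or the PIN is wrong;
        raises TPMLocked after max_failures bad PINs (cleared only out-of-band)."""
        if self.failures >= self.max_failures:
            raise TPMLocked("too many bad PINs; recovery key required")
        sealed_pcr, pin_hash, secret = self._sealed[handle]
        if sealed_pcr != self.pcr:
            return None  # MBR/boot sectors changed, or disk moved to another TPM
        if pin_hash is not None and (pin is None or _sha1(pin) != pin_hash):
            self.failures += 1
            return None
        self.failures = 0
        return secret


def measure_chain(tpm: ToyTPM, boot_chain: List[bytes]) -> bytes:
    """What firmware does before the OS loader runs: measure each boot
    component (MBR, boot sectors, loader) into the PCR, in order."""
    tpm.power_on()
    for component in boot_chain:
        tpm.extend(component)
    return tpm.pcr


def provision(tpm: ToyTPM, boot_chain: List[bytes], key: bytes,
              pin: Optional[bytes] = None) -> int:
    """Turning BitLocker on: seal the volume key to the known-good boot chain."""
    measure_chain(tpm, boot_chain)
    return tpm.seal(key, pin)


def boot(tpm: ToyTPM, boot_chain: List[bytes], handle: int,
         pin: Optional[bytes] = None) -> Optional[bytes]:
    """Reboot: re-measure whatever boot code is actually present, then ask for the key."""
    measure_chain(tpm, boot_chain)
    return tpm.unseal(handle, pin)


if __name__ == "__main__":
    good = [b"MBR (constructed v1)", b"bootmgr (constructed v1)"]
    tpm = ToyTPM()
    h = provision(tpm, good, VOLUME_KEY)
    print("clean reboot:", boot(tpm, good, h) == VOLUME_KEY)    # True
    tampered = [good[0], b"bootmgr (constructed, patched)"]
    print("modified loader:", boot(tpm, tampered, h))            # None
```

The two outcomes the post describes fall out directly: an unchanged boot chain re-measures to the sealed PCR value and the key is released without anyone typing anything, while a modified loader or a different component order produces a different PCR and the unseal returns nothing, leaving the recovery key (or USB keyfile) as the only way in. With a PIN sealed alongside the key, the fifth wrong guess is the last one the toy accepts; the next call raises `TPMLocked` even with the right PIN.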
All times are GMT -6.