Directory Services And FDE (Full Disk Encryption)

By Vince Lujan Posted May 29, 2019

How are directory services and FDE (full disk encryption) related? It’s a good question because, at first blush, it would seem that the two don’t really go together. One is focused on identity management, and the other is all about encrypting data on the system itself.

Interestingly, though, directory services and FDE are intimately connected, because an FDE deployment is only as strong as the credentials that unlock it. FileVault 2 unlocks the startup volume at pre-boot with the password of a FileVault-enabled user, so the user's directory identity literally gates decryption. BitLocker typically releases the volume key from the TPM before anyone logs in, but its recovery password is escrowed under the computer account in the directory and handed back to the user through that same identity platform. Either way, whoever controls the user and recovery credentials controls access to the data.

Let’s take a closer look below.

Traditional Directory Services Platforms and FDE

Historically, the go-to directory services platform has been Active Directory® (AD), created by Microsoft®. AD is an on-prem identity provider (IdP) for Windows® networks.

As many know, AD has historically struggled with non-Windows platforms. It is possible to enable BitLocker on domain-joined Windows systems from AD, through Group Policy and by storing recovery passwords in AD DS, but managing that rollout across a fleet takes real effort, and AD has nothing equivalent for FileVault 2 on macOS systems.
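As an added example (not from the original post, and not JumpCloud's or Microsoft's code), this is the AD-side procedure the paragraph refers to, written in PowerShell: encrypt the OS drive with a TPM protector, add a recovery password, escrow it in AD DS, and then confirm from AD itself that the escrow landed. It assumes a domain-joined machine with a TPM, the Group Policy setting that allows BitLocker recovery information to be saved to AD DS, and the RSAT ActiveDirectory module on the machine running the check; none of those assumptions come from the post.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: enable BitLocker on the OS drive of a
# domain-joined Windows client, escrow the recovery password in AD DS, then check
# from the AD side that the escrow actually landed.
#
# Assumptions (none are stated in the post):
#  - The machine is domain-joined and has a TPM.
#  - The GPO "Choose how BitLocker-protected operating system drives can be
#    recovered" is enabled with "Save BitLocker recovery information to AD DS";
#    without it Backup-BitLockerKeyProtector errors out.
#  - The RSAT ActiveDirectory module is installed and the caller can read the
#    msFVE-RecoveryInformation objects under this computer account.

$OsDrive = $env:SystemDrive

# 1. Encrypt with a TPM protector if the drive is still in the clear. The TPM
#    releases the volume key at boot, so the user's login is not what decrypts
#    the disk; the recovery password added below is the out-of-band unlock.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -TpmProtector -SkipHardwareTest | Out-Null
}

# 2. Make sure a recovery password protector exists. Safe to re-run: nothing is
#    added if one is already present.
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
if ($recovery.Count -eq 0) {
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
}

# 3. Escrow each recovery password in AD DS. The 48-digit password itself is never
#    echoed to the console or a log; the protector ID is enough to track it.
foreach ($p in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $OsDrive -KeyProtectorId $p.KeyProtectorId | Out-Null
    "Escrow requested for protector $($p.KeyProtectorId)"
}

# 4. Verify from AD rather than trusting the client: each escrowed password is a
#    msFVE-RecoveryInformation child of the computer object, keyed by the
#    protector GUID held in msFVE-RecoveryGuid (stored as a byte array).
Import-Module ActiveDirectory
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
$escrowed = Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
    -Filter "objectClass -eq 'msFVE-RecoveryInformation'" -Properties 'msFVE-RecoveryGuid'
$escrowedIds = @(foreach ($o in $escrowed) {
    '{' + ([guid]::new([byte[]]$o.'msFVE-RecoveryGuid')).ToString() + '}'
})
foreach ($p in $recovery) {
    $found = $escrowedIds -contains $p.KeyProtectorId   # string compare, case-insensitive
    "{0}: escrowed in AD = {1}" -f $p.KeyProtectorId, $found
}
```

The point of step 4 is that a client-side "backup succeeded" message is not proof of escrow; the recovery GUID has to be found under the computer object in AD. If a protector reports False there, the usual causes are the missing Group Policy setting or a replication delay, and the machine should not be considered recoverable until it reports True.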

Ideally, IT admins would be able to implement and manage FDE for Windows and macOS from the same platform, in a perfect world their directory services solution. That solution would also need to escrow recovery keys securely, so that a user who is locked out of their system can be recovered without the key ever sitting in a ticket or an email. Why does this matter?

FDE Solutions Explained

FDE solutions such as BitLocker for Windows and FileVault 2 for macOS are gaining momentum largely because of the risk of data breaches and leaks. A stolen or lost laptop is the classic case: without FDE, anyone who pulls the drive can read every file on it. IT organizations are therefore stepping up their data security efforts by ensuring that the drives in their users' machines are encrypted.

FDE is perhaps the best way to protect user data while the system is at rest. The volume is stored encrypted at all times; what changes is whether the key is available. The key is released only when the system is unlocked at boot (a FileVault-enabled user's password, or BitLocker's TPM plus an optional PIN) or when a recovery key is supplied. Two caveats follow. Once the system is booted and unlocked, FDE offers no protection against malware or a compromised account, so it complements rather than replaces endpoint controls. And a recovery key is equivalent to the data it unlocks, so the escrow store has to be protected and audited like the data itself.

The challenge is in enabling and managing FDE across macOS and Windows platforms, and in securing the escrow of recovery keys, without stitching together multiple solutions. An ideal solution would help to mitigate these challenges.
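As an added example (not from the original post, and not JumpCloud's vault code), here is the gate a practitioner would want in front of any recovery-key escrow: validate the key before it is stored, so a mistyped or truncated key is rejected at escrow time rather than discovered when a user is already locked out. The function names are hypothetical, the sample keys are constructed, and the hashtable stands in for a real encrypted, access-logged store. The BitLocker check relies on the format of the 48-digit recovery password (eight six-digit groups, each a 16-bit word times 11); the FileVault check is a format check only.

```powershell
# Added example, not from the original post and not JumpCloud's vault code: a
# gate that every recovery key should pass before it is written into escrow.
# The $vault hashtable stands in for a real, encrypted, access-logged store.

function Test-BitLockerRecoveryPassword {
    param([Parameter(Mandatory)][string]$Password)
    # 48 digits in eight groups of six. Each group is a 16-bit word times 11, so it
    # must be divisible by 11 and below 65536 * 11 = 720896. That divisibility is
    # the check BitLocker's own recovery prompt applies to catch typos.
    $groups = $Password.Trim() -split '-'
    if ($groups.Count -ne 8) { return $false }
    foreach ($g in $groups) {
        if ($g -notmatch '^\d{6}$') { return $false }
        $n = [int]$g
        if (($n % 11) -ne 0 -or $n -ge 720896) { return $false }
    }
    return $true
}

function Test-FileVaultRecoveryKey {
    param([Parameter(Mandatory)][string]$Key)
    # Format check only: a personal recovery key is 24 upper-case letters/digits in
    # six groups of four. The authoritative check is `fdesetup validaterecovery`
    # on the Mac itself, which tests the key against the volume.
    return [bool]($Key.Trim() -match '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$')
}

function Add-EscrowedRecoveryKey {
    param(
        [Parameter(Mandatory)][hashtable]$Vault,
        [Parameter(Mandatory)][string]$DeviceId,
        [Parameter(Mandatory)][ValidateSet('BitLocker', 'FileVault')][string]$Platform,
        [Parameter(Mandatory)][string]$Key
    )
    $valid = switch ($Platform) {
        'BitLocker' { Test-BitLockerRecoveryPassword $Key }
        'FileVault' { Test-FileVaultRecoveryKey $Key }
    }
    if (-not $valid) {
        # Fail closed, and never put the key material itself into the error text.
        throw "Refusing to escrow malformed $Platform recovery key for $DeviceId"
    }
    $Vault[$DeviceId] = @{
        Platform   = $Platform
        Key        = $Key
        EscrowedAt = (Get-Date).ToUniversalTime()
    }
}

# Constructed sample keys (not real devices). The first BitLocker value passes the
# mod-11 and range checks on every group; flipping its last digit makes it fail.
$vault = @{}
Add-EscrowedRecoveryKey -Vault $vault -DeviceId 'LAPTOP-01' -Platform BitLocker `
    -Key '123453-654544-330000-099990-720885-000011-499994-135795'
Add-EscrowedRecoveryKey -Vault $vault -DeviceId 'MBP-07' -Platform FileVault `
    -Key 'AB12-CD34-EF56-GH78-IJ90-KL12'
try {
    Add-EscrowedRecoveryKey -Vault $vault -DeviceId 'LAPTOP-02' -Platform BitLocker `
        -Key '123453-654544-330000-099990-720885-000011-499994-135796'
} catch {
    "Rejected: $($_.Exception.Message)"
}
"Escrowed devices: $($vault.Keys -join ', ')"
```

The first two calls are accepted; the third is rejected because its last group, 135796, is not a multiple of 11. The same range rule catches a group of 720896, which is divisible by 11 but exceeds the 16-bit limit. Whatever store replaces the hashtable, the two properties to keep are that it fails closed on a malformed key and that the error path never logs the key.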

Fortunately, for organizations that are interested in managing FDE across platforms, a new generation of directory services is enabling this.

Directory-as-a-Service® and FDE

Called Directory-as-a-Service, this cloud directory can control systems with GPO-like functionality for not only Windows, but macOS and Linux® as well. In particular, IT admins can remotely control a fleet of Windows and macOS systems to implement FDE.

More specifically, DaaS can enable BitLocker for Windows and FileVault 2 for macOS. Further, the cloud directory service has a built-in secure vault to escrow recovery keys in case a user forgets their password or locks themselves out of their machine.

The end result is that IT admins can remotely implement FDE across their entire macOS and Windows fleet without anything on-prem. In fact, the Directory-as-a-Service platform can securely manage and connect users to virtually any IT resource from the cloud.

Learn More About Directory Services and FDE

Contact JumpCloud to learn more about directory services and FDE. You can also sign up for a free account and see how the Directory-as-a-Service platform can implement FDE for Windows and macOS from the cloud.

Everything JumpCloud has to offer is free for up to 10 users and there’s no time limit. So, don’t hesitate to test the full functionality of our cloud directory for as long as you need.

Vince Lujan

Vince is a writer and videographer at JumpCloud. Originally from a small village just outside of Albuquerque, he now calls Boulder home. When Vince is not developing content for JumpCloud, he can usually be found doing creek stuff.
