Full disk encryption (FDE) is one of the most critical security features to enable on your users’ systems. Realizing this, both Microsoft® and Apple® created FDE software for their respective operating systems. In this post, we will focus on BitLocker, Microsoft’s FDE solution, and guide you on how to enforce FDE for Windows® systems.
What is Full Disk Encryption?
When enabled, FDE software like BitLocker encrypts the contents of the hard drive so that the data is protected while it is at rest. In order to unlock the drive for use — that is, to decrypt it — the system’s user needs to enter their password. That way, if a bad actor steals a machine and removes the hard drive, they still cannot read the data stored on it.
As a failsafe, BitLocker and other FDE software generally include some sort of recovery key that unlocks a drive in case an IT admin removes the drive from a damaged system or the user forgets their password. These keys need to be properly managed to ensure that the drive can be securely recovered later if need be, but more on that in a second.
Why FDE?
Over the years, many organizations have been breached because a stolen system or hard drive contained confidential information. By locking down the drive entirely, organizations prepare themselves for the worst and can rest assured knowing their data is encrypted at rest.
Additionally, several compliance regulations demand some form of disk encryption to meet requirements. Enforcing FDE for Windows (and other) systems ticks that major box on IT admins’ compliance checklist.
Enforcing FDE for Windows
Enabling BitLocker
For Windows, IT admins can enable BitLocker fairly easily by means of a policy or a software solution specific to managing BitLocker. The process is generally straightforward: an admin chooses a Windows system (or group of systems) and turns on BitLocker using one of these methods. By the next system reboot, BitLocker begins encrypting the drive so that its data is protected at rest.
Managing BitLocker
Although enforcing FDE on Windows systems is relatively easy, managing BitLocker FDE after the fact is another story. Many FDE enablement tools can turn BitLocker on, but ensuring that each system’s recovery key is available — such as in cases where the user forgets their password or some other issue occurs — is critical, and unfortunately, not always supported.
As a result, admins need to vault and protect these highly sensitive keys on an ongoing basis. Furthermore, as users update their passwords or new users gain access to the machines, recovery keys need to be continuously updated as well. This ongoing task means that a manual process won’t work effectively.
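To confirm that enforcement actually took hold and that a recovery key exists for each volume before it is escrowed, the following PowerShell audit is an added example (it is not from the original post and is not JumpCloud’s own tooling); it uses the BitLocker module built into Windows and assumes an elevated prompt on a Windows 10/11 system.

```powershell
# Added example (not from the original post or JumpCloud): audits BitLocker state on the
# local system and reports whether each volume is protected and has a recovery-password
# protector that can be escrowed. Requires the built-in BitLocker module and elevation.
function Get-BitLockerAuditReport {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # RecoveryPassword protectors are the 48-digit keys an admin escrows for later unlock.
        $recovery = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })

        $findings = @()
        if ($vol.ProtectionStatus -ne 'On')            { $findings += 'protection is off' }
        if ($vol.VolumeStatus -ne 'FullyEncrypted')    { $findings += "volume status is $($vol.VolumeStatus)" }
        if ($recovery.Count -eq 0)                     { $findings += 'no recovery password protector' }
        # XTS-AES is the current default cipher mode; older modes are flagged for review.
        if ($vol.EncryptionMethod -notmatch '^XtsAes') { $findings += "encryption method is $($vol.EncryptionMethod)" }

        [pscustomobject]@{
            MountPoint           = $vol.MountPoint
            VolumeType           = $vol.VolumeType
            ProtectionStatus     = $vol.ProtectionStatus
            VolumeStatus         = $vol.VolumeStatus
            EncryptionMethod     = $vol.EncryptionMethod
            # Only protector IDs are reported; the recovery password itself is never written out.
            RecoveryProtectorIds = (($recovery | ForEach-Object { $_.KeyProtectorId }) -join ',')
            Compliant            = ($findings.Count -eq 0)
            Findings             = ($findings -join '; ')
        }
    }
}

# Usage (run elevated). Volumes reported as non-compliant are the ones to fix before
# treating the system as enforced, e.g. by adding a recovery password protector with
# Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector and escrowing it.
Get-BitLockerAuditReport | Format-Table -AutoSize
```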
Finding the Right Solution to Manage BitLocker
The right full disk encryption enforcement system should not only set the FDE policy at scale across a fleet of Windows machines but also manage the entire recovery key lifecycle with a secure key escrow vault. Unfortunately, most of the market’s popular BitLocker management solutions usually only do one or the other, putting extra load on an IT admin’s plate. Beyond that, many of today’s IT environments contain both Windows and Mac® systems, so having a solution that can do the tasks mentioned above for both Windows and Mac would be truly ideal.
The good news is that a cloud directory services platform — JumpCloud® Directory-as-a-Service® — embeds this functionality into its solution, making it seamless for IT admins to enforce and manage BitLocker across their entire Windows fleet. As a bonus, the same cloud directory also handles the function for macOS® FileVault® 2.
Using JumpCloud to Enforce FDE
IT organizations can use JumpCloud’s Policies functionality to enforce FDE at scale across both Windows and Mac systems with just a couple of clicks. JumpCloud then stores each recovery key securely in escrow, tied to the system it belongs to, so admins can easily retrieve a recovery key if necessary.
Learn More
If you want to efficiently and effectively enforce FDE across your Windows (and Mac) fleets, please contact us to learn more. You can see the process in action by scheduling a free, personalized demo.