OS Deployment and disk encryption

(imported topic written by SY57_Jim_Montgomery)

My organization is getting ready to start looking at BigFix OS Deployment. A majority of our machines use Pointsec for full disk encryption.

I’m curious if there are any forum readers that are successfully using OS Deployment with any full disk encryption products.

My understanding is that OSD reboots the box after modifying the boot.ini, and then pushes/pulls an image, then reboots again. My concern is that after the first reboot the imager process doesn’t have access so it can only retrieve an image of the entire disk, without compression, and can only push to a single size disk (or waste some space).

–Jim

(imported comment written by JackCoates91)

Hi Jimbot,

Depending on how the capture and re-image are initiated, it’s possible to have no reboots or quite a few reboots. We’d need to get into more depth – are you thinking of doing this in a depot to new machines, or in the field on an individual basis?

Does the image need to remain encrypted with the same protocol, or is password protected sufficient? Currently our imaging engine does not enable users to create sector-by-sector (raw) images. It may work from within the Windows capture method (because the drive is decrypted for access). Or it may be possible to do from a PXE boot or CD boot, indirectly… if the imaging engine does not recognize the file system, then it will try to create the raw image by default. That raw image restore operation will have to be tested in order to verify that it works, and then it will be necessary to test the raw image restore operation with an encrypted HDD image to see if it’s possible.

There are a few other questions which can impact things. For example, will the drive be visible for raw capture when it is locked? Some devices do not show up as disk drives until they are unlocked for access. Another concern is that the sectors themselves can be individually encrypted, in which case we won’t be able to access the data in those sectors.

None of these are insurmountable problems, but they do require investigation and (perhaps) additional development. Please advise.

Thanks,

Jack