I'm looking at various Endpoint Encryption products and one of them is Microsoft BitLocker.
Could you please share your personal experience and let me know the pros and cons of this Microsoft product?
Microsoft BitLocker comes free with Windows, but it lacks a full-fledged GUI, i.e. users without command-line experience will find it difficult to use. Also, the recovery key files are kept as unencrypted plain text (not safe).
However, because of its simplicity, the disk encryption and decryption processes are comparatively straightforward and hassle-free if you know how to do it.
To enable a remote connection upon booting a BitLocker client, a network control server (Microsoft option) has to be set up for the purpose, and it then requires all clients to have UEFI DHCP functionality, i.e. MBR-booted clients cannot be connected. As to the speed of disk encryption/decryption, BitLocker is among the best options available in the market, with the process taking less than an hour or so for a common 512 GB NVMe SSD.
The main Pro (vs other encryption products) is that BitLocker is native to the Microsoft operating system in Windows Pro & Enterprise. It isn't something that stands on top of the OS. It also will encrypt the entire drive. Some other products only encrypt specific files/folders.
Any encryption product will cause some level of drag on the operating system. It has been noticed that BitLocker has less of a drag than some other products depending on how encryption is deployed or employed. I recommend doing a proof of concept to be sure encryption does not affect your systems negatively.
If you just need to encrypt files or folders then other products may be a better fit. But first, you need to be able to answer, "So why do you want to encrypt your devices?"... If you don't have a compelling reason to encrypt your devices, maybe you shouldn't.
One of the major reasons to encrypt endpoint devices is regulatory reasons. I would recommend BitLocker for any healthcare, financial services, high security work, government work etc., especially on their mobile devices or desktop devices in unsecure areas. With regulatory issues you need to have management tools that will show you and the auditors that a specific device was "in fact encrypted" when it was lost or stolen. If you use BitLocker without a management tool then you cannot unencrypt if a user loses the key, and you cannot prove it was encrypted if lost or stolen. Keeping a spreadsheet of keys is a big No-No since it can also be stolen or compromised.
That being said, there are a few different ways to manage BitLocker and I think that is where there may be some room to look at other products. Management tools for BitLocker also encrypt your keys on the management server so they cannot be compromised.
1: Configuration Manager. If you are a full Microsoft shop and have invested in Software Assurance in your desktop operating system, have an Enterprise Agreement, Microsoft 365 or other agreement with Software Assurance then Configuration Manager may already be available to you. If so, use Microsoft to manage BitLocker: https://techcommunity.microsof...
Protect data & Infrastructure Microsoft doc: https://docs.microsoft.com/en-...
2: Sophos. Sophos has a management tool for BitLocker.
3: TrendMicro. Trend manages BitLocker in some of their solutions.
I am sure I am missing some others, and there may be other products that tout to be better, but be sure to ask yourself, "So why do you want to encrypt your devices?"
Out of the box, BitLocker doesn't meet FIPS 140-2, which is really the federal standard you should meet for encryption. You can set it up to meet FIPS 140-2; however, even at that, it only achieves FIPS 140-2 Level 1. You should look for products that meet Level 2 as a minimum.
I would also suggest doing a simple Google search for BitLocker hack. It's quite amazing, and includes handy how-to videos. Beyond that, there are BitLocker issues around boot sector corruption and password sync that create a lot of administrative overhead.
Also, you need to consider centralized management of a Bitlocker environment that allows for key management as well as audit trails for proof of encryption.
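One way to produce the per-device encryption record and recovery-key escrow that the answers above call for (proof of encryption for auditors, keys stored somewhere other than a spreadsheet, FIPS policy state), as an added PowerShell example that is not part of this thread. It assumes an elevated session on a domain-joined Windows 10/11 client with the BitLocker module, that the AD schema and policy for storing BitLocker recovery information are already in place, and that the CSV output path is an assumed location.

```powershell
# Added example, not from the thread: record BitLocker state for an audit trail
# and escrow recovery passwords to Active Directory instead of a spreadsheet.
# Assumes an elevated session, the BitLocker PowerShell module, and an AD domain
# configured to store BitLocker recovery information (assumption).
#Requires -RunAsAdministrator

function Get-BitLockerAuditRecord {
    # FIPS policy flag referenced by the answer above; absent key means not enabled.
    $fips = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' `
                             -Name Enabled -ErrorAction SilentlyContinue
    foreach ($vol in Get-BitLockerVolume) {
        $recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        # The record deliberately omits the recovery password itself: the audit
        # file proves encryption state, it must not become a second key store.
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus          # FullyEncrypted, EncryptionInProgress, ...
            ProtectionOn     = ($vol.ProtectionStatus -eq 'On')
            EncryptionMethod = $vol.EncryptionMethod       # e.g. XtsAes256
            Protectors       = ($vol.KeyProtector.KeyProtectorType -join ',')
            HasRecoveryPwd   = [bool]$recovery
            FipsPolicy       = ($fips.Enabled -eq 1)
            Timestamp        = (Get-Date).ToString('o')
        }
    }
}

function Backup-RecoveryPasswordsToAD {
    # Escrow every recovery-password protector under the computer object in AD DS.
    foreach ($vol in Get-BitLockerVolume) {
        foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }
}

Backup-RecoveryPasswordsToAD
# Assumed output path; in practice ship these records to the management server.
Get-BitLockerAuditRecord | Export-Csv -Path "$env:ProgramData\bitlocker-audit.csv" -NoTypeInformation -Append
```

A volume with ProtectionOn false or HasRecoveryPwd false is the case the audit is meant to surface, since it is exactly the device you could not prove encrypted, or could not recover, after a loss.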
Hello @Usman Rasool, @Blanca Flores and @Jos-Katengwa,
Can you please assist @EwoudSpreeuwenberg?
Hi, we're planning to replace PGP with Microsoft BitLocker for our endpoints. What aspects should we take into consideration during this move?