stoolpigeon's Journal: travel, locking down laptops

Just got home from a week in Chicago. I didn't get a direct flight, but went through Detroit. On the legs from Orlando to Detroit, and Detroit back to Orlando I was upgraded to first class. I've never flown up there before and I have to say it was very, very nice. It's just a 2 hour flight, so it's not that big a deal, but it was still pretty cool. I did enjoy it.
 
In the Chicago area, myself and a few other people had the task of securing almost exactly 100 laptops. We worked our tails off to get it done, and I'm pretty exhausted. It really came down to the wire and there just wasn't much time to sleep if we wanted to get it all done.
 
I'm not going to go into all we did but I thought folks might find a couple things interesting. Last year I'd say two thirds of the machines were running windows, and one third were macs. This year it was much, much closer to fifty-fifty. This means I spent a lot more time working on Macs this year. Hated pretty much every moment of it.
 
On Windows we do full disk encryption with TrueCrypt. I am a big, big fan of that product. Unfortunately I found out that on some newer HP/Compaq machines - encrypting the full hard drive will pretty much kill the machine. I'm not 100% sure why, we didn't have time to completely figure it out. But I feel pretty confident it's related to the BIOS doing something with the hard drive, which is completely idiotic. The machines that gave us trouble had 4 partitions on them, the WinRE partition, the system partition, a recovery partition and a "tools" partition.
 
If we encrypted the full disk, the machine would start and then just lock up. We couldn't even open up the BIOS options to change the boot order. We had to remove the drive, put it into another machine that we could boot and then unencrypt the drive. We then just encrypted the system partition and this worked fine.
 
My guess is the BIOS looks at the "tools" partition at some point and fails if it doesn't find it. I will do more research on it now that I'm home because that seems completely stupid. I'm not a big fan of their stuff anyway but this is something I'll actively avoid as I run TrueCrypt on my personal machines.

Macs

[pudge]

At least with Macs you don't have to worry about the stupid BIOS. :-)

Re:

[stoolpigeon]

We have to do everything with free (as in beer software) so the Macs really don't end up nearly as secure as the Windows machines. We create a Sparse image and encrypt that, then we try to move everything sensitive into it. (TrueCrypt can't do full disk encryption on Mac).

There are some other things that don't really work out as we would like best either. But we don't really have better options that are workable on that platform.

TrueCrypt?

[eldiabloencarne]

If I have it right, "truecrypting" the entire disk just makes the bios ( or any disk utility for that matter, so something like cfdisk won't help) see only one big partition, as opposed to the four it is expecting. This vaguely reminds me of that old disk compression system used by Microsoft way back in the early 90s (Stacker?) where the entire system was basically just one big file on the disk. If any part of it became corrupted, the entire thing was toast. Sounds like the solution you found is the only on