Deployment Solution

We are considering full disk encryption either via software like Bitlocker or the Symantec solution, or possibly hardware drive encrytion.

I was wondering what considerations have to be taken if we go this route with DS Imaging of devices?  Is Ghost and then while still in PE drive access seemless or does something like hardware encryption limit what we can do or change our scope on how we image devices?

We use Symantec Disk Encryption/Universal Server here for our laptops/Surface tablets. We image the machine and then as part of the post-image deployment scripts we also include SDE and have it set to auto-encrypt as soon as the tech (or any domain account) logs in. It is fair to say that this process is automated and does not require much in the way of monitoring.

Thanks answers my question related to the Symantec solution.

Any experience with hardware encrypted drives or MS Bitlocker?  We are looking at various options and haven't decided on anything yet.

I have used Bitlocker and it seems to work fine, but isn't as convenient to centrally manage, but, hey, it is free. The recovery components (tokens) are managed through AD while Symantec uses the Universal Server, which is Linux based and pretty easy to configure/maintain. We tinkered with Bitlocker, but decided that SDE was easier to manage, better supported and has a long history of usage in the field.

As to your earlier question, I have never attempted encryption of a drive while in automation. Maybe someone else can chime in if they have done that.

Thanks for the information this is helpful we are not looking to encrypt during automation so no big deal there but using a hardware encrypted drive it will already be this way, so now just need to find someone who uses hardware encryption like opel drives to see what that experience is.

Also note...I think Ghost can image an encrypted drive, but it does so at the bit level instead of file level so a 100GB drive would yield a 100GB image. It grabs the whole drive and not just the data. I have no direct experience doing this, but have read about others attempting it. Just something else to ponder. Maybe someone else can chime in and offer a better explanation or experience.

Yeah that might not be best if we have varying size drives, I'm sure if no one else chimes in the vendors can get us answers if we go that direction.

The symantec or other third party option is looking the best if we have to do all currently deployed machines since we have pro and not enterprise windows on our machines, and would have to do a reimage to enterprise to use bitlocker, or drive swap to use hardware based.  Just trying to explore all options and see the pro's and cons of each.

We are happy with bitlocker, been running it for 4+ years now, but we are all Win7 Enterprise. I like that the keys are stored in AD and we don't have another layer to manage.