Re: [Fed-Talk] Shawn Geddis, Can you help a brother out? issue: Macs at my office are going away because PIV/CAC authorization not supported at boot up i.e. like bitlocker.
- Subject: Re: [Fed-Talk] Shawn Geddis, Can you help a brother out? issue: Macs at my office are going away because PIV/CAC authorization not supported at boot up i.e. like bitlocker.
- From: "Blumenthal, Uri - 0553 - MITLL" <email@hidden>
- Date: Wed, 20 Jun 2018 18:28:55 +0000
- Thread-topic: [Fed-Talk] Shawn Geddis, Can you help a brother out? issue: Macs at my office are going away because PIV/CAC authorization not supported at boot up i.e. like bitlocker.
On 6/20/18, 13:26, "Fed-talk on behalf of Miller, Timothy J." <fed-talk-bounces+uri=email@hidden on behalf of email@hidden> wrote:
That's native. There are 3rd party solutions with smartcard preboot support.
E.g., and this is not a product endorsement:
https://secure-disk-for-bitlocker.com/features/#smart-card-support-for-bitlocker
As Jason pointed out before, there are 3rd-party solutions. This is one of them.
Here's a relevant quote from the site you referred to: https://secure-disk-for-bitlocker.com/pba-pre-boot-authentication-bitlocker/
> As Microsoft BitLocker offers few sophisticated and user convenient authentication methods – the BitLocker protectors – we added additional protectors in Secure Disk for BitLocker. These protectors include an Active Directory credential protector, a smart card protector, a X.509 protector, a modern smartphone app for authentication and multiple biometric options for user authentication.
>
> Secure Disk for BitLocker is available as standard edition, offering password and Active Directory authentication. In its multi-factor edition, we support all modern authentication methods including PKI-token, smart card, biometric / fingerprint authentication, smartphone app authentication via USB cable or Bluetooth.
I don't know about you, but I'm not thrilled about having my pre-boot dependent on network connection being up and Active Directory being present. Especially since BitLocker is less relevant for desktops that (almost?) never leave the office. Who knows what kind of connectivity I might have when I boot my laptop up?
Then, they boast secure boot without TPM. For Windows, I consider that a disadvantage: if I have a TPM, why not use a derived credential, and protect the BitLocker key with it?
Then, somebody mentioned the complexity of managing this kind of solution, and I wholeheartedly agree. The KISS approach has always been my friend. ;-)
On 6/20/18, 11:20 AM, "Fed-talk on behalf of Levine, Jason (NIH/NCI) [E]" <fed-talk-bounces+tmiller=email@hidden on behalf of email@hidden> wrote:
But... how? Again, all documentation I can find (I've re-checked since my earlier email) says that BitLocker does *not* support pre-boot authentication with smartcards... it only allows smartcard decryption for removable drives and non-system data drives (e.g., smartcard decryption *after* the full OS has loaded, and critically, has loaded full support for the smartcard driver/support stack).
Jason
Jason Levine, email@hidden
NCI CCR Associate Director for IT & Clinical Informatics
NCI CCR Pediatric Oncology Branch
(240) 276-5557
On 6/20/18, 12:04 PM, "Jacob, Raymond A Jr. CIV SPAWARSYSCEN-ATLANTIC, 59530" <email@hidden> wrote:
pre-boot
>> Are you using PIV at bitlocker pre-boot environment <<
-----Original Message-----
From: Lamb, John (NIH/NIDCD) [E] [mailto:email@hidden]
Sent: Wednesday, June 20, 2018 11:05 AM
To: Jacob, Raymond A Jr. CIV SPAWARSYSCEN-ATLANTIC, 59530 <email@hidden>
Subject: [Non-DoD Source] Re: [Fed-Talk] Shawn Geddis, Can you help a brother out? issue: Macs at my office are going away because PIV/CAC authorization not supported at boot up i.e. like bitlocker.
Are you using PIV at the BitLocker pre-boot environment, or are they allowing pre-boot bypass and relying on PIV login at the Windows login window? Because... that's less secure than FV2 + PIV login at the login window.
Thanks!
John Lamb
IT Specialist (Information Security)
Information Systems Management Branch
National Institute on Deafness and Other Communication Disorders
240-688-7017
email@hidden
http://www.nidcd.nih.gov
On 6/20/18, 10:55 AM, "Jacob, Raymond A Jr. CIV SPAWARSYSCEN-ATLANTIC, 59530" <email@hidden> wrote:
Shawn:
Macs at my office are going away because PIV/CAC authorization is not supported at boot up, i.e. like BitLocker.
New Girl help a brotha out
https://www.youtube.com/watch?v=7szxqhSCgOw
Thank you
Raymond
PS: I think the next battle front is TPM vs SEP, but that fight is for another day.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Fed-talk mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden