AbolinsJanis Contributor.

Simple ZENworks FDE

Hello,

I am slowly getting to know the encryption possibilities ZENworks offers.
During testing, a few questions about ZENworks encryption arose.

First, let's see what I have done so far:

1) FDE without PBA user:
FDE is applied on the computer's HDD. The encryption process encrypted the HDD.
When Windows OS loads, it decrypts the HDD and the user can log into the local user.
The user does not even know that FDE is enabled on their computer....
2) FDE with PBA user:
I create an FDE policy, where I can indicate what the PBA user should be:
Example: Username Janis_Abolins, Password *********
The user can't change those authentication credentials.
Every time, the user needs to provide those credentials before he can load Windows OS and log into the computer.
3) FDE with PBA user + capturing:
When FDE is applied on the computer, it restarts the system.
When the local user logs in, the ZENworks encryption agent creates (Capture User) a PBA user from those credentials.
If my local user was Janis_Abolins with password 1234qwer, it creates PBA user Janis_Abolins with password 1234qwer.
Password synchronization happens when the local user changes the password:
* After the password for the local user is changed, you need to restart the PC.
* At the pre-boot login screen you will need to use the old PBA user password.
* Then log into the local user with the new password.
* Then the ZENworks encryption agent syncs the passwords.

Q:
How secure is an HDD simply encrypted with ZENworks FDE without a PBA user? Trying to mount the HDD on another system shows that the file system is not recognized and asks to format the HDD. But is it secure enough?

Is it possible to make the ZENworks encryption agent synchronize passwords between the PBA user and the local user at the moment the local user changes his local user password? Without restarts, relogins, etc...

What exactly is written down in the ERI file? Hardware ID?

Best Regards,
Janis Abolins


Micro Focus Expert

Re: Simple ZENworks FDE


While PBA adds another layer of encryption, it should still be considered secure without it.

No, the passwords are synchronized during the logon process.

The ERI file is used to help recover the system in the event of some type of OS failure or possibly another scenario. The ERI file cannot be used between systems. Only the most recently generated ERI file is usable to recover the system.
The ERI files cannot be manually generated after the fact to attempt to recover a system if one does not have the most recent one.