12 Replies. Latest reply on Apr 28, 2009 6:17 AM by SafeBoot

    Build 5600 Ref 5600.3

      I was reading the release notes for Build 5600 when I spotted this :-

       

      5600.3 Error: [e0020008]: Error writing disk sector ‐ when volume is mounting as directory on C Drive
      Some systems have one hard drive, which is divided into three volumes. The first
      volume is mounted as drive C, the second as drive D, and the third is mounted as a
      subdirectory under the C Drive. The status window would show that there were 2 C
      Drives and 1 D Drive.
      If an install set was created with the default options an administrator will find an
      error in the log when it is attempting to install boot protection. The error would be
      “Error [e0020008]: Error writing disk sector”.
      The partitions mounted as a directory will now be ignored. It will not be possible to
      encrypt these partitions, but encryption of "standard" partitions will be possible.


      I've encrypted several machines with partitions mounted in empty directories and it has worked fine. I managed not to freak out at the fact that I appeared to have two C drives and 5 E drives. I was quite impressed that EE coped with this sort of thing. So, as you can imagine, I'm not over the moon that someone has effectively prevented me from rolling out the new build. However, I did notice the bit about 'default options' so I was wondering if there is still a way to encrypt mounted volumes?

      Mike
        • 1. RE: Build 5600 Ref 5600.3
          You may have thought they were encrypted, but it's doubtful they really were.

          EEPC converts the partition name to a sector range, so any disk space related to a link would never get touched. Only the sectors related to the disks with proper letters get encrypted.

          I think this is mentioned in more detail in the release notes?
          • 2. RE: Build 5600 Ref 5600.3


            I believe this is not the case. As it happens, the server that got trashed had this partition scheme and I'm currently doing a manual decrypt on the partitions, so I'm reasonably confident that SB did do the business.

            Mike
            • 3. RE: Build 5600 Ref 5600.3
              OK, let me rephrase.

              The way EEPC works out what sectors to encrypt is it asks the OS "what sectors does C: represent, what sectors does D: represent" etc.

              It does not ask about linked folders etc.

              So, if you have partitions outside the borders of named drive letters, mapped into folder links, EEPC won't touch them.

              You can confirm this by looking at the disk information in SafeTech/WinTech and comparing this to the partition information.

              S.
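
The reply above says coverage is worked out per drive letter, so a partition reachable only through a folder mount point is the one to look for when auditing. The following is an added example, not code from this thread or from the vendor: it lists each partition's sector range as Windows reports it and flags partitions that have no drive letter. It assumes Windows 8 / Server 2012 or later (the Storage module cmdlets `Get-Disk` and `Get-Partition`); the function name `Get-PartitionCoverage` is hypothetical, and the output describes the Windows partition layout only, not encryption state.

```powershell
# Added example: report every partition's sector range and whether it is
# reachable by drive letter, only by folder mount point, or not at all.
# Assumption: Storage module available (Windows 8 / Server 2012 or later).

function Get-PartitionCoverage {
    foreach ($disk in Get-Disk) {
        $sectorSize = $disk.LogicalSectorSize
        foreach ($part in Get-Partition -DiskNumber $disk.Number -ErrorAction SilentlyContinue) {
            # AccessPaths mixes drive-letter roots ("D:\"), folder mount points
            # ("C:\Data\Logs\") and the volume GUID path ("\\?\Volume{...}\").
            $paths   = @($part.AccessPaths | Where-Object { $_ })
            $folders = @($paths | Where-Object {
                $_ -notlike '\\?\*' -and $_ -notmatch '^[A-Za-z]:\\$'
            })

            # DriveLetter is a [char]; it is NUL when no letter is assigned.
            $hasLetter = "$($part.DriveLetter)" -match '^[A-Za-z]$'

            $status = if ($hasLetter) { 'DriveLetter' } elseif ($folders.Count -gt 0) { 'FolderMountOnly' } else { 'NoAccessPath' }

            [pscustomobject]@{
                Disk        = $disk.Number
                Partition   = $part.PartitionNumber
                DriveLetter = if ($hasLetter) { "$($part.DriveLetter):" } else { '' }
                MountedAt   = $folders -join '; '
                FirstSector = [uint64]($part.Offset / $sectorSize)
                LastSector  = [uint64]((($part.Offset + $part.Size) / $sectorSize) - 1)
                Status      = $status
            }
        }
    }
}

# Partitions that a drive-letter-based tool would not see:
Get-PartitionCoverage |
    Where-Object { $_.Status -eq 'FolderMountOnly' } |
    Format-Table -AutoSize
```

The sector ranges can then be compared against the disk information shown in the recovery tool, as the reply suggests.
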
              • 4. RE: Build 5600 Ref 5600.3
                Is there a legitimate reason you have 7 partitions on these endpoints? I would consider using only real drive letters for each volume and quotas if you are trying to prevent one app or user from filling the system. It seems as if someone created a more complicated setup than what is necessary. If it was done for "security" reasons, don't try too hard... it is a Microsoft product.

                Alternatively, if you need to mount volumes symbolically under another volume, then can't you have it as both a drive letter and symbolic link? (partition 4 is both z: and c:\program files\BigApp).
                • 5. RE: Build 5600 Ref 5600.3
                  Yes, there is a legitimate reason. It gives me a nice uniform drive structure without spurious drive letters hanging around that I neither need nor want.

                  Mike
                  • 6. RE: Build 5600 Ref 5600.3

                    I will check into this but as the OS knows about the partitions, I would expect the info to be passed to SafeBoot and if the info is not passed to SafeBoot, I wouldn't expect it to report the existence of these partitions never mind their encryption state.

                    But, as I said, I will do some checking with BartPE and SafeTech.

                    Mike
                    • 7. Fiat experimentum!
                      I have just encrypted a test server with partitions mounted in empty folders using Build 5500 and all the partitions were encrypted. Just to check, I booted in BartPE and had a look and all the volumes were unrecognisable. So then I fired up some recovery tools, the sort of thing you use to retrieve files from corrupted file systems, and they couldn't make head nor tail of the partitions. And finally, I fired up SafeTech and had a look at the Disk Information and that indicated that the partitions were encrypted.

                      I think it is reasonable to say that Build 5500 will successfully encrypt stuff, so I go back to my original question - is there a way to make Build 5600 work properly and encrypt all the partitions?

                      Mike
                      • 8. RE: Fiat experimentum!
                        Build 5500 did encrypt these partitions but unfortunately due to a bug rather than by design.

                        Earlier versions did not encrypt these partitions, correctly, and 5600 correctly does not.
                        It needs to be a partition with a drive letter to encrypt basically rather than a folder name.
                        • 9. RE: Fiat experimentum!


                          Why?

                          We know it can be done, so why artificially restrict the functionality and thus the usability of the software? I mean it restricts your possible sales, never mind cheesing off geeks like me.

                          Mike