Posted on 09-09-2015 04:30 AM
Hi everyone,
I'm quite new to certificates so my understanding of how they fully work is limited, please could I get a sanity check on what I am currently doing.
In my organisation we are on the verge of a laptop encryption pilot. I mentioned to my manager it would be a good idea to do individual and institutional encryption as it gives an added way to recover a drive if for example the user forgot their password and for some reason our database flies away which would result in us losing our personal individual recovery keys.
I followed the JAMF guide which involved creating a keychain and then creating a certificate and private key. I chose not to bundle the public key with the private key for security purposes, and instead only use the public key with the intention of holding the private key on a USB stick in a safe somewhere. This would then be our last ditch approach to unlocking + decrypting a Laptop.
This is all fine but our security guy has now given me some questions which I am struggling to answer exactly why but I have an idea what the answer to the questions are.
1) Can we generate this public/private key on our windows certificate server - I think he is keen to do this because if for whatever reason we needed to revoke the certificate.
My understanding of this is when you enable institutional recovery keys you are simply uploading that certificate to the JSS. When a machine then uses this encryption configuration this public key is deployed locally. The private key that matches this public key can then be used to unlock the drive.
I think he believes that if the public key is revoked from the place its generated from, that some how invalidates the certificate uploaded to our JSS. I don't think it works like that as it seems to be a manual process - I think in that situation the public key would still work when encrypting Laptops.
2) If the certificate expires does this stop any new machines from initiating the encryption process? If it does, does it mean creating a new configuration with an up to date certificate for new machines?
3) And on the flip side of this question, would it have any affect on existing encrypted machines?