Encryption vs performance

As a laptop user I have always felt attracted to the use of encryption, but as the laptop I am using is quite old (T23 - 1.13 GHz / 256 RAM) I wonder if the gain in security would come at too high a price in terms of performance.
Has anyone used, or is anyone using, encryption on a similar (or generally old) laptop and can share their experience in terms of gain/loss?
Thanks in advance for any input.

@fledermann
No worries. Thanks anyway for the info.
@Strike0
I totally forgot about that. A kernel update came along and I thought 'Well, will reply after rebooting and paste it' but as usual new things started crossing my mind afterwards and in the end I did not include the results in my reply.
The results are as follows:
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1 51522 iterations per second
PBKDF2-sha256 46545 iterations per second
PBKDF2-sha512 17210 iterations per second
PBKDF2-ripemd160 75851 iterations per second
PBKDF2-whirlpool 22080 iterations per second
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 21,6 MiB/s 30,7 MiB/s
serpent-cbc 128b 12,8 MiB/s 16,5 MiB/s
twofish-cbc 128b 36,1 MiB/s 38,1 MiB/s
aes-cbc 256b 23,5 MiB/s 23,7 MiB/s
serpent-cbc 256b 12,9 MiB/s 16,5 MiB/s
twofish-cbc 256b 36,0 MiB/s 38,2 MiB/s
aes-xts 256b 30,7 MiB/s 29,8 MiB/s
serpent-xts 256b 12,9 MiB/s 16,4 MiB/s
twofish-xts 256b 37,4 MiB/s 37,0 MiB/s
aes-xts 512b 23,7 MiB/s 23,3 MiB/s
serpent-xts 512b 13,0 MiB/s 16,3 MiB/s
twofish-xts 512b 37,1 MiB/s 37,0 MiB/s
As for ewaller's example, I understood it both as a simple example of a possible encryption scheme and as the suggestion of using more than one security 'layer' depending on the needs. Taking into account your comment I presume I should disregard the example and focus more on the suggestion.
Regarding the access of 'other legitimate users', I didn't mean to refer specifically to a spouse, partner etc., whom I consider to be part of a trustworthy circle, but to third persons that occasionally may use the equipment, like a guest who wants to check his mail or the tech support in case something is wrong with the computer. Especially in the latter case I have first-hand experience of technicians being at the same time (or even more) interested in going through the user's personal data (the client was a girl) as in fixing the problem the computer had.
Taking this into account you will understand that I don't consider myself the provider of any content for this or a similar kind of people, even if it is the most harmless one can think of (still private in the end though).
The size of the 'private container' is indeed a tricky thing, just like it is when thinking of how to setup the different partitions when installing a Linux distro.
The size drcouzelis suggested looks fine to me, even, to some extent, excessive but I presume it is better to overestimate than to underestimate.
As for 'excluding' the home partition from a general disk encryption setup, well, as long as it works as it should I wouldn't mind trying that out, but as you yourself state it indeed sounds trickier to set up. Thus I would be tempted to first try out the secure directory setup as explained in the wiki. But I understand, at least I think I do, the idea of your suggestion. Once I go through the documentation available I will most likely end up more or less convinced.
Also, with regard to a specific/'personalized' encryption for the home partition in terms of using a different filesystem, I wonder if it wouldn't come down to the considerations of using X filesystem for X type of files, just as one does when choosing the filesystem for the partitions. I mean filesystem A might show better performance because the encrypted files are of type B, which it handles best.
Therefore wouldn't I end up being a 'hostage' of those types of files when the data to be encrypted would be of 'mixed nature' (larger, lighter etc.)?
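The benchmark table pasted in the reply above, parsed and ranked the way one would pick a cipher for full-disk encryption on a slow CPU. This is an added example, not code from the original thread; the sample input is the post's own benchmark output (comma decimal separators, as printed on a European locale) and the helper names are this example's own. It also flags that for XTS cryptsetup reports the combined key length, so "aes-xts 512b" is AES-256.

```python
"""Rank cryptsetup benchmark figures for a full-disk-encryption choice on a slow CPU."""
import re
from dataclasses import dataclass

# Sample input: the benchmark table from the post above, copied verbatim.
BENCH = """\
# Tests are approximate using memory only (no storage IO).
PBKDF2-sha1 51522 iterations per second
PBKDF2-sha256 46545 iterations per second
PBKDF2-sha512 17210 iterations per second
PBKDF2-ripemd160 75851 iterations per second
PBKDF2-whirlpool 22080 iterations per second
# Algorithm | Key | Encryption | Decryption
aes-cbc 128b 21,6 MiB/s 30,7 MiB/s
serpent-cbc 128b 12,8 MiB/s 16,5 MiB/s
twofish-cbc 128b 36,1 MiB/s 38,1 MiB/s
aes-cbc 256b 23,5 MiB/s 23,7 MiB/s
serpent-cbc 256b 12,9 MiB/s 16,5 MiB/s
twofish-cbc 256b 36,0 MiB/s 38,2 MiB/s
aes-xts 256b 30,7 MiB/s 29,8 MiB/s
serpent-xts 256b 12,9 MiB/s 16,4 MiB/s
twofish-xts 256b 37,4 MiB/s 37,0 MiB/s
aes-xts 512b 23,7 MiB/s 23,3 MiB/s
serpent-xts 512b 13,0 MiB/s 16,3 MiB/s
twofish-xts 512b 37,1 MiB/s 37,0 MiB/s
"""

CIPHER_LINE = re.compile(
    r"^(?P<alg>[a-z0-9]+)-(?P<mode>[a-z]+)\s+(?P<bits>\d+)b\s+"
    r"(?P<enc>[\d.,]+)\s+MiB/s\s+(?P<dec>[\d.,]+)\s+MiB/s$")
PBKDF_LINE = re.compile(r"^PBKDF2-(?P<hash>\w+)\s+(?P<ips>\d+)\s+iterations per second$")


@dataclass(frozen=True)
class CipherResult:
    algorithm: str
    mode: str
    key_bits: int      # key length exactly as cryptsetup prints it
    enc_mib_s: float
    dec_mib_s: float

    @property
    def effective_key_bits(self) -> int:
        # XTS consumes two keys, so "aes-xts 512b" is AES-256 and "aes-xts 256b" is AES-128.
        return self.key_bits // 2 if self.mode == "xts" else self.key_bits

    @property
    def sustained_mib_s(self) -> float:
        # The slower direction is what bounds a mixed read/write workload.
        return min(self.enc_mib_s, self.dec_mib_s)

    @property
    def name(self) -> str:
        return f"{self.algorithm}-{self.mode}-{self.key_bits}b"


def _rate(text: str) -> float:
    # cryptsetup prints the locale's decimal separator; accept both ',' and '.'.
    return float(text.replace(",", "."))


def parse_benchmark(text: str):
    """Return (ciphers, pbkdf) where pbkdf maps hash name -> iterations per second."""
    ciphers, pbkdf = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := PBKDF_LINE.match(line):
            pbkdf[m["hash"]] = int(m["ips"])
        elif m := CIPHER_LINE.match(line):
            ciphers.append(CipherResult(m["alg"], m["mode"], int(m["bits"]),
                                        _rate(m["enc"]), _rate(m["dec"])))
        else:
            raise ValueError(f"unrecognised benchmark line: {line!r}")
    return ciphers, pbkdf


def rank(ciphers, min_effective_bits=128, mode="xts"):
    """Candidates in the given mode meeting the key-size floor, fastest sustained rate first."""
    ok = [c for c in ciphers if c.mode == mode and c.effective_key_bits >= min_effective_bits]
    return sorted(ok, key=lambda c: c.sustained_mib_s, reverse=True)


def cpu_bound(ciphers, disk_mib_s: float):
    """Names of ciphers whose sustained rate falls below the drive's raw throughput."""
    return [c.name for c in ciphers if c.sustained_mib_s < disk_mib_s]


def pbkdf_iterations(pbkdf, hash_name: str, unlock_ms: int) -> int:
    """Iteration count this CPU affords within a given unlock-time budget in milliseconds."""
    return pbkdf[hash_name] * unlock_ms // 1000


if __name__ == "__main__":
    ciphers, pbkdf = parse_benchmark(BENCH)
    for c in rank(ciphers, min_effective_bits=256):
        print(f"{c.name:20} effective {c.effective_key_bits}b  sustained {c.sustained_mib_s:5.1f} MiB/s")
    print("PBKDF2-sha256 iterations for a 1 s unlock:", pbkdf_iterations(pbkdf, "sha256", 1000))
```

On the post's numbers the 256-bit XTS ranking comes out twofish, aes, serpent, and twofish-xts at 37 MiB/s sustained is above what an old laptop drive typically delivers, so the disk rather than the cipher would be the bottleneck.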

Similar Messages

  • EFS Encryption Decryption Performance

    We are currently testing EFS, on a Windows 2008R2 server (VM), to encrypt/decrypt a Windows share containing mostly TIF files. Performance on encryption is fine; unfortunately, it takes 10+ seconds to decrypt the TIF files (sizes 50KB to 2MB). When decrypting non-TIF files performance is acceptable. Has anyone experienced this issue and found a solution? Also, is there another Windows native encryption/decryption solution that has better overall performance?

    Hi,
    Based on my research, TIFF is a flexible, adaptable file format for handling images and data within a single file, which can be a container holding compressed (lossy) JPEG and (lossless) PackBits compressed images. The slowness of decrypting the .tif files could be caused by its own feature.
    You can also try to use BitLocker to seek better performance, although BitLocker is used to encrypt volumes.
    More information for you:
    Tagged Image File Format
    http://en.wikipedia.org/wiki/Tagged_Image_File_Format
    BitLocker Drive Encryption
    http://technet.microsoft.com/en-us/library/cc731549(v=WS.10).aspx
    Best Regards,
    Amy

  • Encrypting a column in Oracle 10g

    Hi,
    I have a table containing ~45 million records.
    I have to apply encryption to 37 columns in the table. I tried with one column, and that took around 7.5 hrs. to complete.
    I used the below command for encryption:
    ALTER TABLE employee MODIFY (first_name ENCRYPT NO SALT);
    Could you please suggest some alternative way to apply the encryption to this table.
    Thanks in Advance!!
    Regards,
    Ashwani N.

    Hi Ashwani,
    my 1 CPU 1 GB RAM laptop encrypts 1,000,000 credit card numbers in 90 seconds, so yours should be done in an hour but not more.
    You can use Online Table Redefinition, but then, with 37 columns encrypted, your performance impact will be significant once you're done.
    I would highly (!!) recommend upgrading to 11gR2 and using TDE tablespace encryption.
    HTH, Peter

  • Cisco 3850 Macsec encryption

    Customer just bought four WS-C3850-T with IPServices. I upgraded them to IOS-XE 3.3.5 straight away. Working fine except when trying to do manual CTS I don't have the gcm-encrypt option on these switches?
    I have MACSec "configured" on two fiber ports between two switches but it's not actually encrypting anything. Do I need a separate license just for this?
    Literally, if I go into interface mode, do cts manual, and then sap pmk mode I only have the no-encap option?
    These are covered by Smartnet but I need to get associated with the contract to open a case.
    Any thoughts?
    Thanks all.

    OK, this is working as of the 3.7.0 code however with MACSec enabled using "sap pmk <key> mode-list gcm-encrypt" across a 1 gig fiber the performance hit is so great that the link is unusable?
    This is a small shop with less than 10 users behind this 3850. With "no-encap" specified performance is great. Using gcm-encrypt makes even remote admin activity (RDP, VNC) all but impossible.
    This has been tested multiple times with the customer - enable encryption, test performance. disable it, and reboot. Performance is great. Re-enable encryption, performance tanks....
    Thoughts anyone?
    Thanks.

  • Powerful swf encryption tools

    Hey guys, I have just developed a flash encryption and analysis tool.
    My product page is here:
    http://www.orandea.com/product
    We provide free trials, so if you have some swf files that need to be encrypted, take a look at this. Thank you ~~
    Some awesome features:
    Command line and Gui tools
    We provide both command line and gui tools.
    For large projects, which might be built and released with continuous integration tools or scripts, command line tools will be easily integrated into your existing process, providing a transparent encryption feature;
    For small projects, which might be only one swf file and built with IDE commands, GUI tools will provide a friendly interface to encrypt and analyze your swf files.
    Multi file obfuscating
    Some large projects consist of several separate swf files, which reference classes in each other file.
    A lot of swf encryptors will break the references and make the project not work.
    Swfspy™ will automatically resolve the references and avoid renaming such symbols
    Customizable
    Sometimes your project is so complicated that our tools cannot encrypt it properly.
    You can easily configure Swfspy™ to avoid injecting code or renaming some packages, classes or methods.
    We provide command line options, GUI options and Flash AS3 metadata options to flexibly control the behaviour of Swfspy™.
    Some analysis features
    We provide both command line tools and gui tools to analyze swf files:
    For command line tools, we provide the "-s" option, which means "interactive shell";
    For gui tools, we provide the analysis panel.

    Ok, it's me again, we have just released the new version 1.6.0 with some new features:
    getDefinitionByName and PushString detection
    Nowadays, more and more applications use reflection features to optimize the architecture. Swfspy™ now supports automatic detection of invocations of getDefinitionByName as well as the PushString instruction.
    Save and Load Configuration
    We added a save-and-load feature of obfuscating options, that will ease your encryption.
    Performance improvement and bug fixes
    We have made Swfspy™ 500% faster than previous releases and fixed some bugs.
    as well as a screenshot:
    Enjoy~

  • Cannot encrypt microSD card

    I need to have encryption turned on on my phone because of my company's Exchange account policy. I did that without a problem. Now I just got an SD card and I would like to use it, but the phone does not accept it because it needs to be also encrypted. Unfortunately, when I follow the instructions on the phone, the device restarts but never encrypts the card, getting the same "card needs to be encrypted" message after reboot. Any ideas?

    EX wrote:
    Hi, I have the same need for encryption of my Z2, but I haven't tried so I'm not sure if I can encrypt my SD card. My question is, can I later decrypt it without a factory reset, which would erase all my data and settings? If there's a possibility, I would encrypt the phone to use my company Exchange ActiveSync account.
    Could anybody help?
    Hi,
    No, you can't remove encryption without performing a factory reset of the phone. The factory reset will result in your not being able to access any data on the SD card if this is also encrypted; you will have to reformat the SD card in this case. This is unlike the Samsung Galaxy series, where you can decrypt an encrypted device (not sure about the SD card though!)
    If you are considering encryption please be aware of the issue I posted a few days ago w.r.t. the Movies application: the phone will hang and need a reboot if you allow the screen to lock for any significant period with the Movies app running. Also be aware that the backup function included with PC Companion does not work with encryption. You can however copy files using Explorer to your PC.
    Finally, factory resetting (necessary to remove encryption) appears to invalidate any movies that you have previously downloaded due to DRM. You will have to download them again. Backing them up using Windows Explorer does not appear to work.

  • 10g Physical Standby to be used for Backup through RMAN

    Dear All,
    I have a 10g Database Primary and Standby Server which is operating in Maximum Performance Mode. I want to use the Standby Database for performing Weekly Full and Daily Incremental Backups through RMAN. Kindly inform me whether it is possible and, if so, how I should configure it. I will also be using Compression and Encryption while performing backups.
    Best Regards,
    Asif

    Yes, that is possible.
    Because the standby databases are in mount mode, they can be accessed through the SYS account.
    I use the following RMAN script for the same purpose. Please note that we have configured the flashback area, so we are not letting RMAN delete the archive files:
    run {
    sql 'alter system archive log current';
    sql 'alter system archive log current';
    allocate channel ch1 type 'sbt_tape' parms 'ENV=(TDPO_OPTFILE=/usr/tivoli/tsm/client/oracle/bin64/tdpo.opt)';
    backup
    incremental level 0
    tag full_bk_db_webshop
    format 'df_%d_t%t_s%s_p%p'
    (database include current controlfile);
    backup archivelog all;
    }
    This script is for a FULL backup (level 0). You could also use the "backup full" command.
    You can easily change the level of the backup for incremental purposes.
    Starting RMAN - if configured correctly - is the same as with an open database:
    export ORACLE_SID=<STDBYSID>
    rman target / rcvcat <rman/rman>@<catalogsid>
    The user and the catalogsid are merely examples.
    Edited by: fjfranken on Mar 24, 2009 4:07 AM

  • Airport password doesn't work, how do I change it?

    I locked my AirPort after using it for ages in an unlocked format. Now I am not able to get into it for the purpose of reconfiguring it. The password I used to secure the lock doesn't work. Is there any way to change a password when you don't know what original password was entered?

    You can temporarily disable wireless encryption by performing a "soft" reset on your AirPort Base Station. Once connected, you can use the AirPort Utility to change the password.

  • Autodiscover and Outlook Anywhere return http status 401

    Hi, I'm having issues with Autodiscovery (externally) and Outlook Anywhere for some users on our Exchange 2010 (SP3, RU2) setup. Just for information, we have Exchange servers at two AD sites (same forest / domain) with each site having 2 combined client access / hub transport servers and 3 mailbox servers (with 2 stretched DAGs across both sites). Site A is internet facing, but site B isn't.
    Autodiscovery
    Internally, it's working fine (using the Test E-mail AutoConfiguration option within Outlook 2010). But externally (using the Microsoft TestConnectivity site), autodiscovery fails, returning the following:
    Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
    Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
    +Additional Details
       Elapsed Time: 1783 ms.
       + Test Steps
     The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL   https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml
    for user [email protected].
     The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
      +Additional Details
      An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you    are attempting to log onto an Office 365 service, ensure you are using your
    full User Principal Name (UPN).
      Headers received:
      Content-Type: text/html
      Server: Microsoft-IIS/7.5
      WWW-Authenticate: Negotiate,NTLM,Basic realm="autodiscover.company.com"
    The odd thing is, if I browse to the autodiscover file location (externally), then I'm prompted for credentials. When I enter the same credentials that I input into the Microsoft connectivity analyser, I do actually get the correct https status 600 response.
    Also, within EMS, when I run "Test-OutlookWebServices" on Client Access servers in site B, I see the following results...
    RunspaceId : 5c80ec49-f6f8-4f7a-ae63-4ed61a3c966e
    Id         : 1104
    Type       : Error
    Message    : The certificate for the URL https://ExchServer.domain.local/autodiscover/autodiscover.xml is incorrect. For SSL to work, the certificate
    needs
                  to have a subject of ExchServer.domain.local, but the subject that was found is webmail.Company.com. Consider correcting service discovery,
                 or installing a correct SSL certificate.
    RunspaceId : 5c80ec49-f6f8-4f7a-ae63-4ed61a3c966e
    Id         : 1113
    Type       : Error
    Message    : When contacting https://ExchServer.domain.local:443/autodiscover/autodiscover.xml received the error The remote server returned
    an error:
     (500) Internal Server Error.
    RunspaceId : 5c80ec49-f6f8-4f7a-ae63-4ed61a3c966e
    Id         : 1123
    Type       : Error
    Message    : The Autodiscover service couldn't be contacted.
    However - I can't see where Exchange has pulled the "...domain.local" address from for Autodiscovery. Both Get-AutodiscoverVirtualDirectory and Get-ClientAccessServer report the correct URLs/URIs with the FQDN of Company.Com (which are on the GoDaddy certificate we use both internally and externally).
    Outlook Anywhere
    Whether my issues with Outlook Anywhere are related to Autodiscover, I'm not sure. Users whose mailbox is located at Site A (internet facing) are fine, and Outlook Anywhere works great. But users whose mailbox is at Site B can't use Outlook Anywhere (starting Outlook in RPCDiag mode shows that it tries to connect, and sometimes establishes a connection for a couple of seconds, then disconnects completely).
    Running "Test-OutlookConnectivity -Protocol:http" on a Client Access server at Site B, passes all but the last scenario (Mailbox::Logon), which throws up the following error:
    RunspaceId                  : 5c80ec49-f6f8-4f7a-ae63-4ed61a3c966e
    ServiceEndpoint             : ExchServer.domain.local
    Id                          : MailboxLogon
    ClientAccessServer          : ExchServer.domain.local.ad.local
    Scenario                    : Mailbox::Logon.
    ScenarioDescription         :
    PerformanceCounterName      : Mailbox: Logon latency
    Result                      : Failure
    Error                       :
    UserName                    : ad.local\extest_a91a4b4076f24
    StartTime                   : 14/01/2014 16:33:27
    Latency                     : -00:00:00.0010000
    EventType                   : Error
    LatencyInMillisecondsString : -1.00
    Identity                    :
    IsValid                     : True
    Testing Outlook Anywhere using Microsoft RCA throws up the error:
    RPC Proxy can't be pinged.
    An HTTP 401 error was received...
    Any help is greatly appreciated. Let me know if I've missed any info!
    Thanks
    Tony

    Hi Guys,
    My first chance today to respond!
    Firstly - thanks for all the information. I really appreciate it.
    Well, the good news is that Outlook Anywhere is now working at Site B. It looks like a combination of disabling Outlook Anywhere at Site B (thanks Jon), and then being patient and allowing replication to do its stuff (thanks Rhoderck).
    However RCA is still showing ‘Failed’ with the following error. If it helps to have the full output, please let me know. Just for info, I chose the option to test using autodiscovery (rather than manually enter it), which passed fine.
    Attempting to ping RPC proxy webmail.company.com.
    RPC Proxy can't be pinged.
    Additional Details
    An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password.
    If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN). Headers received: Content-Type: text/html Server: Microsoft-IIS/7.5 WWW-Authenticate: Negotiate,NTLM X-Powered-By: ASP.NET Date: Tue, 21 Jan
    2014 09:55:41 GMT Content-Length: 58
    Elapsed Time: 1063 ms.
    RPCProxy - ValidPorts
    Thanks for the 'SoundTrackOfMyLife' link... that looks to be almost identical to my scenario (with the exception of the Kemp LoadMasters). Following through the troubleshooting, my CAS servers at Site A (Internet Facing) are showing the registry key 'ValidPorts' as...
    SiteB-ExchCasSvr01:593;SiteB-ExchCasSvr01:49152-65535
    So - should this be...
    SiteB-ExchMbxSvr01:6001-6002;SiteB-ExchMbxSvr01:6004;SiteB-ExchMbxSvr01.domain.local:6001-6002;SiteB-ExchMbxSvr01.domain.local:6004;
    i.e. I only add ports 6001, 6002 and 6004 for mailbox servers only? If so, which site's mailbox servers should I put in here?
    SSL Off Loading
    We've only really implemented SSL Offloading on the advice from Kemp (it's built in to their Exchange 2010 template). Apparently, the advantage is the LoadMasters have a dedicated hardware processor for decryption/encryption of SSL traffic, thus taking the load off the Exchange servers. Exactly how much of a load this would normally be for our Exchange servers is unknown. We've followed Kemp's documentation on unchecking 'Require SSL' for the IIS directories on Site A, and also configured Outlook Anywhere with SSL Offloading through the EMC. This was required as the Kemps are not re-encrypting traffic to the CAS servers (which are on the same site / LAN segment), and we're not a bank... so don't need encryption between the LoadMasters and the client access servers.
    However, Site B (non internet facing) has 'Require SSL' enabled on IIS directories, since (I guess) traffic is encrypted when performing CAS-CAS proxying?
    I am, as ever, open to suggestions on this design... since our original design was to use TMG for reverse proxy. It was only the end-of-life issue with TMG, and the fact that we opted for the Kemp LoadMasters (which offered ESP as a replacement to TMG), that swung us down this path.
    ESP and SSO are implemented on the LoadMaster at Site A (internet facing), which is (was!) not the problem site.
    Thanks again for your time and assistance guys. We’re almost there!
    Tony

  • Improving Acrobat Security ?

    Acrobat provides an easy means for the password protection of PDF documents. The approach is advantageous in that the documents can be read with the freely available Adobe Reader with usage of the appropriate passwords. Unfortunately, as is well known, this protection is easily circumvented.
    My question is this. Is there any way to improve the present Adobe PDF security or does anyone know of a program that will generate an Adobe Reader compatible file after an original PDF file has been encrypted and decrypted by a "third party" program.
    We tried this approach with the Dlock version of MPJ, which is a military grade encryption system. A PDF file was encrypted and then decrypted by MPJ. Unfortunately, Adobe Reader could not read the resultant decrypted file. The MPJ encryption/decryption process functions properly with other files.
    Thank you very much for your assistance.

    Hi Dave,
    I did find this on the Adobe Acrobat developer site. The SDK does have encryption capability as follows. I still don't know if this can also be accomplished by using a command line option with acrobat.exe.
    QUOTE
    Encryption is controlled by an encryption dictionary in the PDF file. The Acrobat core API uses RC4 (a proprietary algorithm provided by RSA Data Security, Inc.) to encrypt document data, and a standard (proprietary) method to encrypt, decrypt, and verify user passwords to determine whether or not a user is authorized to open a document.
    Each stream or string object in a PDF file is individually encrypted. This level of encryption improves performance because objects can be individually decrypted as needed rather than decrypting an entire file. All objects, except for the encryption dictionary (which contains the security handler’s private data), are encrypted using the RC4 algorithm Adobe licenses from RSA Data Security, Inc. A plug-in may not substitute another encryption scheme for RC4.
    A plug-in that implements a security handler is responsible for encrypting the values it places into the encryption dictionary, and it may use any encryption scheme. If the security handler does not encrypt the values it places into the encryption dictionary, the values are in plain text.
    The core API provides two Cos layer methods to encrypt and decrypt data using the RC4 algorithm. These methods are CosEncryptData and CosDecryptData. (See the Acrobat and PDF Library API Reference.)
    Security handlers may use these methods to encrypt data they want to put into the PDF file’s encryption dictionary and decrypt data when it is read from the dictionary. Security handlers may instead choose to ignore these methods and use their own encryption algorithms.
    END QUOTE
    Best regards,
    Robbie

  • MAX 2011 pre-conference lab

    If you are coming to MAX 2011 in Los Angeles, there is a pre-conference lab we're presenting that you probably don't want to miss. It is called "Developer Best Practices for LiveCycle Enterprise Suite" (PL1380), with particular emphasis on Forms (design, as well as server-side runtime)
    https://max.adobe.com/schedule/by-session/developer-best-practices-for-the-adobe-livecycle-enterprise-suite/PL1380
    Sunday, Oct 2, 1-5 pm
    Several years of LiveCycle deployment experience distilled into a 4-hr half-day lab by John Brinkman, Jayan Kandathil, Ameeth Palla and Santosh Tatke.

    Hello Bartlomiej,
    About your 2 questions: [see inline]
    1. Why is C2811 performing worse than C1812?
    OP> C2811 is supposed to be deployed in a single T1/E1 [2 megs] environment while a C1811/12 is meant to be deployed in a single xDSL setup [4 megs]. That's why you get better perf.
    2. Is there any official Cisco reference stating what the max VPN throughputs of certain platforms/models are? (we consider migration to the C2900 platform and would like to choose the right model)
    OP> ISR-G2 CCO numbers can be found here:
    OP> http://www.cisco.com/en/US/partner/prod/collateral/routers/ps10536/white_paper_c11_595485.pdf
    OP> These results are based on 1500 byte perf tests
    I had a look at some internal tests; this is what I can share:
    Conditions:
    Single tunnel
    Minimum amount of enabled features
    IPsec IMIX traffic containing a set of small, medium and large frames in order to simulate a real traffic pattern
    AES encryption
    Platform: Performance @ 75% CPU utilization
    C2901: 53 Mbps
    C2911: 61 Mbps
    C2921: 72 Mbps
    C2951: 103 Mbps
    Performance may change depending on:
    the features that will be enabled.
    The traffic pattern [Encryption is done in 1 cycle. Even though the PPS would be more or less the same, the router throughput will be way bigger with 1400 byte frames than with 64 byte frames]
    I hope this answers your questions.
    Olivier
    CCIE#20306

  • Updating to mavericks

    hey everybody, I've been trying to install OS X Mavericks on my MacBook Pro (10.6.8) since it was on the App Store and the download won't complete; every time a message appears "download cannot be completed check your internet connectivity", but there is nothing wrong with the internet connection so I click on download again and again and the bar that shows the progress appears without time or how much has been downloaded and again it stops and the message appears
    help please.

    First check if you are ready for 10.7 or later:
    https://discussions.apple.com/docs/DOC-6271
    And make sure your data is backed up:
    https://discussions.apple.com/docs/DOC-1992
    If you are ready, and it still doesn't work, perhaps one of the tips here will help:
    https://discussions.apple.com/docs/DOC-6131
    Satellite internet connections are typically unreliable, and so is dialup. If you have either, find a good WiFi hot spot that is secure with WPA2 encryption to perform the download, or a place with a direct ethernet connection to the modem.

  • Adding keys to EFS files - "The revocation function unable to check revocation"

    I am having an issue on some, not all, computers while attempting to add user keys to encrypted files using the GUI tools (File Properties-->Advanced-->Details). Encrypting the file itself works fine. When I attempt to add users to an encrypted file, I am getting the error:
    "The revocation function was unable to check revocation because the revocation server was offline."
    However, I am not having any issues from those same computers when I add users to the encryption using the command line tool cipher.exe (/ADDUSER /USER options).
    The issue is not occurring with a particular Windows version. The working and non-working users/computers are on the same network, with no restrictions to the revocation locations (LDAP and HTTP). From one of the non-functioning computers, I verified that I can access the CRL using the HTTP CDP. I do not know a way to test/verify access to the LDAP CDP. I understand that the action of adding users to an encrypted document performs a CRL check. I am at a loss as to why it is failing when I attempt to do this through the GUI from only certain computers. This has just started to happen. Any ideas are appreciated. If anyone even knows exactly how the encryption process checks the CRL, or if there is a log I can look at, that would be of great help.

    The certutil command has been helpful, but I have no idea what the problem is. So I ran certutil against a user certificate that I want to add to an encrypted file and here is what I get. It is showing that the AIA revocation check failed. I have no idea why that would be. I ran a packet capture as I ran this command and can see that it appears to connect to the web server hosting the CRL of the AIA. To give you some background, I have an offline root certificate authority, with its certificate and CRL published on our corporate internet website. Then I have an internal online Enterprise subordinate CA, signed by the root CA, that is issuing our user certificates. The subordinate's AIA and CDP for its root CA are on that corporate internet web site. The CDP and AIA for the user certificates are stored on the internal subordinate CA web server as well as Active Directory. Checks on those CRL locations look to be completely fine. It appears to be failing on just the subordinate CA's CDP and AIA. However, near the bottom of the certutil output, you can see it does a check on those CDP and AIA locations, and it appears to succeed just fine. Again, the packet capture I ran looks to indicate everything is fine as well. I can see HTTP 200 responses with what appears to include the CRL contents.
    I attempted to strip all identifying information out of this, so excuse me if something looks odd.
    C:\>certutil -verify -urlfetch jdoe.cer
    Issuer:
    CN=My Company Subordinate CA
    DC=company
    DC=com
    Subject:
    CN=Doe, John
    OU=Users
    DC=company
    DC=com
    Cert Serial Number: 674dfc4d000100000494
    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ChainContext.dwRevocationFreshnessTime: 79 Days, 24 Minutes, 47 Seconds
    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    SimpleChain.dwRevocationFreshnessTime: 79 Days, 24 Minutes, 47 Seconds
    CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
    Issuer: CN=My Company Subordinate CA, DC=company, DC=com
    NotBefore: 3/12/2014 1:48 PM
    NotAfter: 1/4/2016 3:25 PM
    Subject: CN="Doe, John", OU=Users, DC=company, DC=com
    Serial: 674dfc4d000100000494
    SubjectAltName: Other Name:Principal [email protected]
    Template: EFS v2
    3a ed ec e1 6f bc 25 8c 94 6c de 17 ef e3 1b 5b a3 c3 55 81
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    Revocation Check Failed "Certificate (0)" Time: 0
    [0.0] ldap:///CN=My%20Company%20Subordinate%20CA,CN=AIA,CN=Public%20Key%20Services,CN
    =Services,CN=Configuration,DC=company,DC=com?cACertificate?base?objectClass=certificationAuthority
    Wrong Issuer "Certificate (1)" Time: 0
    [0.1] ldap:///CN=My%20Company%20Subordinate%20CA,CN=AIA,CN=Public%20Key%20Services,CN
    =Services,CN=Configuration,DC=company,DC=com?cACertificate?base?objectClass=certificationAuthority
    Revocation Check Failed "Certificate (0)" Time: 0
    [1.0] http://CAServer/CertEnroll/CAServer.company.com_My%20Company%20Subordinate%20CA(1).crt
    ---------------- Certificate CDP ----------------
    Verified "Base CRL (0ad9)" Time: 0
    [0.0] http://CAServer/CertEnroll/CAServer.company.com_My%20Company%20Subordinate%20CA(1).crl
    Verified "Delta CRL (0ad9)" Time: 0
    [0.0.0] ldap:///CN=My%20Company%20Subordinate%20CA(1),CN=CAServer,CN=CDP,CN=Public%20K
    ey%20Services,CN=Services,CN=Configuration,DC=company,DC=com?deltaRevocationList?base?objectClass=cRLDistr
    ibutionPoint
    Verified "Delta CRL (0ad9)" Time: 0
    [0.0.1] http://CAServer/CertEnroll/My%20Company%20Subordinate%20CA(1)+.crl
    Verified "Base CRL (0ad9)" Time: 0
    [1.0] ldap:///CN=My%20Company%20Subordinate%20CA(1),CN=CAServer,CN=CDP,CN=Public%20Key
    %20Services,CN=Services,CN=Configuration,DC=company,DC=com?certificateRevocationList?base?objectClass=cRLD
    istributionPoint
    Verified "Delta CRL (0ad9)" Time: 0
    [1.0.0] ldap:///CN=My%20Company%20Subordinate%20CA(1),CN=CAServer,CN=CDP,CN=Public%20K
    ey%20Services,CN=Services,CN=Configuration,DC=company,DC=com?deltaRevocationList?base?objectClass=cRLDistr
    ibutionPoint
    Verified "Delta CRL (0ad9)" Time: 0
    [1.0.1] http://CAServer/CertEnroll/My%20Company%20Subordinate%20CA(1)+.crl
    ---------------- Base CRL CDP ----------------
    OK "Delta CRL (0add)" Time: 0
    [0.0] ldap:///CN=My%20Company%20Subordinate%20CA(1),CN=CAServer,CN=CDP,CN=Public%20Key
    %20Services,CN=Services,CN=Configuration,DC=company,DC=com?deltaRevocationList?base?objectClass=cRLDistrib
    utionPoint
    OK "Delta CRL (0add)" Time: 0
    [1.0] http://CAServer/CertEnroll/My%20Company%20Subordinate%20CA(1)+.crl
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 0ad9:
    Issuer: CN=My Company Subordinate CA, DC=company, DC=com
    99 d2 59 16 2c 8c 60 92 8d b6 56 41 a0 59 2c 12 1d 3f 31 07
    Delta CRL 0add:
    Issuer: CN=My Company Subordinate CA, DC=company, DC=com
    95 47 eb 15 2b 38 9b 22 ad 4c 8b a2 41 82 df 64 65 dc a0 de
    Application[0] = 1.3.6.1.4.1.311.10.3.4 Encrypting File System
    CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
    Issuer: CN=My Company Root CA, DC=?????, DC=com
    NotBefore: 1/4/2011 3:15 PM
    NotAfter: 1/4/2016 3:25 PM
    Subject: CN=My Company Subordinate CA, DC=company, DC=com
    Serial: 46a8dd8f000000000003
    Template: SubCA
    3a 1f 61 ba 6d c7 6e cd d3 1e c0 46 8e 88 77 32 b7 68 13 34
    Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
    Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
    ---------------- Certificate AIA ----------------
    Verified "Certificate (0)" Time: 0
    [0.0] http://www.?????.com/cert/root.crt
    ---------------- Certificate CDP ----------------
    Expired "Base CRL (0104)" Time: 0
    [0.0] http://www.?????.com/cert/root.crl
    ---------------- Base CRL CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    CRL 0104:
    Issuer: CN=My Company Root CA, DC=?????, DC=com
    cf 4f 8c 73 00 ac 79 92 e6 35 40 c3 bb 0a be 85 18 e8 95 6e
    CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=0
    Issuer: CN=My Company Root CA, DC=?????, DC=com
    NotBefore: 1/18/2007 1:48 PM
    NotAfter: 1/18/2022 1:49 PM
    Subject: CN=My Company Root CA, DC=?????, DC=com
    Serial: 10e926b3155629934dd5de4dba49eb85
    86 d1 d6 6f 46 41 1a 72 3e ac 23 24 7c e8 77 77 f8 89 6b 96
    Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
    Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
    Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ---------------- Certificate AIA ----------------
    No URLs "None" Time: 0
    ---------------- Certificate CDP ----------------
    No URLs "None" Time: 0
    ---------------- Certificate OCSP ----------------
    No URLs "None" Time: 0
    Exclude leaf cert:
    35 8d 46 36 ad 74 0a f0 28 6e 20 cf 15 8d 49 6c ed a3 31 8f
    Full chain:
    9b 5d 1d d2 43 a5 e0 97 2a c4 60 be 39 3c 5c 44 c1 d0 fd fb
    Issuer: CN=My Company Subordinate CA, DC=company, DC=com
    NotBefore: 3/12/2014 1:48 PM
    NotAfter: 1/4/2016 3:25 PM
    Subject: CN="Doe, John", OU=Users, DC=company, DC=com
    Serial: 674dfc4d000100000494
    SubjectAltName: Other Name:Principal [email protected]
    Template: EFS v2
    3a ed ec e1 6f bc 25 8c 94 6c de 17 ef e3 1b 5b a3 c3 55 81
    The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (
    -2146885613)
    Revocation check skipped -- server offline
    Leaf certificate revocation check passed
    CertUtil: -verify command completed successfully.
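    As an added example (not part of the thread), a small Python parser for the certutil -verify -urlfetch layout shown above: it decodes each chain element's dwErrorStatus bits and pairs every AIA/CDP status line with the URL that was fetched, so an Expired base CRL on an issuing CA's CDP appears next to the CERT_TRUST_IS_OFFLINE_REVOCATION flag on that element rather than being buried in the dump. The sample text, names and URLs are constructed.

```python
import re

# Bits of CERT_TRUST_STATUS.dwErrorStatus seen in the output above (values from wincrypt.h)
ERROR_FLAGS = {0x40: "CERT_TRUST_REVOCATION_STATUS_UNKNOWN",
               0x1000000: "CERT_TRUST_IS_OFFLINE_REVOCATION"}
CTX_RE = re.compile(r"CertContext\[\d+\]\[(\d+)\]: dwInfoStatus=\w+ dwErrorStatus=([0-9a-f]+)")
FETCH_RE = re.compile(r'^(Verified|OK|Expired|Revocation Check Failed|Wrong Issuer|No URLs) "([^"]*)"')
URL_RE = re.compile(r"^\[[\d.]+\] (\S+)")

# Constructed excerpt in the certutil -verify -urlfetch layout; hypothetical names and URLs
SAMPLE = """\
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Subject: CN=Jane User, OU=Users, DC=example, DC=test
  ---------------- Certificate CDP ----------------
  Verified "Base CRL (0ad9)" Time: 0
    [0.0] http://caserver.example.test/CertEnroll/subca.crl
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
  Subject: CN=Example Sub CA, DC=example, DC=test
  ---------------- Certificate AIA ----------------
  Verified "Certificate (0)" Time: 0
    [0.0] http://www.example.test/cert/root.crt
  ---------------- Certificate CDP ----------------
  Expired "Base CRL (0104)" Time: 0
    [0.0] http://www.example.test/cert/root.crl
"""

def parse_chain(text):
    """One dict per chain element: decoded dwErrorStatus bits plus (status, object, url) per fetch."""
    elements, cur, pending = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := CTX_RE.match(line):
            err = int(m.group(2), 16)
            cur = {"index": int(m.group(1)), "subject": "", "error_status": err,
                   "errors": [name for bit, name in ERROR_FLAGS.items() if err & bit], "fetches": []}
            elements.append(cur)
        elif cur is None:
            continue                       # header lines before the first CertContext
        elif line.startswith("Subject:") and not cur["subject"]:
            cur["subject"] = line[8:].strip()
        elif m := FETCH_RE.match(line):
            pending = m.groups()           # the fetched URL, if any, is on the next line
        elif (m := URL_RE.match(line)) and pending:
            cur["fetches"].append(pending + (m.group(1),))
            pending = None
    return elements

def failed_fetches(elements):
    """Fetches whose status is not Verified/OK, tagged with the element they belong to."""
    return [(e["index"], e["subject"], f) for e in elements for f in e["fetches"] if f[0] not in ("Verified", "OK")]
```

    Run it over a saved certutil dump by passing the file's contents to parse_chain in place of SAMPLE.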

  • Slow Performance Weeks after Encryption

    I encrypted my organization's laptops several weeks ago and did not return them to users until after I could tell by device performance that the bulk encrypting task had completed. I have two users that are experiencing extremely slow performance on their systems. When the users are typing anything like a Word document, upon each keystroke they see the Windows 7 "circle" icon at the mouse cursor. This seems to come and go several times over the week, and every few days we are getting a request to resolve the issue but after restarting the behavior may not act up anymore.
    I found a TID suggesting to change HKLM\SOFTWARE\Novell-FDE\Parameters\ThrottleEncryption to a lower level like Idle or BelowNormal. Is there anything else that I should also try? Thanks!

    Yes, but nothing from Novell yet - I will keep pushing them forward and let you know if I get some results.
    -j-
    >>> Jim Koerner<[email protected]> 8.3.2013 15:29 >>>
    Sounds like you have a SR going on this also. Have you heard anything on a
    fix? Mine has been stagnant for a while and I just bumped it to see if
    anything has been figured out or if more info is needed from my side. Hope
    to hear something soon. This is a pretty severe problem especially when it
    happens multiple times to a machine.
    Jim Koerner
    Server - ZCM 11.2.2 MU1 and Internal Database on Win2008R2x64
    Client - ZCM 11.2.2 MU1 on Win7SP1x64 and WinXPx32
    "Jouko Oksanen" <Jouko.Oksanen_re@move_efore.fi> wrote in message
    news:513713E9.13C8.00F6.0@move_efore.fi...
    Hi,
    We have had (maybe) similar issues with our FDE setup that FDE policy
    assigned devices tend to lose the policy and start to do disk decryption
    and suddenly get once again the policy back and start to encrypt again. This
    could be found from "ZCM agent, Full disk encryption, about, Agents status,
    Settings, on section "Emergency Recovery Information" you could see events
    'Zone Changed' what according to Novell support meant that the policy was
    "re-initialized / changed" even our policy counter have not changed = policy
    got lost in some phase.
    We are now suspecting that there is some issues with the policy service that
    plays tricks on us.
    -j-
    >>> Jim Koerner<[email protected]> 20.2.2013 19:57 >>>
    In ZCC on the devices that you are having issues with look at the Emergency
    Recovery tab and see if you have multiple listings in here that correspond
    to the slowness. If so your devices are decrypting and then re-encrypting.
    Your mention of being asked to reboot leads me to believe that is what is
    happening to you.
    I have had a few SRs going on this one for a while and it got bumped to
    backend but no info in a month or so.
    Jim Koerner
    Server - ZCM 11.2.2 MU1 and Internal Database on Win2008R2x64
    Client - ZCM 11.2.2 MU1 on Win7SP1x64 and WinXPx32
    "marklar23" wrote in message
    news:[email protected]...
    I encrypted my organization's laptops several weeks ago and did not
    return them to users until after I could tell by device performance that
    the bulk encrypting task had completed. I have two users that are
    experiencing extremely slow performance on their systems. When the
    users are typing anything like a Word document, upon each keystroke they
    see the Windows 7 "circle" icon at the mouse cursor. This seems to come
    and go several times over the week, and every few days we are getting a
    request to resolve the issue but after restarting the behavior may not
    act up anymore.
    I found a TID suggesting to change
    HKLM\SOFTWARE\Novell-FDE\Parameters\ThrottleEncryption to a lower level
    like Idle or BelowNormal. Is there anything else that I should also
    try? Thanks!
    marklar23

  • Can Time Machine perform encrypted backups for more than one computer to the same external drive?

    I have two MBPs. The older MBP, with 1TB of storage, now contains two other MBP clones, for a total of 3 user machines on 1 MBP. I'd like to back up both my newest MBP, and the older MBP with the 2 clones, to my new 5TB drive (via wi-fi). I want to encrypt these backups, but am unclear whether it is possible. Does TM first encrypt the drive itself, or is each back up separately encrypted? I understand that if I wanted to encrypt an existing Time Matters backup on a drive, the prior data would be erased and reformatted, but here I am working with a new backup drive, on which one encrypted backup has been performed.
    I just don't want to overwrite this existing backup (which was for my newest MBP).
    Thanks for whatever help anyone can provide.

    You should have prepared the drive better..
    The drive should have been partitioned. It is possible to load the backups.. but you can get into trouble.
    See http://pondini.org/TM/4.html
    Since partitioning at this point would destroy the existing backup.. the best way is to set up a disk image for each of the other Macbook backups and then mount the disk image and use that for the TM backup..
    Encrypting the drive or the backup.. that is something I avoid.. backups to me are useless if I forget or lose the key.. apple have warned lose the key.. the backup is useless..
    But check pondini FAQ .. you might be able to encrypt a drive image.. or the backup.
    http://pondini.org/TM/FAQ.html
    See Q25 and 31.
