mcvay178
asked on
Backup Exec fails with TrueCrypt encrypted system partition.
I have been working on setting up a server with full disk encryption. The server is running Server 2008 R2 and full disk encryption was implemented with TrueCrypt. I am utilizing Backup Exec 2010 for my backup procedures but when attempting to backup the system state of the machine, the backup fails with the error indicating that the VSS provider was unable to create the required snapshot.
Removing the full disk encryption enables Backup Exec to successfully create the backup. My issue is simply that I need both of these capabilities and need to figure out how to get both full disk encryption along with a sustainable backup strategy on the same machine.
I have spent a few hours on tech support with Symantec and they have been unable to solve the problem. I have also investigated utilizing BitLocker which is integrated into Server 2008 but unfortunately, the program indicates that my hard drives are not partitioned correctly to utilize the software, and my system lacks a TPM chip required to use BitLocker.
I am open to any combination of full disk encryption software / backup software. My only requirement is to minimise cost as much as possible.
Removing the full disk encryption enables Backup Exec to successfully create the backup. My issue is simply that I need both of these capabilities and need to figure out how to get both full disk encryption along with a sustainable backup strategy on the same machine.
I have spent a few hours on tech support with Symantec and they have been unable to solve the problem. I have also investigated utilizing BitLocker which is integrated into Server 2008 but unfortunately, the program indicates that my hard drives are not partitioned correctly to utilize the software, and my system lacks a TPM chip required to use BitLocker.
I am open to any combination of full disk encryption software / backup software. My only requirement is to minimise cost as much as possible.
ASKER
Decryption on the 80 gb system partition takes about 20 minutes, encryption takes about 3 hours.. I would be a bit uncomfortable with this solution since 1, we are decrypting out system so it poses a security risk, and 2, assuming TrueCrypt failed to encrypt properly and corrupted the system, our company would be unable to function until the server was completely reformatted and restored.
Can you give us some more color on your requirements? For example:
1. Are your backups stored onsite or offsite? On removable media or on running systems?
2. Is Backup Exec a firm requirement or are you willing to use an alternative backup mechanism?
3. Is full disk encryption a firm requirement, or would an encrypted volume for the data itself be acceptable?
Among other things, I'm trying to make sure we don't have any needless complications in the requirements. For example, if this is a company server that runs 24/7 onsite then encrypting the system volume doesn't seem to add security. Anyone who achieved physical (or virtual) access would find everything unencrypted for the taking. Encryption would only protect you when a) the server was off, or b) the data was elsewhere. Protecting the local server physically is best done, well, physically. Protecting it virtually is a task that must be undertaken regardless of encryption.
1. Are your backups stored onsite or offsite? On removable media or on running systems?
2. Is Backup Exec a firm requirement or are you willing to use an alternative backup mechanism?
3. Is full disk encryption a firm requirement, or would an encrypted volume for the data itself be acceptable?
Among other things, I'm trying to make sure we don't have any needless complications in the requirements. For example, if this is a company server that runs 24/7 onsite then encrypting the system volume doesn't seem to add security. Anyone who achieved physical (or virtual) access would find everything unencrypted for the taking. Encryption would only protect you when a) the server was off, or b) the data was elsewhere. Protecting the local server physically is best done, well, physically. Protecting it virtually is a task that must be undertaken regardless of encryption.
ASKER
An encrypted volume is acceptable but it must be accessible even when the user is not logged in, ie mount at boot. Either this or as long as the thing stays mounted.. its the shared files, medical database and sql server on 2 of our work servers and must be accessible at all times.
Backup Exec is not a firm requirement. It just happens to be the software I have on the system right now. I would just like something automated and as hassle free as possible.. exporting dns entries in regedit isn't my idea of a good friday afternoon.
Backups are stored onsite, with an offsite rotated out biweekly.
The primary concern is that some of our business partners actually had someone break into their business and literally steal the server box out of their office causing a huge HIPAA mess. Encryption of medical information is a mitigating factor in that circumstance since as soon as the machine is unplugged, an on-the-fly encryption system will be safe. (ie truecrypt)
In terms of physical protection, we have similar safeguards as the business mentioned above. Unfortunately, two solid doors and an alarm system all locked tight didn't stop them in that case, so it has become a requirement from management that assuming the server is physically stolen, regardless of the physical security, the data must stay safeguarded. Encryption is the only way I can think of that appropriately mitigates the HIPAA risk.
Hope this clarifies the situation. Post back if you have any other questions.
Backup Exec is not a firm requirement. It just happens to be the software I have on the system right now. I would just like something automated and as hassle free as possible.. exporting dns entries in regedit isn't my idea of a good friday afternoon.
Backups are stored onsite, with an offsite rotated out biweekly.
The primary concern is that some of our business partners actually had someone break into their business and literally steal the server box out of their office causing a huge HIPAA mess. Encryption of medical information is a mitigating factor in that circumstance since as soon as the machine is unplugged, an on-the-fly encryption system will be safe. (ie truecrypt)
In terms of physical protection, we have similar safeguards as the business mentioned above. Unfortunately, two solid doors and an alarm system all locked tight didn't stop them in that case, so it has become a requirement from management that assuming the server is physically stolen, regardless of the physical security, the data must stay safeguarded. Encryption is the only way I can think of that appropriately mitigates the HIPAA risk.
Hope this clarifies the situation. Post back if you have any other questions.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Great breakdown. Sorry for the delayed response, I have been under the gun at school and work so I have not had time to post.
I have already unencrypted the system partition of my file server and essentially followed your guidance on the setup and it is functioning properly. I have yet to convert the medical database to this setup because we have been waiting on backups tapes and were changing around responsibilities for backups so it has just been held up a bit.. I will be converting the system this week and will test backups utilizing the scheme you have laid out.
Since the file server is functioning properly, I know this scheme works so thank you for the solution!
I have already unencrypted the system partition of my file server and essentially followed your guidance on the setup and it is functioning properly. I have yet to convert the medical database to this setup because we have been waiting on backups tapes and were changing around responsibilities for backups so it has just been held up a bit.. I will be converting the system this week and will test backups utilizing the scheme you have laid out.
Since the file server is functioning properly, I know this scheme works so thank you for the solution!
if you do go this route i would strongly advise practicing on a dummy machine first!