
Server Hard Drive Encryption Advice

Posted on 2011-09-06
Last Modified: 2012-05-12
I'm setting up a server, which will host confidential information at a third party location. For security reasons I would like to have some sort of encryption for the data stored on it (3 external HDs worth of data). The server is running WHS2011. No confidential data is stored on the system drive, only the external HDs.

Could you tell me what the best way would be to encrypt those external drives, so that they would be unusable when plugged up to a different system?

Thanks Guys!
Question by:mpaert
9 Comments
 
LVL 26

Accepted Solution

by:
Tony J earned 1000 total points
ID: 36487944
You have a couple of options - WHS 2011 supports BitLocker (but you might want to confirm it can also use BitLocker To Go on external USB storage).

Otherwise, I've extensively used TrueCrypt (www.truecrypt.org) to do full disk encryption (including OS in the past).

It's free, open source, reliable and quick.
0
 
LVL 8

Assisted Solution

by:Amitabh Singh
Amitabh Singh earned 252 total points
ID: 36488366
Yes, there is a lot of paid and open source software; it is up to you to choose what you want. I prefer not to use open source and freeware to encrypt highly confidential data.

Open source/freeware software

TrueCrypt (www.truecrypt.org)
FreeOTFE (http://www.freeotfe.org/)

PAID

Check Point Full Disk Encryption (http://www.checkpoint.com/products/full-disk-encryption/index.html)
Symantec PGP Encryption (http://www.symantec.com/business/whole-disk-encryption)
0
 
LVL 25

Assisted Solution

by:RobMobility
RobMobility earned 500 total points
ID: 36489184
Hi,

There may be regulatory or other restrictions which impose the need for FIPS 140-2 certified solutions - this will ensure that AES encryption is correctly implemented and therefore much more difficult to crack, if at all. The key strength is also dependent on the Crypt API used to generate the key and the entropy used during kek generation.

BitLocker uses FIPS certified libraries and CheckPoint and Symantec have FIPS certified offerings. Since you already have BitLocker, I'd be inclined to use that:

I believe this will help with BitLocker:

http://onlinehelp.microsoft.com/en-us/windowshomeserver2011/hh228214.aspx

Regards,


RobM.
0
 
LVL 26

Assisted Solution

by:Tony J
Tony J earned 1000 total points
ID: 36489288
TrueCrypt doesn't explicitly say anywhere that it is FIPS compliant. But...my understanding of this compliance is that any device loses FIPS compliancy if it is connected to a system not fully compliant to the same standard? Weakest link in the chain, etc.

That said, who would be using Windows Home Server in a FIPS environment??

TrueCrypt cannot be centrally managed as yet (no GPOs etc.): that might be more relevant to you.

In my first response, I gave both BitLocker AND TrueCrypt as answers as they both fulfill the request on the information given.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 36489379
Hi,

I am not disputing your first post (i.e. recommending BitLocker) and my reference to the FIPS side is that the cryptographic libraries used are FIPS 140-2 certified - in other words the implementation of AES is in accordance with the FIPS standards.

TrueCrypt does not have such a certification, which is an independent assurance of the cryptography used, and as such MAY NOT implement AES as rigorously as products that are.

This is why FIPS 140-2 is recognised throughout the world and certified products are used widely by Governments who want extra reassurance about their encryption.

Regards,


RobMobility.
0
 
LVL 26

Assisted Solution

by:Tony J
Tony J earned 1000 total points
ID: 36489480
I'm not arguing any of that.

But - the moment it's connected to a WHS2011 server where the system disk(s) are not encrypted via a FIPS-compliant mechanism, the whole stops being FIPS-compliant.

My point here being, that I don't think it's a problem that the OP will encounter and we are perhaps getting off on a tangent and overcomplicating what they had originally asked for :-)
0
 
LVL 25

Assisted Solution

by:RobMobility
RobMobility earned 500 total points
ID: 36489511
Hi,

No worries - as you originally suggested, BitLocker would be my choice and the guide I referenced shows mpaert how to do it.

As it's integrated into the OS and not a third-party bolt-on, I would suggest it's the best approach and least likely to cause additional challenges moving forward?

Regards,


RobMobility.
0
 
LVL 26

Assisted Solution

by:Tony J
Tony J earned 1000 total points
ID: 36489556
Totally agree - it'll certainly give the most seamless integration. I just mentioned TC as it's a free alternative and not everyone trusts MS to do their encryption (I'm not in that court, by the way) :-)
0
 
LVL 12

Assisted Solution

by:coredatarecovery
coredatarecovery earned 248 total points
ID: 36491617
If you go with TrueCrypt, use a long password and double encrypt, for extra security.

The extra long password will make it nearly impossible to crack through brute force.

Also, don't pass up looking at Maxtor BlackArmor drives, they're hardware encrypted but use a keyword and there's less processing power required as the drive encrypts itself on the fly.

0
