
Server Hard Drive Encryption Advice

Posted on 2011-09-06
Last Modified: 2012-05-12
I'm setting up a server, which will host confidential information at a third party location. For security reasons I would like to have some sort of encryption for the data stored on it (3 external HDs worth of data). The server is running WHS2011. No confidential data is stored on the system drive, only the external HDs.

Could you tell me what the best way would be to encrypt those external drives, so that they would be unusable when plugged up to a different system?

Thanks Guys!
Question by:mpaert
9 Comments
 
LVL 26

Accepted Solution

by:
Tony J earned 1000 total points
ID: 36487944
You have a couple of options - WHS 2011 supports BitLocker (but you might want to confirm it can also use BitLocker To Go on external USB storage).

Otherwise, I've extensively used TrueCrypt (www.truecrypt.org) to do full disk encryption (including OS in the past).

It's free, open source, reliable and quick.
0
 
LVL 8

Assisted Solution

by:Amitabh Singh
Amitabh Singh earned 252 total points
ID: 36488366
Yes, there are many PAID and open source software options; it is up to you to choose what you want. I prefer not to use open source and freeware to encrypt highly confidential data.

Open source/freeware software

TrueCrypt (www.truecrypt.org)
FreeOTFE (http://www.freeotfe.org/)

PAID

Check Point Full Disk Encryption (http://www.checkpoint.com/products/full-disk-encryption/index.html)
Symantec PGP Encryption (http://www.symantec.com/business/whole-disk-encryption)
0
 
LVL 26

Assisted Solution

by:Rob Knight
Rob Knight earned 500 total points
ID: 36489184
Hi,

There may be regulatory or other restrictions which impose the need for FIPS 140-2 certified solutions - this will ensure that AES encryption is correctly implemented and therefore much more difficult to crack, if at all. The key strength is also dependent on the Crypt API used to generate the key and the entropy used during KEK generation.

BitLocker uses FIPS certified libraries and CheckPoint and Symantec have FIPS certified offerings. Since you already have BitLocker, I'd be inclined to use that:

I believe this will help with BitLocker:

http://onlinehelp.microsoft.com/en-us/windowshomeserver2011/hh228214.aspx

Regards,


RobM.
0

 
LVL 26

Assisted Solution

by:Tony J
Tony J earned 1000 total points
ID: 36489288
TrueCrypt doesn't explicitly say anywhere that it is FIPS compliant. But...my understanding of this compliance is that any device loses FIPS compliancy if it is connected to a system not fully compliant to the same standard? Weakest link in the chain, etc.

That said, who would be using Windows Home Server in a FIPS environment??

TrueCrypt cannot be centrally managed as yet (no GPOs etc.): that might be more relevant to you.

In my first response, I gave both BitLocker AND TrueCrypt as answers as they both fulfill the request on the information given.
0
 
LVL 26

Expert Comment

by:Rob Knight
ID: 36489379
Hi,

I am not disputing your first post (i.e. recommending BitLocker) and my reference to the FIPS side is that the cryptographic libraries used are FIPS 140-2 certified - in other words the implementation of AES is in accordance with the FIPS standards.

TrueCrypt does not have such a certification which is an independent assurance of the cryptography used and as such MAY NOT implement AES as rigorously as products that are.

This is why FIPS 140-2 is recognised throughout the world and certified products are used widely by Governments who want extra reassurance about their encryption.

Regards,


RobMobility.
0
 
LVL 26

Assisted Solution

by:Tony J
Tony J earned 1000 total points
ID: 36489480
I'm not arguing any of that.

But - the moment it's connected to a WHS2011 server where the system disk(s) are not encrypted via a FIPS-compliant mechanism, the whole stops being FIPS-compliant.

My point here being, that I don't think it's a problem that the OP will encounter and we are perhaps getting off on a tangent and overcomplicating what they had originally asked for :-)
0
 
LVL 26

Assisted Solution

by:Rob Knight
Rob Knight earned 500 total points
ID: 36489511
Hi,

No worries - as you originally suggested, BitLocker would be my choice and the guide I referenced shows mpaert how to do it.

As it's integrated into the OS and not a third-party bolt-on, I would suggest it's the best approach and least likely to cause additional challenges moving forward?

Regards,


RobMobility.
0
 
LVL 26

Assisted Solution

by:Tony J
Tony J earned 1000 total points
ID: 36489556
Totally agree - it'll certainly give the most seamless integration. I just mentioned TC as it's a free alternative and not everyone trusts MS to do their encryption (I'm not in that court, by the way) :-)
0
 
LVL 12

Assisted Solution

by:coredatarecovery
coredatarecovery earned 248 total points
ID: 36491617
If you go with TrueCrypt, use a long password and double encrypt, for extra security.

The extra long password will make it nearly impossible to crack through brute force.

Also, don't pass up looking at Maxtor BlackArmor drives, they're hardware encrypted but use a keyword and there's less processing power required as the drive encrypts itself on the fly.

0
