Solved

Server Hard Drive Encryption Advice

Posted on 2011-09-06
Last Modified: 2012-05-12
I'm setting up a server, which will host confidential information at a third party location. For security reasons I would like to have some sort of encryption for the data stored on it (3 external HDs worth of data). The server is running WHS2011. No confidential data is stored on the system drive, only the external HDs.

Could you tell me what the best way would be to encrypt those external drives, so that they would be unusable when plugged into a different system?

Thanks Guys!
0
Question by:mpaert
9 Comments
 
LVL 26

Accepted Solution

by:Tony J
Tony J earned 1000 total points
ID: 36487944
You have a couple of options - WHS 2011 supports BitLocker (but you might want to confirm it can also use BitLocker To Go on external USB storage).

Otherwise, I've extensively used TrueCrypt (www.truecrypt.org) to do full disk encryption (including OS in the past).

It's free, open source, reliable and quick.
0
 
LVL 8

Assisted Solution

by:Amitabh Singh
Amitabh Singh earned 252 total points
ID: 36488366
Yes, there are many paid and open source software options; it is up to you to choose what you want. I prefer not to use open source and freeware to encrypt highly confidential data.

Open source/freeware software

TrueCrypt (www.truecrypt.org)
FreeOTFE (http://www.freeotfe.org/)

PAID

Check Point Full Disk Encryption (http://www.checkpoint.com/products/full-disk-encryption/index.html)
Symantec PGP Encryption (http://www.symantec.com/business/whole-disk-encryption)
0
 
LVL 25

Assisted Solution

by:RobMobility
RobMobility earned 500 total points
ID: 36489184
Hi,

There may be regulatory or other restrictions which impose the need for FIPS 140-2 certified solutions - this will ensure that AES encryption is correctly implemented and therefore much more difficult to crack, if at all. The key strength is also dependent on the Crypt API used to generate the key and the entropy used during kek generation.

BitLocker uses FIPS certified libraries and CheckPoint and Symantec have FIPS certified offerings. Since you already have BitLocker, I'd be inclined to use that.

I believe this will help with BitLocker:

http://onlinehelp.microsoft.com/en-us/windowshomeserver2011/hh228214.aspx

Regards,


RobM.
0

 
LVL 26

Assisted Solution

by:Tony J
Tony J earned 1000 total points
ID: 36489288
TrueCrypt doesn't explicitly say anywhere that it is FIPS compliant. But...my understanding of this compliance is that any device loses FIPS compliancy if it is connected to a system not fully compliant to the same standard? Weakest link in the chain, etc.

That said, who would be using Windows Home Server in a FIPS environment??

TrueCrypt cannot be centrally managed as yet (no GPOs etc.): that might be more relevant to you.

In my first response, I gave both BitLocker AND TrueCrypt as answers as they both fulfill the request on the information given.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 36489379
Hi,

I am not disputing your first post (i.e. recommending BitLocker) and my reference to the FIPS side is that the cryptographic libraries used are FIPS 140-2 certified - in other words the implementation of AES is in accordance with the FIPS standards.

TrueCrypt does not have such a certification, which is an independent assurance of the cryptography used, and as such MAY NOT implement AES as rigorously as products that are.

This is why FIPS 140-2 is recognised throughout the world and certified products are used widely by Governments who want extra reassurance about their encryption.

Regards,


RobMobility.
0
 
LVL 26

Assisted Solution

by:Tony J
Tony J earned 1000 total points
ID: 36489480
I'm not arguing any of that.

But - the moment it's connected to a WHS2011 server where the system disk(s) are not encrypted via a FIPS-compliant mechanism, the whole stops being FIPS-compliant.

My point here being, that I don't think it's a problem that the OP will encounter and we are perhaps getting off on a tangent and overcomplicating what they had originally asked for :-)
0
 
LVL 25

Assisted Solution

by:RobMobility
RobMobility earned 500 total points
ID: 36489511
Hi,

No worries - as you originally suggested, BitLocker would be my choice and the guide I referenced shows mpaert how to do it.

As it's integrated into the OS and not a third-party bolt-on, I would suggest it's the best approach and least likely to cause additional challenges moving forward?

Regards,


RobMobility.
0
 
LVL 26

Assisted Solution

by:Tony J
Tony J earned 1000 total points
ID: 36489556
Totally agree - it'll certainly give the most seamless integration. I just mentioned TC as it's a free alternative and not everyone trusts MS to do their encryption (I'm not in that court, by the way) :-)
0
 
LVL 12

Assisted Solution

by:coredatarecovery
coredatarecovery earned 248 total points
ID: 36491617
If you go with TrueCrypt, use a long password and double encrypt, for extra security.

The extra long password will make it nearly impossible to crack through brute force.

Also, don't pass up looking at Maxtor BlackArmor drives; they're hardware encrypted but use a keyword, and there's less processing power required as the drive encrypts itself on the fly.

0
