Solved

Server Hard Drive Encryption Advice

Posted on 2011-09-06
9
596 Views
Last Modified: 2012-05-12
I'm setting up a server, which will host confidential information at a third party location. For security reasons I would like to have some sort of encryption for the data stored on it (3 external HDs worth of data). The server is running WHS2011. No confidential data is stored on the system drive, only the external HDs.

Could you tell me what the best way would be to encrypt those external drives, so that they would be unusable when plugged up to a different system?

Thanks Guys!
0
Question by:mpaert
9 Comments
 
LVL 25

Accepted Solution

by:
Tony1044 earned 250 total points
ID: 36487944
You have a couple of options - WHS 2011 supports BitLocker (but you might want to confirm it can also use BitLocker To Go on external USB storage).

Otherwise, I've extensively used TrueCrypt (www.truecrypt.org) to do full disk encryption (including OS in the past).

It's free, open source, reliable and quick.
0
 
LVL 8

Assisted Solution

by:Amitabh Singh
Amitabh Singh earned 63 total points
ID: 36488366
Yes, there are many paid and open source software options; it is up to you to choose what you want. I prefer not to use open source and freeware to encrypt highly confidential data.

Open source/freeware software

TrueCrypt (www.truecrypt.org)
FreeOTFE (http://www.freeotfe.org/)

PAID

Check Point Full Disk Encryption (http://www.checkpoint.com/products/full-disk-encryption/index.html)
Symantec PGP Encryption (http://www.symantec.com/business/whole-disk-encryption)
0
 
LVL 25

Assisted Solution

by:RobMobility
RobMobility earned 125 total points
ID: 36489184
Hi,

There may be regulatory or other restrictions which impose the need for FIPS 140-2 certified solutions - this will ensure that AES encryption is correctly implemented and therefore much more difficult to crack, if at all. The key strength is also dependent on the Crypt API used to generate the key and the entropy used during kek generation.

BitLocker uses FIPS certified libraries and CheckPoint and Symantec have FIPS certified offerings. Since you already have BitLocker, I'd be inclined to use that:

I believe this will help with BitLocker:

http://onlinehelp.microsoft.com/en-us/windowshomeserver2011/hh228214.aspx

Regards,


RobM.
0
 
LVL 25

Assisted Solution

by:Tony1044
Tony1044 earned 250 total points
ID: 36489288
TrueCrypt doesn't explicitly say anywhere that it is FIPS compliant. But...my understanding of this compliance is that any device loses FIPS compliancy if it is connected to a system not fully compliant to the same standard? Weakest link in the chain, etc.

That said, who would be using Windows Home Server in a FIPS environment??

TrueCrypt cannot be centrally managed as yet (no GPOs etc.): that might be more relevant to you.

In my first response, I gave both BitLocker AND TrueCrypt as answers as they both fulfill the request on the information given.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 36489379
Hi,

I am not disputing your first post (i.e. recommending BitLocker) and my reference to the FIPS side is that the cryptographic libraries used are FIPS 140-2 certified - in other words the implementation of AES is in accordance with the FIPS standards.

TrueCrypt does not have such a certification, which is an independent assurance of the cryptography used, and as such MAY NOT implement AES as rigorously as products that are.

This is why FIPS 140-2 is recognised throughout the world and certified products are used widely by Governments who want extra re-assurance about their encryption.

Regards,


RobMobility.
0
 
LVL 25

Assisted Solution

by:Tony1044
Tony1044 earned 250 total points
ID: 36489480
I'm not arguing any of that.

But - the moment it's connected to a WHS2011 server where the system disk(s) are not encrypted via a FIPS-compliant mechanism, the whole stops being FIPS-compliant.

My point here being, that I don't think it's a problem that the OP will encounter and we are perhaps getting off on a tangent and overcomplicating what they had originally asked for :-)
0
 
LVL 25

Assisted Solution

by:RobMobility
RobMobility earned 125 total points
ID: 36489511
Hi,

No worries - as you originally suggested, BitLocker would be my choice and the guide I referenced shows mpaert how to do it.

As it's integrated into the OS and not a third-party bolt-on, I would suggest it's the best approach and least likely to cause additional challenges moving forward?

Regards,


RobMobility.
0
 
LVL 25

Assisted Solution

by:Tony1044
Tony1044 earned 250 total points
ID: 36489556
Totally agree - it'll certainly give the most seamless integration. I just mentioned TC as it's a free alternative and not everyone trusts MS to do their encryption (I'm not in that court, by the way) :-)
0
 
LVL 12

Assisted Solution

by:coredatarecovery
coredatarecovery earned 62 total points
ID: 36491617
If you go with TrueCrypt, use a long password and double encrypt, for extra security.

The extra long password will make it nearly impossible to crack thru brute force.

Also, don't pass up looking at Maxtor BlackArmor drives; they're hardware encrypted but use a keyword, and there's less processing power required as the drive encrypts itself on the fly.

0
