Data Encryption

I am currently looking for an encryption solution for our Windows server environment at a share level. My environment is composed of Server 2003 and 2008; we are looking to apply encryption to data at rest. Our picture of data at rest would consist of encrypting our file shares that target data is sitting on, and also data that is being stored on backup tapes. Currently I am using Symantec Backup Exec for my backups, and I am using the encryption tool that encrypts the data stored on tape, but I need a stable solution for my file shares. In the past I have had some experience with the encrypted files getting corrupt and not being able to retain the data. From my understanding Windows does offer encryption, and I am aware of third-party software encryption, but I am looking for the safest way for least disaster. Any recommendations?



Brian Pierce, Photographer, commented:
EFS, built into Windows, is effective and free.
Windows BitLocker allows for encryption of the hard drive, so that the data is protected in case the server is lost / stolen / ... Nevertheless, when accessing the data once the server is running, the data is decrypted on the fly, so that the users / applications don't notice it is encrypted on the hard disk. So backup tools will see unencrypted files.
Regarding EFS, the same happens by default, so you must go extra steps to make sure your files are encrypted in the backup but still can be restored. Please check for a first start regarding the issues involved.
ahmad1467, Author, commented:

I was trying to use EFS on one of my shares on my Windows 2003 server:
I created a share, went to Properties > Advanced > then selected "Encrypt contents to secure data" > selected Apply > "Apply changes to this folder, subfolders and files". But once I hit OK I get this message:
{An error occurred applying attributes to the file:
Recovery policy configured for this system contains invalid recovery certificate}


By default the Domain Administrator's account is the recovery agent. In order to be able to recover encrypted data, make sure the recovery agent has a valid certificate which is safely backed up.
Please see here for more information:
ahmad1467, Author, commented:
I followed these steps in the link, but it looks like something is missing.

1. Start Active Directory Users and Computers (Start - Programs - Administrative Programs - Active Directory Users and Computers)
2. Right-click on the domain and select Properties
3. Select the 'Group Policy' tab
4. Select the 'Default Domain Policy' and click Edit
5. Expand Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypted Data Recovery Agents

But I don't see "Encrypted Data Recovery Agents"; all I see is "Encrypting File System".

Try right-clicking on "Encrypting File System". This gives you the option to add recovery agents. In fact this allows you to add recovery agent certificates to the GPO, so that all EFS files are encrypted such that they can be decrypted by this user.
You are getting the error because the GPO (Default Domain Policy) contains an expired Data Recovery Agent (DRA) certificate. You can see it in the right panel once you click on 'Encrypting File System'.

Back this certificate up, then delete it and get a new DRA by right-clicking on 'Encrypting File System' and choosing 'Create Data Recovery Agent'. This will create a new self-signed DRA certificate if you don't have an Enterprise CA available, or the EFS Recovery template is not available, or the user doesn't have permission to enroll from this template.
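As an added example (not from the thread or any answer above), a PowerShell script that checks the recovery-agent certificate for expiry, backs it up together with its private key before it is removed from the GPO, and generates the replacement DRA with cipher.exe. The C:\EFS-backup folder, the password prompt, and the assumption that the current user holds the old DRA key are mine.

```powershell
# Added example, not from the original thread. Assumes PowerShell on the
# Windows 2008 server (or a 2003 box with PowerShell installed) and that the
# current user is the domain administrator whose DRA certificate is the one
# referenced by the Default Domain Policy. Paths under C:\EFS-backup are assumed.

$efsEku      = '1.3.6.1.4.1.311.10.3.4'    # Encrypting File System EKU
$recoveryEku = '1.3.6.1.4.1.311.10.3.4.1'  # File Recovery (DRA) EKU

function Get-Ekus($cert) {
    # EKU OIDs of a certificate as a plain array (works on PowerShell 2.0 too)
    $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
}

function Get-EfsCertStatus {
    # List EFS user and recovery-agent certs in the personal store with expiry state
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { (Get-Ekus $_) -contains $efsEku -or (Get-Ekus $_) -contains $recoveryEku } |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ n = 'Role';    e = { if ((Get-Ekus $_) -contains $recoveryEku) { 'Recovery agent' } else { 'EFS user' } } },
            @{ n = 'Expired'; e = { $_.NotAfter -lt (Get-Date) } }
}

Get-EfsCertStatus | Format-Table -AutoSize

# 1. Back up the existing DRA cert WITH its private key before removing it from
#    the GPO; without it, files encrypted under the old DRA cannot be recovered.
New-Item -ItemType Directory -Path 'C:\EFS-backup' -Force | Out-Null
$old = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { (Get-Ekus $_) -contains $recoveryEku } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if ($old -and $old.HasPrivateKey) {
    $pw    = Read-Host 'Password to protect the backup PFX'
    $bytes = $old.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $pw)
    [IO.File]::WriteAllBytes('C:\EFS-backup\old-DRA.pfx', $bytes)
}

# 2. Generate a new self-signed DRA key pair. cipher writes new-DRA.cer (add it
#    via the GPO's "Encrypting File System" node) and new-DRA.pfx (keep offline).
cipher /r:C:\EFS-backup\new-DRA

# 3. After the GPO is updated and refreshed (gpupdate /force), rewrite existing
#    encrypted files so they carry the new recovery agent's key. /u /n only
#    lists what would be touched; /u performs the update.
cipher /u /n
cipher /u
```

Keep old-DRA.pfx and new-DRA.pfx off the file server itself; whoever holds those files can decrypt every share encrypted under that agent.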
