Data Encryption

I am currently looking for an encryption Solution for our Windows server environment at a share level. My environment is compiled of Server 2003 and 2008; we are look to apply encryption to data at rest. Our picture of data at rest would consist of encrypting our file shares that target data is sitting on also data that is being store on backup tapes, currently I am using Symantec Backup Exec for my backups and I am using the encryption tool that encrypts the data store on tape but I need a stable solution for my file shares, In the past I have had some experience with the encrypted files getting corrupt and not being able to retain the data, from my understanding Windows does offer encryption and I am aware of third party software encryption but I am looking for the safest way for least disaster, any recommendations?


Who is Participating?
You are getting the error because the GPO (default domain Policy) contains an expired Data Recovery Agent (DRA) certificate. You can see it in the right panel once you click on 'Encrypting File System'.

Back this certificate up and then delete and get a new DRA by right clicking on Encrypting File System' and 'Create Data Recovery Agent' and it will create a new DRA Certificate (self - signed) if you don't have an Enterprise CA available or the EFS Recovery Template is not available or user doesn't have permission to enroll from this template.
Brian PiercePhotographerCommented:
EFS - built into Windows is effective and free
Windows Bitlocker allows for encryption of the harddrive, so that the data is protected in case the server is lost / stolen / ... Nevertheless when accessing the data once the server is running the data is decrypted on the fly so that the users / application don't notice they're encrypted on the harddisk. So backup-tools will see unencrypted files.
Regarding EFS the same happens by default, so you must go extra steps to make sure your files are encrypted in the backup but still can be restored. Please check for a first start regarding the issues involved.
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

ahmad1467Author Commented:

I was trying to use EFS on one of my shares on my Windows 2003 server:
I created a share went to properties > Advance> Then select >Encrypt contents to secure data> select apply> apply changes to this folder, subfolders and files. But once I hit ok I get this message.
{An error occurred applying attributes to the file:
Recovery policy configured for this system contains invalid recovery certificate}

By default the Domain-Administrator's account is the recovery agent. In order to be able to recover encrypted data make sure the recovery agent has a valid certificate which is safely backed up.
Please see here for more information:
ahmad1467Author Commented:
I followed these steps: in the link but it looks like somthing is missing.

1.Start the Active Directory Users and Computers (Start - Programs - Administrative Programs - Active Directory Users and Computers)
2.Right click on the domain and select Properties
3.Select 'Group Policy' tab
4.Select the 'Default Domain Policy' and click Edit
5.Expand Computer Configuration\Windows Settings\Security Settings\Public Key Policies\ \Encrypted Data Recovery Agents

But I don’t see {Encrypted Data Recovery Agents} all I see is Encrypting File System

Try right-clicking on "Encrypting File System". This gives you the option to add recovery agents. In fact this allows you to add Recovery Agent-Certificates to the GPO so that all EFS-files are encrypted such that they can be decrypted by this user.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.