Solved

data encryption advice in a server environment - Symantec PGP

Posted on 2013-01-02
17
514 Views
Last Modified: 2013-06-07
We have the following requirements for storing data on upto 4 computers and a server for some sensitive data on our netwoork.
.Encryption software must be implemented on all system and devices that
it needs to meet the required FIPS 140-2 standard?
back-up files need to be also encrypted

We are also in process of quoting for a new SBS 2011 server can anyone please advise on the Symantec PGP software licensing it will need and whether it is best to get a second - member server just for the encrypted disk / server drive etc?

Any tips on what we need and how best to achieve what we need. Any other info needed please ask

many thanks
0
Comment
Question by:phoenix81
  • 9
  • 5
  • 2
  • +1
17 Comments
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 500 total points
ID: 38736763
We are currently running Symantec PGP encryption. There may be differing versions available but the main PGP management server runs a Linux OS so you would need a seperate virtual or physical server to host that. We are currently running it inside of VMware for which symantec provides an OVF appliance you can import.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 38737806
Hi.

PGP WDE 10 can be licensed on a per device or per user basis. But before this question stands the fact that encrypting a server might endanger its ability to restart unattended. Please consider this: restarts after automatic updates, restarts after power losses and crashes. Planned restarts executed from remote... all those won't be possible any longer if the whole server is encrypted. If only a data drive should be encrypted, there are solutions... unfortunately, PGP WDE 10 is not amongst those.

So please tell us what you think you will do about this.
0
 

Author Comment

by:phoenix81
ID: 38739561
I dont think that they would require a whole server encrypted in that case. So my question would be what is the best Symantec product for encrypting a data drive only with only 4 users access to the data on this drive ? Also would we be able to back up the data drive easily and would we be able to have a hardware raid 1 mirrored encrypted data drive (Im not sure on how hardware mirroring works on an encrypted drive)

thanks again
0
 
LVL 53

Expert Comment

by:McKnife
ID: 38739688
Did you understand my point? When and how should your server mount it's encrypted data? The problem does not only arise if you encyrpt the whole drive but with any sort of encryption. You need someone to enter a password. If you don't want to go that way (entering a pw), you simply cannot use PGP here.
0
 

Author Comment

by:phoenix81
ID: 38739788
our problem is that we need to comply with the following requirements so whatever is needed i suppose. there is only a small amount of data that needs to be encrypted but these are the guidelines we have got to adhere to :( so if the below can only be achieved by having one of our servers encrypted then that is what will be needed. I would guess that if we have 2 servers e.g 1 server as the nornal sbs 2011 server and the member server running 2008 r2 as the encrypted server then this would be an easier way to manage it than having all of the encyrption on the same server as the normal data dont you think?

these are the 3 main points we are going to need to adhere to:
1Encryption software must be implemented on all system and devices that accesses the secure data.
2. Encryptionit needs to meet the required FIPS 140-2 standard?
3, back-up files need to be also encrypted

So I await your response again thanks and I aplogise if I am not being entirely clear :)
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 38739898
Nowhere in the specifications you posted does it say the server needs to be encrypted, only the clients accessing the data and backups of the data itself.

If this is the case then you can use PGP on your clients, or another whole disk encryption software like truecrypt. That would solve part 1 and 2.

Part 3 can be resolved depending on your backup method/product. I know backupexec has the ability to encrypt its backup data but we would need to know more about how you are performing backups.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 38740598
phoenix, you still are missing the point. I asked you to clear up how mounting should work, how you would deal with the problems I mentioned. Please do so.
0
 

Author Comment

by:phoenix81
ID: 38740666
Sorry Mcknife when you say mounting do you mean booting up/ starting up the server?
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 53

Expert Comment

by:McKnife
ID: 38740838
No. mounting an encrypted media (partition or container) means unlocking its encrypted state (by entering the encryption password or providing a keyfile or token of some kind) and making it thereby accessible to the OS.
Again: if you would like to encrypt a server, you will run into problems. Everytime the server has to restart, you will need to provide that password - how would you do that? Sleep in the server room? :)

What I say is there are indeed solutions to cover that problem, but PGP is not part of those solutions as it does not offer these techniques yet.

With PGP, anytime the server restarts (for whatever reason) you would need to be at hand to enter the password... I hope now you finally got my point.

My question remains: how will you deal with that problem?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 38746978
To make progress: again the question: how did you plan to enter or provide the encryption key at the server?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 38756323
Hello, anybody home?
You might be interested in Symantec's best practices document: PGP Whole Disk Encryption on Windows Servers ->http://www.symantec.com/business/support/resources/sites/BUSINESS/content/live/TECHNICAL_SOLUTION/149000/TECH149613/en_US/best_practices_pgp_wde_win_server.pdf
Quote:
Booting the Windows Server will require the physical presence of the administrator to supply credentials at PGP BootGuard: When PGP WDE is installed and the disk encrypted, a server operator or administrator with valid credentials will need to authenticate to PGP BootGuard prior to the Windows Server OS starting. It is important that this change in server operation be understood and adopted into your operating procedures. For example, where the server administrator would
remotely connect to a server to perform a reboot or load a driver/service pack that required a reboot, upon reboot the server will require authentication at PGP BootGuard. This means that remote administration procedures need to be modified within your business. PGP WDE provides functionality via the PGP WDE command line called “Boot Bypass”. Further information is provided  in “Remote booting of the Windows Server,” below.  
0
 

Author Comment

by:phoenix81
ID: 38758549
hi guys regarding the server reboot scenario we would just have the office staff have to enter the server password if and when it needed rebooting. This will be less of a problem if the encrypted server was only used for the encypted data hence if it needed rebooting it would only stop the 4 users from accessing the encrypted data where as the seperate main server which would host (no encrypted data) would be able to be rebooted remotely as normal.

So can you please advise what Symantec software you think we will need and hardware  if possible to achieve the following if you know?

- an encrypted folder on a server machine - shared to up to 4 client pcs that will access the data -
- What HP server hardware would you recommend to purely store the encrypted server data and can we install the encypted server as a windows 2008 r2 member server ?

Many thanks again
0
 
LVL 3

Expert Comment

by:MiamiCo
ID: 38845047
Guys i'm not familiar with Symantec PGP so maybe I'm missing something , but isn't there a possibility to encrypt just files and not whole partition? In that case you don't need to solve  "booting scenarios". Data will be stored on server only as encrypted files / directories.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 38848826
If it should be Symantec (could also be Truecrypt), take their PGP WDE 10 software. It's really irrelevant, if or how many clients access the data.
About hardware: take anything you like, the performance hit by encryption is negligible.
And yes, you can install it as 2008 R2 as a member server.
0
 

Author Comment

by:phoenix81
ID: 38953875
my client has stalled on this solution so far so when they eventually make a decision and we purchase the software I shall update here thank you
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39221982
Could you please tell me how you proceeded?
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39229970
Next time you ask something, give feedback, otherwise helpers might feel their efforts are all in vain.
0

Featured Post

Do email signature updates give you a headache?

Do you feel like all of your time is spent managing email signatures? Too busy to visit every user’s desk to make updates? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today!

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Hyper V host drive space issue 16 130
ABE  on 2012 file shares 2 23
Do we need servers??? 5 120
system state backup 1 6
As a financial services provider, your business is impacted by two of the strictest federal regulations on record: the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act. Correctly implementing faxing into your organization to provide secure, real-ti…
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through locating and launching the BEUtility application and how to execute it on the appropriate database. Log onto the server running the Backup Exec database. In a larger environment, this would generally be …
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now