Link to home
Start Free TrialLog in
Avatar of phoenix81
phoenix81Flag for United Kingdom of Great Britain and Northern Ireland

asked on

data encryption advice in a server environment - Symantec PGP

We have the following requirements for storing data on upto 4 computers and a server for some sensitive data on our netwoork.
.Encryption software must be implemented on all system and devices that
it needs to meet the required FIPS 140-2 standard?
back-up files need to be also encrypted

We are also in process of quoting for a new SBS 2011 server can anyone please advise on the Symantec PGP software licensing it will need and whether it is best to get a second - member server just for the encrypted disk / server drive etc?

Any tips on what we need and how best to achieve what we need. Any other info needed please ask

many thanks
Avatar of Joseph Daly
Joseph Daly
Flag of United States of America image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial

PGP WDE 10 can be licensed on a per device or per user basis. But before this question stands the fact that encrypting a server might endanger its ability to restart unattended. Please consider this: restarts after automatic updates, restarts after power losses and crashes. Planned restarts executed from remote... all those won't be possible any longer if the whole server is encrypted. If only a data drive should be encrypted, there are solutions... unfortunately, PGP WDE 10 is not amongst those.

So please tell us what you think you will do about this.
Avatar of phoenix81


I dont think that they would require a whole server encrypted in that case. So my question would be what is the best Symantec product for encrypting a data drive only with only 4 users access to the data on this drive ? Also would we be able to back up the data drive easily and would we be able to have a hardware raid 1 mirrored encrypted data drive (Im not sure on how hardware mirroring works on an encrypted drive)

thanks again
Did you understand my point? When and how should your server mount it's encrypted data? The problem does not only arise if you encyrpt the whole drive but with any sort of encryption. You need someone to enter a password. If you don't want to go that way (entering a pw), you simply cannot use PGP here.
our problem is that we need to comply with the following requirements so whatever is needed i suppose. there is only a small amount of data that needs to be encrypted but these are the guidelines we have got to adhere to :( so if the below can only be achieved by having one of our servers encrypted then that is what will be needed. I would guess that if we have 2 servers e.g 1 server as the nornal sbs 2011 server and the member server running 2008 r2 as the encrypted server then this would be an easier way to manage it than having all of the encyrption on the same server as the normal data dont you think?

these are the 3 main points we are going to need to adhere to:
1Encryption software must be implemented on all system and devices that accesses the secure data.
2. Encryptionit needs to meet the required FIPS 140-2 standard?
3, back-up files need to be also encrypted

So I await your response again thanks and I aplogise if I am not being entirely clear :)
Nowhere in the specifications you posted does it say the server needs to be encrypted, only the clients accessing the data and backups of the data itself.

If this is the case then you can use PGP on your clients, or another whole disk encryption software like truecrypt. That would solve part 1 and 2.

Part 3 can be resolved depending on your backup method/product. I know backupexec has the ability to encrypt its backup data but we would need to know more about how you are performing backups.
phoenix, you still are missing the point. I asked you to clear up how mounting should work, how you would deal with the problems I mentioned. Please do so.
Sorry Mcknife when you say mounting do you mean booting up/ starting up the server?
No. mounting an encrypted media (partition or container) means unlocking its encrypted state (by entering the encryption password or providing a keyfile or token of some kind) and making it thereby accessible to the OS.
Again: if you would like to encrypt a server, you will run into problems. Everytime the server has to restart, you will need to provide that password - how would you do that? Sleep in the server room? :)

What I say is there are indeed solutions to cover that problem, but PGP is not part of those solutions as it does not offer these techniques yet.

With PGP, anytime the server restarts (for whatever reason) you would need to be at hand to enter the password... I hope now you finally got my point.

My question remains: how will you deal with that problem?
To make progress: again the question: how did you plan to enter or provide the encryption key at the server?
Hello, anybody home?
You might be interested in Symantec's best practices document: PGP Whole Disk Encryption on Windows Servers ->
Booting the Windows Server will require the physical presence of the administrator to supply credentials at PGP BootGuard: When PGP WDE is installed and the disk encrypted, a server operator or administrator with valid credentials will need to authenticate to PGP BootGuard prior to the Windows Server OS starting. It is important that this change in server operation be understood and adopted into your operating procedures. For example, where the server administrator would
remotely connect to a server to perform a reboot or load a driver/service pack that required a reboot, upon reboot the server will require authentication at PGP BootGuard. This means that remote administration procedures need to be modified within your business. PGP WDE provides functionality via the PGP WDE command line called “Boot Bypass”. Further information is provided  in “Remote booting of the Windows Server,” below.  
hi guys regarding the server reboot scenario we would just have the office staff have to enter the server password if and when it needed rebooting. This will be less of a problem if the encrypted server was only used for the encypted data hence if it needed rebooting it would only stop the 4 users from accessing the encrypted data where as the seperate main server which would host (no encrypted data) would be able to be rebooted remotely as normal.

So can you please advise what Symantec software you think we will need and hardware  if possible to achieve the following if you know?

- an encrypted folder on a server machine - shared to up to 4 client pcs that will access the data -
- What HP server hardware would you recommend to purely store the encrypted server data and can we install the encypted server as a windows 2008 r2 member server ?

Many thanks again
Avatar of Member_2_3586344

Guys i'm not familiar with Symantec PGP so maybe I'm missing something , but isn't there a possibility to encrypt just files and not whole partition? In that case you don't need to solve  "booting scenarios". Data will be stored on server only as encrypted files / directories.
If it should be Symantec (could also be Truecrypt), take their PGP WDE 10 software. It's really irrelevant, if or how many clients access the data.
About hardware: take anything you like, the performance hit by encryption is negligible.
And yes, you can install it as 2008 R2 as a member server.
my client has stalled on this solution so far so when they eventually make a decision and we purchase the software I shall update here thank you
Could you please tell me how you proceeded?
Next time you ask something, give feedback, otherwise helpers might feel their efforts are all in vain.