Mandr1ch
asked on
Pre-boot drive encryption options
Hello,
A client of mine who is an accountant was recently notified that she needs to meet certain requirements for one of her providers. One of those is 128-bit NIST pre-boot encryption for all workstations and server drives. Her network is currently comprised of one SBS 2003 server with two primary partitions (system and data) and five workstations ranging from Vista SP2 to Win7 SP1. I have concerns about encrypting the server drives, and figured I'd check here for thoughts and opinions. So far it seems Truecrypt is the popular choice, though I'm open to commercial suggestions.
So my questions:
1. Encrypting Windows Server 2003 drives... Prone to issues? No additional risks so long as backups are running?
2. As mentioned above, I'm looking into Truecrypt because it seems to be such a popular choice. If anyone has a better suggestion, we are open to it. It does not have to be a free solution. Stability is the primary concern.
If the workstations are Win7 Enterprise, they and Server 2008 support BitLocker from within the OS, so the best option might just be to upgrade, especially since 2003 support is running out shortly.
Hi.
Yes, tell us what Vista/Win7 editions you run. For Vista/7, only Ultimate and Enterprise have BitLocker built in. This changed with Win8 Pro, which features BL, too.
We have all clients encrypted with PGP WDE 10 sold by Symantec. It is superior to BitLocker and far superior to TrueCrypt or other freeware when it comes to manageability and deployment. Read my opinion here: https://www.experts-exchange.com/questions/27634304/Laptop-security-and-encryption.html?anchorAnswerId=37727179#a37727179
About server encryption: please find out what exactly is required. If it is sufficient to only encrypt the data partitions and not the whole OS, we have an entirely different setup to solve, because encrypting the whole server would immediately mean someone would have to be present to enter the password on startup. Now some folks might intervene "not with BitLocker and a TPM chip" - correct, but still dangerous and not the required pre-boot authentication.
ASKER CERTIFIED SOLUTION
So this was a non-issue? You did not need to encrypt the servers and you did not need to think about alternatives to TC because of the small number of workstations? Then why ask? :)
ASKER
Answered my own questions regarding Truecrypt.
ASKER
@McKnife: When I originally posted this the owner had not provided me with the documentation and insisted it must be done that way. Once they did provide me with the vendor documentation, I saw the option to simply physically secure the server to satisfy their requirements. Anyhow, I appreciate the detailed replies you provided and am sorry I couldn't apply points as a solution.
To me, it seems to have more features than Truecrypt. I haven't used Truecrypt to do a boot drive. Only external drives or files mounted as drives.