Solved

What are PGP File Share best practices for only the data on the server

Posted on 2013-05-27
13
549 Views
Last Modified: 2013-06-02
We have a small office with Server 2008 r2, all workstations are Windows.

We need to encrypt all files created within the domain.  The server has 2 partitions one for data the other for the operating system.

The server has 2 partitions the "C" drive has the operating system and a small amount of programs.  The "D" drive has the other programs and a folder with multiple sub folders that has all the data.

I do not want to enter a passphrase each time the server boots
I do not want to have to create a special boot disk with special drivers, if possible
I would prefer to encrypt only the "Data" Folder, I would prefer not to encrypt the programs
Backups of the "Data" folder have to be encrypted
The files need to be available to other employees based on the file share rules
Encryption/Decryption  occurs on the server
Product has to be Symantec PGP

Let me know what other details you might need to help.

Thanks for the help
Question by:c7c4c7
13 Comments
 
LVL 53

Expert Comment

by:McKnife
Hi.

I think I can help you out as we have realized server encryption "hands free" with all our servers. But first some questions for you to answer:
-why do you limit yourself to PGP (which is a product we use for the clients, by the way, I know it very well)? [You cannot solve this with PGP, it does not offer this yet.]
-would it be possible to virtualize the server?
-what are you protecting against?
-is there at least one physically secured room at your company where you would not need to fear theft?
 
LVL 38

Expert Comment

by:Rich Rumble
Exactly, PGP won't fit the bill. If there is a specific requirement, let us know, but "seamless" encryption is a non-starter for PGP. Do you want to protect LTs from being accessed should they be lost or stolen?
Security is a process and not a program/product. Storing "all files created" in an encrypted form is a lofty goal.
There are other questions of scope... like do you also want to encrypt temporary files the OS creates? They may be in unencrypted places like the other partition, think pagefile and c:\temp for examples. M$ Word also creates temp files when it opens them, right next to the file you're working on, but those can sometimes be found in the pagefile in plain text on the remote computer... There is a lot more to it than making an encrypted folder...
This kind of goes over possible "leaks", and it's true of any other product as well...
http://www.truecrypt.org/docs/?s=security-requirements-and-precautions
-rich
 

Author Comment

by:c7c4c7
-why do you limit yourself to PGP (which is a product we use for the clients, by the way, I know it very well)? [You cannot solve this with PGP, it does not offer this yet.]

PGP is the only encryption software allowed by the governing body


-would it be possible to virtualize the server?
Never thought of that, what would this do for us


-what are you protecting against?
The server being stolen and the customer data stolen

-is there at least one physically secured room at your company where you would not need to fear theft?

No
 
LVL 53

Expert Comment

by:McKnife
Virtualization: this would allow you to squeeze the whole OS into an encrypted container, including all files. Passwords would still need to be provided, of course. That's why I asked for secured rooms. My thought was (that's what we are doing) to keep keyfiles on a file share of a physically secured computer. The keyfiles act as passwords. If the server is stolen, it will no longer have contact with the keyfile server and cannot be decrypted.
But if there is no physical security at all, this would not work out.
You could only try to use an internet-based keyserver and somehow make that keyserver only accessible to requests from within your company.

By the way, I wonder why only PGP is allowed - does it hold any exclusive certificates? Not that I know of. From other governments (mine for example) perspectives it is not allowed for data of a certain class.

Thing is: pgp does not know keyfiles on the command line and keyfiles would literally be the key to solving your problem.
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
PGP is not the only approved software, what regulation or control are you trying to satisfy? FISMA 800-37, FedRAMP and others all have rules to abide by but do not mandate what software is required. Institutions can however make that part of the SLA or requirements, but there is no US control for PGP only encrypted disks.
800-111 explains that in great detail: http://csrc.nist.gov/publications/nistpubs/800-111/SP800-111.pdf HIPAA also says the same sorts of things, to use NIST 140-2 approved encryption products.
If you're mandated/forced to use PGP for whatever reason, then your requirements could be met, but your security isn't guaranteed. You can PGP encrypt the DATA drive, and no password prompt will show up when you boot up; however, to use the DATA drive you would have to enter a password or have the key to input so that the drive/partition could be mounted by the OS. Once the OS mounts the drive, while it is encrypted technically, the key to decrypt is in memory, and the drive looks like any other to the OS; it doesn't know it's encrypted. So the users or an attacker on a user's computer could be free to copy the data, as again it's mounted and looks like any other file/folder/partition to the OS. Customer data is not protected by PGP or any other product while that drive is mounted. Just so you know. There are other controls, like file/folder permissions, perhaps DB controls as well, depends on the data, but the encryption ONLY protects you if someone powered the server off and stole it. These are called OFFLINE attacks. It's the most remote possible scenario for most companies. Your backups would not be encrypted unless you're backing up the file/folder/partition when it's not mounted...
So that part is up to your backup software. There are a lot more scenarios, let me know if you have questions about what's been said so far.
-rich (---> Gov't Security Contractor) *You might not be in the US, so maybe it is required*
 

Author Comment

by:c7c4c7
Encryption of the Server is not currently mandated but we expect it to happen in the near future.  So even though we do not have to technically do anything at this point we are trying to get ahead of the curve and we do not want to have to do it twice.  That is why we are sticking with PGP.  PGP is the only encryption software certified by the parent company, generally they limit the number of products they certify and do not range throughout the industry certifying many products as it costs them money.  How they decide on one rather than another product is beyond me.

Primarily we are trying to guard against theft.  Folder permissions are used where necessary.  Currently WDE is required but we are trying to get an exemption because of the password issue and the need for a special boot disk with special drivers should there be a problem, there is not a tech onsite at all times.  I was not aware that there would have to be human intervention to mount the "D" drive before it could be used, makes the effort to not use WDE a waste of time unless it could safely be scripted.

You mentioned Truecrypt as an alternative, how would that change the picture?
 
LVL 38

Expert Comment

by:Rich Rumble
Key and/or password management is the only safeguard you have, and if you're having it input automatically by a script, then the key/password is in plain text, thus the theft of the server will result in the theft of your data, as the server will just open the DATA share for the attacker when it's booted up. That's why FDE is a pain, because it has to be; full disk encryption has to be the way it is to remain somewhat secure. I can go on about the holes that may still exist... Perhaps you'd like to look at YubiKeys for your full disk encryption password problem; it only takes a physical touch, not a password.
The Yubikey will store a long complicated password, no one needs to know what it is, but they do have to have physical usb token. So REMOVE the token whenever the booting is done, and place it back in when you need to reboot.
I understand the mandate to use a certain software, and for exceptions that might need to be made. TC is not certified but uses certified OpenSSL libraries underneath, it's no better or worse than PGP other than the endorsement/certification portions. PGP has a central management aspect that TrueCrypt or FreeOTFE do not have.
http://www.yubico.com/products/yubikey-hardware/yubikey/
It (the YubiKey) works anywhere you need a password: just plug it in, click where you need the password entered, and press the button on the YubiKey, and the password is entered. The YubiKey uses a very well understood keyboard driver, and simulates pressing keys on a keyboard. Thus it is also possible to have a keystroke logger capture the data, but that's the same if you type it in...
-rich
 
LVL 53

Expert Comment

by:McKnife
But remember that such a hardware-key-solution will have to be constantly removed and if removed, it cannot reboot hands-free. If the server bluescreened or you would like to reboot it from remote for patching, it can't start. I don't think you want that.
 
LVL 38

Expert Comment

by:Rich Rumble
You could if you didn't have FDE on the boot partition. Then the physical key, which only enters a password without the need to remember what it is, should be kept under lock and key. I don't know of a secure way of mounting an encrypted container unless using an HSM or other key management, and PGP lacks that ability. You can use HSMs and key management with databases that are encrypted, because they have APIs designed to deal with encryption; M$ files and folders do not.
I suggested the physical key to remember the complex password, and potentially allow just about anyone on site to boot up the machine without having to reveal the password to people who aren't authorized to have it. It can be changed/reprogrammed after they have used it.
-rich
 
LVL 53

Expert Comment

by:McKnife
Time for a plan...

To sum this up:
-you are bound to PGP WDE.
-PGP cannot offer what you need. So either you wait for PGP to offer this in another version or you loosen the binding to "certified" products.
-If you did, you would have some methods that can be called "hands-free" if you were only able to provide at least one physically secured computer, even if it were internet based.

So decide on how to progress or we'll lose ourselves in details :)

PS: another, yet unmentioned method for hands-free would be Bitlocker with TPM... this however will not be certified, I guess, so I skip the details until you decide.
 

Author Comment

by:c7c4c7
Here is the immediate plan: install a lockable door. Build a test environment and see the differences between TrueCrypt and PGP.

Try to get as close as possible to where we want to be and let the industry improve over time.  I doubt we are the only group that have this problem.

Thanks for the help.
 

Author Closing Comment

by:c7c4c7
Thanks for the help, you brought forward some interesting points.  We will get more familiar with the area and post more questions if necessary.
 
LVL 53

Expert Comment

by:McKnife
To make it complete: what PGP does know is the command line. You could go about and establish a batch file that does the hands-free mounting for you. However, that batch file would have to be secured, as it holds the password in plain text. So you could put it on an internet-based web server that is only accessible from the fixed IP addresses your provider gave you. A scheduled task would download and use it, then delete it.
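The "hands-free" pattern the thread converges on (McKnife's keyfile on a physically secured host, fetched at boot by a scheduled task) can be written so that it fails closed when that host is unreachable and never leaves the secret on the server's own disk. The script below is an added example, not code from the thread or from Symantec: the share path is a placeholder, and `Unlock-DataVolume` is a stand-in for whatever PGP command-line call the site's own PGP version documents (no real PGP flags are assumed here).

```powershell
# Added example, not from the thread. Run as a scheduled task at startup
# (Server 2008 R2 / PowerShell 2.0 compatible).
# Assumptions (placeholders, not on the page):
#   - the keyfile lives on a share of a physically secured host
#   - Unlock-DataVolume stands in for the site's real PGP command-line call
param(
    [string]$KeyFileShare = '\\KEYHOST\keys\data-volume.key',   # placeholder
    [string]$LogPath      = 'C:\ProgramData\DataVolumeUnlock.log'
)

function Write-Log([string]$Message) {
    # Outcome only; the secret is never written to the log.
    "$(Get-Date -Format o) $Message" | Add-Content -Path $LogPath
}

function Unlock-DataVolume([System.Security.SecureString]$Passphrase) {
    # Placeholder: replace with the PGP command-line unlock documented for
    # your PGP version. Must return $true on success, $false otherwise.
    throw 'Replace Unlock-DataVolume with your PGP command-line unlock call'
}

# 1. Fail closed. If the key host cannot be reached (for example because the
#    server has been carried off-site), do not try to unlock anything.
$keyHost = ($KeyFileShare -split '\\')[2]
if (-not (Test-Connection -ComputerName $keyHost -Count 2 -Quiet)) {
    Write-Log "Key host $keyHost unreachable; leaving data volume locked"
    exit 1
}

# 2. Read the keyfile straight from the share into memory; never copy it to
#    the local disk (no download-then-delete step that could be recovered).
try {
    $raw = [System.IO.File]::ReadAllText($KeyFileShare)
} catch {
    Write-Log "Keyfile not readable: $($_.Exception.Message)"
    exit 1
}
$secure = ConvertTo-SecureString -String $raw -AsPlainText -Force
$raw = $null   # drop the plain-text copy as early as possible

# 3. Unlock, record only the outcome, and dispose of the secret afterwards.
try {
    if (Unlock-DataVolume -Passphrase $secure) {
        Write-Log 'Data volume unlocked'
    } else {
        Write-Log 'Unlock failed'
        exit 1
    }
} finally {
    $secure.Dispose()
}
```

This only moves the trust boundary; it does not remove it. Rich's caveat still holds: whoever controls the key host (or a machine the share trusts) can unlock the volume, so the approach is only as good as the physical security of that host and the share's permissions, and once the volume is mounted the data is as exposed to the OS and any logged-on user as an unencrypted drive.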