c7c4c7
What are PGP File Share best practices for only the data on the server
We have a small office with Server 2008 r2, all workstations are Windows.
We need to encrypt all files created within the domain. The server has 2 partitions one for data the other for the operating system.
The server has 2 partitions the "C" drive has the operating system and a small amount of programs. The "D" drive has the other programs and a folder with multiple sub folders that has all the data.
I do not want to enter a passphrase each time the server boots
I do not want to have to create a special boot disk with special drivers, if possible
I would prefer to encrypt only the "Data" Folder, I would prefer not to encrypt the programs
Backups of the "Data" folder have to be encrypted
The files need to be available to other employees based on the file share rules
Encryption/Decryption occurs on the server
Product has to be Symantec PGP
Let me know what other details you might need to help
Thanks for the help
Exactly, PGP won't fit the bill. If there is a specific requirement, let us know, but "seamless" encryption is a non-starter for PGP. Do you want to protect laptops from being accessed should they be lost or stolen?
Security is a process and not a program/product. Storing "all files created" in an encrypted form is a lofty goal.
There are other questions of scope... like, do you also want to encrypt temporary files the OS creates? They may be in unencrypted places like the other partition; think pagefile and c:\temp, for example. M$ Word also creates temp files when it opens a document, right next to the file you're working on, and that content can sometimes be found in the pagefile in plain text on the remote computer... There is a lot more to it than making an encrypted folder...
This kind of goes over possible "leaks", and it's true of any other product as well...
http://www.truecrypt.org/docs/?s=security-requirements-and-precautions
-rich
ASKER
-why do you limit yourself to PGP (which is a product we use for the clients, by the way, I know it very well)? [You cannot solve this with PGP, it does not offer this yet.]
PGP is the only encryption software allowed by the governing body
-would it be possible to virtualize the server?
Never thought of that, what would this do for us
-what are you protecting against?
The server being stolen and the customer data stolen
-is there at least one physically secured room at your company where you would not need to fear theft?
No
Virtualization: this would allow you to squeeze the whole OS into an encrypted container, including all files. Passwords would still need to be provided, of course. That's why I asked about secured rooms. My thought was (that's what we are doing) to keep keyfiles on a file share of a physically secured computer. The keyfiles act as passwords. If the server is stolen, it will no longer have contact with the keyfile server and cannot be decrypted.
But if there is no physical security at all, this would not work out.
You could only try to use an internet-based keyserver and somehow make that keyserver only accessible to requests from within your company.
By the way, I wonder why only PGP is allowed - does it hold any exclusive certificates? Not that I know of. From other governments' perspectives (mine, for example) it is not allowed for data of a certain class.
Thing is: PGP does not know keyfiles on the command line, and keyfiles would literally be the key to solving your problem.
ASKER CERTIFIED SOLUTION
ASKER
Encryption of the Server is not currently mandated but we expect it to happen in the near future. So even though we do not have to technically do anything at this point we are trying to get ahead of the curve and we do not want to have to do it twice. That is why we are sticking with PGP. PGP is the only encryption software certified by the parent company, generally they limit the number of products they certify and do not range throughout the industry certifying many products as it costs them money. How they decide on one rather than another product is beyond me.
Primarily we are trying to guard against theft. Folder permissions are used where necessary. Currently WDE is required but we are trying to get an exemption because of the password issue and the need for a special boot disk with special drivers should there be a problem, there is not a tech onsite at all times. I was not aware that there would have to be human intervention to mount the "D" drive before it could be used, makes the effort to not use WDE a waste of time unless it could safely be scripted.
You mentioned Truecrypt as an alternative, how would that change the picture?
Key and/or password management is the only safeguard you have, and if you're having it input automatically by a script, then the key/password is in plain text; thus the theft of the server will result in the theft of your data, as the server will just open the DATA share for the attacker when it's booted up. That's why FDE is a pain, because it has to be; full disk encryption has to be the way it is to remain somewhat secure. I can go on about the holes that may still exist... Perhaps you'd like to look at YubiKeys for your full disk encryption password problem; it only takes a physical touch, not a password.
The YubiKey will store a long, complicated password; no one needs to know what it is, but they do have to have the physical USB token. So REMOVE the token whenever the booting is done, and place it back in when you need to reboot.
I understand the mandate to use a certain software, and that exceptions might need to be made. TC is not certified but uses certified OpenSSL libraries underneath; it's no better or worse than PGP other than the endorsement/certification portions. PGP has a central management aspect that TrueCrypt or FreeOTFE do not have.
http://www.yubico.com/products/yubikey-hardware/yubikey/
It (the YubiKey) works anywhere you need a password: just plug it in, click where you need the password entered, and press the button on the YubiKey, and the password is entered. The YubiKey uses a very well understood keyboard driver and simulates pressing keys on a keyboard. Thus it is also possible for a keystroke logger to capture the data, but that's the same if you type it in...
-rich
But remember that such a hardware-key-solution will have to be constantly removed and if removed, it cannot reboot hands-free. If the server bluescreened or you would like to reboot it from remote for patching, it can't start. I don't think you want that.
You could if you didn't have FDE on the boot partition. Then the physical key, which only enters a password without the need to remember what it is, should be kept under lock and key. I don't know of a secure way of mounting an encrypted container unless using an HSM or other key management, and PGP lacks that ability. You can use HSMs and key management with databases that are encrypted, because they have APIs designed to deal with encryption; M$ files and folders do not.
I suggested the physical key to remember the complex password, and potentially allow just about anyone on site to boot up the machine without having to reveal the password to people who aren't authorized to have it. It can be changed/reprogrammed after they have used it.
-rich
Time for a plan...
To sum this up:
-you are bound to PGP WDE.
-PGP cannot offer what you need. So either you wait for PGP to offer this in another version or you loosen the binding to "certified" products.
-If you did, you would have some methods that can be called "hands-free" if you were only able to provide at least one physically secured computer, even if it were internet based.
So decide on how to progress or we'll lose ourselves in details :)
PS: another, yet unmentioned method for hands-free would be Bitlocker with TPM... this however will not be certified, I guess, so I skip the details until you decide.
ASKER
Here is the immediate plan, install a lockable door. Build a test environment and see the differences between Truecrypt and PGP.
Try to get as close as possible to where we want to be and let the industry improve over time. I doubt we are the only group that has this problem.
Thanks for the help.
ASKER
Thanks for the help, you brought forward some interesting points. We will get more familiar with the area and post more questions if necessary.
To make it complete: what PGP does know is the command line. You could go about it by establishing a batch file that does the hands-free mounting for you. However, that batch file would have to be secured, as it holds the password in plain text. So you could put it on an internet-based web server that is only accessible from the fixed IP addresses your provider gave you. A scheduled task would download and use it, then delete it.
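The keyfile-on-a-secured-share idea earlier in the thread and the fetch-and-delete batch file in the post above rest on the same design point: the secret that opens the "D" volume must not live on the server, so a stolen box cannot unlock itself. The script below is an added illustration of that design, not code from this thread, from PGP, TrueCrypt or any other vendor. It keeps only a local salt on the server, fetches a keyfile from the in-office keyfile server at boot, derives the volume passphrase from both parts with HKDF-SHA256, and hands the result to the mount tool on stdin rather than on the command line or in a file. The fetch function, the mount command and the sample salt/keyfile bytes are all assumptions constructed for the example; on the real server this logic would sit in the scheduled task that runs after boot.

```python
"""Hands-free unlock with the passphrase kept OFF the server (added example).

Design: the server stores only LOCAL_SALT. At boot a scheduled task fetches a
keyfile from a machine reachable only inside the office (a physically secured
box, or a web server restricted to the company's fixed IPs). The passphrase
is derived from BOTH parts, so a stolen server (salt only) and a compromised
keyfile server (keyfile only) each lack what the other holds.

Assumptions (not from the thread): HKDF-SHA256 as the derivation, a
hypothetical fetch_keyfile() standing in for the real HTTPS/SMB fetch, and a
hypothetical mount_volume() that feeds the passphrase to the encryption
product's command-line tool on stdin.
"""
import hashlib
import hmac
import subprocess
from typing import List, Optional

# --- constructed sample material; replace both on a real deployment ---
# Lives on the server only (generate once with secrets.token_bytes(32)).
LOCAL_SALT = bytes.fromhex(
    "1f8c3e9a7b2d4c6e0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f6071")
# Lives on the secured keyfile server only; constructed 64-byte stand-in.
REMOTE_KEYFILE = bytes(range(64))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_passphrase(keyfile: bytes, local_salt: bytes, volume_id: str) -> str:
    """Combine the remote keyfile and the local salt into one passphrase.

    Neither input alone reproduces it, and volume_id binds the result to one
    volume so a single keyfile server can serve several machines.
    """
    okm = hkdf_sha256(keyfile, local_salt, b"volume-unlock:" + volume_id.encode())
    return okm.hex()  # 64 hex characters; safe to pass to a CLI on stdin


def fetch_keyfile() -> bytes:
    """Hypothetical fetch. In production: HTTPS GET from the IP-restricted web
    server or a read from the secured machine's share, with a short timeout so
    an off-site (stolen) server fails fast instead of hanging at boot."""
    return REMOTE_KEYFILE


def mount_volume(passphrase: str, mount_cmd: Optional[List[str]] = None) -> bool:
    """Feed the passphrase to the mount tool on stdin, never on argv or disk.

    mount_cmd is a placeholder for the product's real command; argv is visible
    to every local process, and a file with the passphrase would survive theft.
    """
    if mount_cmd is None:
        return False  # nothing to run in this offline illustration
    proc = subprocess.run(mount_cmd, input=passphrase.encode(), capture_output=True)
    return proc.returncode == 0


def unlock(volume_id: str = "D") -> bool:
    """Boot-time sequence: fetch, derive, mount, then drop the secrets."""
    keyfile = fetch_keyfile()
    passphrase = derive_passphrase(keyfile, LOCAL_SALT, volume_id)
    try:
        return mount_volume(passphrase)
    finally:
        # Python cannot reliably zeroise immutable str/bytes; drop references
        # promptly and never log, echo or write the passphrase anywhere.
        del passphrase, keyfile


if __name__ == "__main__":
    print("mounted" if unlock() else "mount skipped (no mount command configured)")
```

If the keyfile server is the IP-restricted web server from the post above, the HTTPS fetch should also verify the server certificate, otherwise anyone on the path between the office and that host can hand the server a keyfile of their choosing or read the real one. The passphrase is still in RAM while the volume is mounted, so this does not change what the thread already said about the pagefile and temp files.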
I think I can help you out as we have realized server encryption "hands free" with all our servers. But first some questions for you to answer:
-why do you limit yourself to PGP (which is a product we use for the clients, by the way, I know it very well)? [You cannot solve this with PGP, it does not offer this yet.]
-would it be possible to virtualize the server?
-what are you protecting against?
-is there at least one physically secured room at your company where you would not need to fear theft?