Solved

TrueCrypt vs Jettico vs Neither on a server

Posted on 2013-12-08
16
649 Views
Last Modified: 2016-11-23
Hi experts,

I have an SBS 2008 Standard server soon to be SBS 2011 Standard (unless I go with Server 2012 and Hyper-V). But, for now the above. It is on a Dell PowerEdge 2900 with a RAID 1 for the OS and a RAID 5 for the data.

It currently has ESET NOD32 Enterprise A/V with full exclusions for Exchange, etc. It is backed up with the SBS Imaging Backup which is encrypted.

The problem (well it should be a problem anyway) is that I am a physician and HIPAA now mandates that PHI (patient health information) be encrypted.

From my understanding, TrueCrypt is free (not sure for commercial use or not) and encrypts the data only when the server or computer is not in use. Jetico (pay for) also encrypts the data when the server or computer is off.

This is the most important since the main objective would be if someone were to steal the hard drives, the data would be encrypted. In talking to Jetico, I "think" they also have a solution whereby files are encrypted while the server is in use. This, I suppose, would only be useful to combat viruses or malware such as Cryptolocker. The encrypted backup would be useful if Cryptolocker were to get on the server, but that is an added hassle.

I also think SBS 2008 has bit locker, but I know very little about it, which is probably the reason I am not using it.

I have also been told by a very knowledgeable person who sets up quite a few SBS and other Microsoft OSs, that it can cause a performance hit as well as even corrupt files.

So, my questions are:

1. How likely is it that a properly set up encryption program could hurt server data files?
2. How much of a performance hit would their be?
3. Of the three options for encryption, which would be best in your opinion?
4. Would you even consider using the Jetico option of encryption while the server is running?

Thanks.

Bert
0
Comment
Question by:Bert2005
  • 9
  • 4
  • 2
  • +1
16 Comments
 
LVL 11

Assisted Solution

by:Technodweeb
Technodweeb earned 150 total points
ID: 39705125
I do not have an answer for your encryption question but as far as a virus, malware or ransomware attack, the files will still be vulnerable as long as they keep their original extension names, and even then, maybe not.

Threats like CryptoLocker search out and encrypt files with specific extensions. Lets say you have a Word doc with .DOC extension on your server that has been encrypted by any encryption program, that file is still a file to the network and OS and can thus be acted on as a file. Encrypting an encrypted file can be done. Think of zipping and already zipped file. You can do it as many times as you want. Do not fall victim to a false sense of safety.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 39705133
Hi Technodweeb,

Thanks. That is great advice. Basically answers the #4. Thanks for your time.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 39705135
Everything in medicine (and probably IT) is risk/benefit. I have had a network for over ten years and never had someone steal a hard drive, Then again, there is always a first. We do all these backups and A/V and the biggest threat is the cleaning crew. Of course, it would be smart to have a locked up enclosure, but not all of us lease a building where that is feasible.

There was a clinic in Alabama I believe where an employee took a laptop home wasn't encrypted. It was stolen. They got a HUGE fine. Of course, this is why I have always advised other users of the EMR program to not take a backup home on a Flash drive. How many have I lost?

A Dell PowerEdge weighs nearly 50 lbs (guess), but the hot swappable drives are rather easy to take out.
0
 
LVL 47

Accepted Solution

by:
dlethe earned 350 total points
ID: 39705139
You are running RAID1, so things change big time.  In the windows world, you're going to have to go with a hardware RAID controller that supports HDDs with hardware encryption.

There will be zero performance penalty, and if they physically steal the HDDs, then they will have gibberish, with zero chance of recovery unless they have millions of dollars worth of hardware and a few thousand years of time on their hands.

However, cost for a controller that supports the hardware encryption is more than you are going to want to pay.

So, bottom line, spend your money on an independent security consultant. You are much more likely to get hacked by social engineering or stupid end-users.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 39705159
Thanks dlethe,

Not great news, but intelligent news.

Wow. I have two Dell Perc 6/i Raid cards, which my guess tells me is not the expensive one you are referring to.

When you say running RAID1, are you referring to RAID, in general, or specifically RAID1? I ask because I have a RAID5 for the data which is all that would need to be encrypted.
0
 
LVL 1

Author Closing Comment

by:Bert2005
ID: 39705225
Perfect answers when put together. Thanks. I would have to say that trying to encrypt the RAID 5 would still affect the RAID 1. Probably no difference any way.
0
 
LVL 47

Expert Comment

by:dlethe
ID: 39705253
Any RAID level is going to have problems unless you have the right type of controller and disks. You're talking a few thousand dollars minimum for an entry-level config.  

The TCG self-encrypting drives cost more than the standard enterprise drives, heck. A single SED disk drive costs you more than that pair of PERC 6i controllers you have.

http://www.lsi.com/products/raid-controllers/pages/megaraid-safestore-software.aspx
0
 
LVL 1

Author Comment

by:Bert2005
ID: 39705258
Guess, I'll just stay unencrypted. I am going to be getting a new server soon. Maybe I'll pay a few, well more than a few, bucks more.

Thanks.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 53

Expert Comment

by:McKnife
ID: 39745534
If I may add...
You should not stay unencrypted if  HIPAA now mandates that PHI (patient health information) be encrypted.
1) We need to backup important data - losing data by encrypting it and having technical problems with the encryption is just another small reason to justify thorough backups. So encryption does not change the game here.
2) You will have a very hard time finding anyone that does find encrypted data/encr. drives to be slower accessible. Really hard to find though measurable. So leave that thought alone.
3) The "best-question" is always my favorite... NOT ;) Let's talk about the crucial point and then decide: if the data resides on a server and that server is left alone - who would enter the key when the server reboots? This cannot be done hands-free without some tricks. But if you need it to be hands-free, there could indeed be a "best" solution. So please tell me where your data resides (on all partitions or just on a data partition or would hipaa force you to encrypt the whole system?)?
4)has been answered.

PS:Self encrypting drives would need a key to be entered as well.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 39745557
Thanks McKnife,

I have the RAID1 system drive.

The RAID5 is a completely separate drive, which is partitioned into three partitions but, obviously one drive. These are D: data, E: installs and F: Extra.

The only thing that would need to be encrypted would be the data.

Thanks.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39748061
Ok, a single partition, fine. And what about the encr. key, how would be the concept of providing it in case the server reboots? Manually ok, or would that HAVE to be automated? Think about it, that might be the crucial point, there would have to be people at hand that know the key and have physical or remote interactive access to the server.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 39750535
Well I doubt I will give access to anyone when it comes to the server.

So, a server with encrypted drives can't be simply rebooted? I thought when the server was off, the drives would be encrypted, which was the whole point.

Thanks for your help.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39751376
When the server is off, the drives are encrypted, yes. Before the data is usable, the encryption key has to be provided, that should be understood. We can set it up to be provided manually or automatically. Automatically does not imply that this method will be insecure although it sounds so.

You could set it up to get the key by means of a key file. This file would be used whenever the computer starts and the drive(s) will be unlocked. You would only need to make sure that a possible thief may not get hold of that file.

We use it like this. The keyfiles reside on another computer that is physically very well secured. Whenever the server with the encrypted partition starts, it fetches the keyfile from that secured server automatically via network share. When stolen, that share is not accessible, so the drive remains locked.

I hope you understand. This method can be used with truecrypt or disk cryptor for example - both support key files and are free.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 39752254
That sounds perfect. I am sure it would pass HIPAA standards. I wish I could give you some points.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39752279
[It's about helping, not about points. Points are ruining the quality of the forum, if you ask me. Of course there are some good people that get attracted by the competition. But the negative effects outweigh the positive ones. People don't work together but often don't even read other "experts'" comments before (eagerly) adding their own :) ]

So if you need help setting it up, just whistle, I have the syntax ready.
0
 
LVL 1

Author Comment

by:Bert2005
ID: 39752916
Thanks McKnife. I will do just that.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now