Bert2005 asked:

TrueCrypt vs Jetico vs Neither on a server

Hi experts,

I have an SBS 2008 Standard server soon to be SBS 2011 Standard (unless I go with Server 2012 and Hyper-V). But, for now the above. It is on a Dell PowerEdge 2900 with a RAID 1 for the OS and a RAID 5 for the data.

It currently has ESET NOD32 Enterprise A/V with full exclusions for Exchange, etc. It is backed up with the SBS Imaging Backup which is encrypted.

The problem (well it should be a problem anyway) is that I am a physician and HIPAA now mandates that PHI (patient health information) be encrypted.

From my understanding, TrueCrypt is free (not sure for commercial use or not) and encrypts the data only when the server or computer is not in use. Jetico (pay for) also encrypts the data when the server or computer is off.

This is the most important since the main objective would be if someone were to steal the hard drives, the data would be encrypted. In talking to Jetico, I "think" they also have a solution whereby files are encrypted while the server is in use. This, I suppose, would only be useful to combat viruses or malware such as Cryptolocker. The encrypted backup would be useful if Cryptolocker were to get on the server, but that is an added hassle.

I also think SBS 2008 has BitLocker, but I know very little about it, which is probably the reason I am not using it.

I have also been told by a very knowledgeable person who sets up quite a few SBS and other Microsoft OSs, that it can cause a performance hit as well as even corrupt files.

So, my questions are:

1. How likely is it that a properly set up encryption program could hurt server data files?
2. How much of a performance hit would there be?
3. Of the three options for encryption, which would be best in your opinion?
4. Would you even consider using the Jetico option of encryption while the server is running?

Thanks.

Bert
SOLUTION
Gregory Miller
ASKER

Hi Technodweeb,

Thanks. That is great advice. Basically answers the #4. Thanks for your time.
Everything in medicine (and probably IT) is risk/benefit. I have had a network for over ten years and never had someone steal a hard drive. Then again, there is always a first. We do all these backups and A/V and the biggest threat is the cleaning crew. Of course, it would be smart to have a locked up enclosure, but not all of us lease a building where that is feasible.

There was a clinic in Alabama, I believe, where an employee took a laptop home that wasn't encrypted. It was stolen. They got a HUGE fine. Of course, this is why I have always advised other users of the EMR program to not take a backup home on a flash drive. How many have I lost?

A Dell PowerEdge weighs nearly 50 lbs (guess), but the hot swappable drives are rather easy to take out.
ASKER CERTIFIED SOLUTION
David
Thanks dlethe,

Not great news, but intelligent news.

Wow. I have two Dell PERC 6/i RAID cards, which my guess tells me is not the expensive one you are referring to.

When you say running RAID1, are you referring to RAID, in general, or specifically RAID1? I ask because I have a RAID5 for the data which is all that would need to be encrypted.
Perfect answers when put together. Thanks. I would have to say that trying to encrypt the RAID 5 would still affect the RAID 1. Probably no difference anyway.
Any RAID level is going to have problems unless you have the right type of controller and disks. You're talking a few thousand dollars minimum for an entry-level config.  

The TCG self-encrypting drives cost more than the standard enterprise drives; heck, a single SED disk drive costs you more than that pair of PERC 6i controllers you have.

http://www.lsi.com/products/raid-controllers/pages/megaraid-safestore-software.aspx
Guess, I'll just stay unencrypted. I am going to be getting a new server soon. Maybe I'll pay a few, well more than a few, bucks more.

Thanks.
If I may add...
You should not stay unencrypted if HIPAA now mandates that PHI (patient health information) be encrypted.
1) We need to back up important data - losing data by encrypting it and having technical problems with the encryption is just another small reason to justify thorough backups. So encryption does not change the game here.
2) You will have a very hard time finding anyone that does find encrypted data/encr. drives to be slower accessible. Really hard to find though measurable. So leave that thought alone.
3) The "best-question" is always my favorite... NOT ;) Let's talk about the crucial point and then decide: if the data resides on a server and that server is left alone - who would enter the key when the server reboots? This cannot be done hands-free without some tricks. But if you need it to be hands-free, there could indeed be a "best" solution. So please tell me where your data resides (on all partitions or just on a data partition or would HIPAA force you to encrypt the whole system?)?
4) has been answered.

PS: Self-encrypting drives would need a key to be entered as well.
Thanks McKnife,

I have the RAID1 system drive.

The RAID5 is a completely separate drive, which is partitioned into three partitions but, obviously one drive. These are D: data, E: installs and F: Extra.

The only thing that would need to be encrypted would be the data.

Thanks.
Ok, a single partition, fine. And what about the encr. key, how would be the concept of providing it in case the server reboots? Manually ok, or would that HAVE to be automated? Think about it, that might be the crucial point, there would have to be people at hand that know the key and have physical or remote interactive access to the server.
Well I doubt I will give access to anyone when it comes to the server.

So, a server with encrypted drives can't be simply rebooted? I thought when the server was off, the drives would be encrypted, which was the whole point.

Thanks for your help.
When the server is off, the drives are encrypted, yes. Before the data is usable, the encryption key has to be provided, that should be understood. We can set it up to be provided manually or automatically. Automatically does not imply that this method will be insecure although it sounds so.

You could set it up to get the key by means of a key file. This file would be used whenever the computer starts and the drive(s) will be unlocked. You would only need to make sure that a possible thief may not get hold of that file.

We use it like this. The keyfiles reside on another computer that is physically very well secured. Whenever the server with the encrypted partition starts, it fetches the keyfile from that secured server automatically via network share. When stolen, that share is not accessible, so the drive remains locked.

I hope you understand. This method can be used with TrueCrypt or DiskCryptor for example - both support key files and are free.
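
A sketch of the boot-time unlock described in the post above, as an added example that is not the poster's own syntax or part of the original thread. The install path, device path, share name, keyfile name and drive letter are assumptions; the switches (`/v`, `/l`, `/k`, `/p`, `/q`, `/s`) are TrueCrypt's Windows command-line options, and `Start-Process` needs PowerShell 2.0 or later.

```powershell
# Added example: boot-time unlock of a data volume with a keyfile held on another host.
# Every path, the share name and the drive letter below are assumed placeholders.
$TrueCrypt = 'C:\Program Files\TrueCrypt\TrueCrypt.exe'
$Volume    = '\Device\Harddisk1\Partition1'     # encrypted data partition (placeholder)
$Letter    = 'D'
$KeyFile   = '\\KEYHOST\unlock$\sbs-data.key'   # read-only share on the secured machine
$Retries   = 10                                 # the network may not be up yet at startup
$DelaySec  = 15

function Wait-ForKeyFile {
    param([string]$Path, [int]$Retries, [int]$DelaySec)
    for ($i = 1; $i -le $Retries; $i++) {
        if (Test-Path -LiteralPath $Path) { return $true }
        Start-Sleep -Seconds $DelaySec
    }
    return $false
}

# Fail closed: if the share cannot be reached (for example the server or its
# drives are no longer on the office network), the volume stays locked.
if (-not (Wait-ForKeyFile -Path $KeyFile -Retries $Retries -DelaySec $DelaySec)) {
    Write-Error "Keyfile share not reachable; $($Letter): stays locked."
    exit 1
}

# The keyfile is read over the UNC path and never copied to local disk.
# /p "" = keyfile-only volume (no password), /q /s = no window, no prompts.
$tcArgs = "/v `"$Volume`" /l $Letter /k `"$KeyFile`" /p `"`" /q /s"
$proc = Start-Process -FilePath $TrueCrypt -ArgumentList $tcArgs -Wait -PassThru

# Confirm the mount instead of trusting the exit code alone.
if (-not (Test-Path -LiteralPath "$($Letter):\")) {
    Write-Error "Mount of $($Letter): failed (exit code $($proc.ExitCode))."
    exit 2
}
Write-Output "$($Letter): mounted."
```

Run it as a startup task under an account whose only right on the share is read access, and keep the keyfile off the encrypted server's own disks and backups. Services that depend on the data volume have to start after the script succeeds.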
That sounds perfect. I am sure it would pass HIPAA standards. I wish I could give you some points.
[It's about helping, not about points. Points are ruining the quality of the forum, if you ask me. Of course there are some good people that get attracted by the competition. But the negative effects outweigh the positive ones. People don't work together but often don't even read other "experts'" comments before (eagerly) adding their own :) ]

So if you need help setting it up, just whistle, I have the syntax ready.
Thanks McKnife. I will do just that.