Looking for an encryption solution
Posted on 2014-01-07
We have a client who has a Server 2008 R2 box acting as DC and Exchange server as well as a 2003 Terminal Server which we will be replacing soon with a 2012 RDS server. There are approximately 20 workstations, and about 5 of them are laptops. All have been replaced within the last year and are Windows 7 Pro machines - all Dell hardware.
The customer has approached us with security concerns. They want to, in their words, "encrypt all the workstations". They originally wanted to encrypt the server as well but after talking to them, we learned they really only need one share/volume encrypted on the server (it is a requirement for some data from a 3rd party they work with). Personally, I think all of this is way overkill with the exception of the laptops and the share/volume on the server - I understand the need for security there.
I have used TrueCrypt and BitLocker briefly in the past, but I'm not sure either of these options would really work for us. BitLocker is an option for the laptops but would require upgrading to Ultimate, and I haven't heard many good things about TrueCrypt. I did set up a BitLocker-encrypted partition on the server and shared it out, but if the server is rebooted it needs to be "unlocked" from the server which I don't think would work too well for them. Does anyone have any suggestions? A solution which could be AD-integrated would be ideal. The best solution would be seamless, as users don't want to have to remember an additional password and we are concerned about data recovery should a system fail or other circumstances. We also don't want noticeable performance degradation.
In summary, we are looking for a solution or solutions which will allow a share on the server to be encrypted to store sensitive information, as well as a solution for the workstations (specifically the laptops - not convinced the desktops need it, feel free to convince me otherwise) which will provide data security in case a machine is lost or stolen BUT will allow for data recovery should hardware fail. Suggestions are much appreciated.