Looking for an encryption solution

We have a client who has a Server 2008 R2 box acting as DC and Exchange server as well as a 2003 Terminal Server which we will be replacing soon with a 2012 RDS server.  There are approximately 20 workstations, and about 5 of them are laptops.  All have been replaced within the last year and are Windows 7 Pro machines - all Dell hardware.

The customer has approached us with security concerns.  They want to, in their words, "encrypt all the workstations".  They originally wanted to encrypt the server as well but after talking to them, we learned they really only need one share/volume encrypted on the server (it is a requirement for some data from a 3rd party they work with).  Personally, I think all of this is way overkill with the exception of the laptops and the share/volume on the server - I understand the need for security there.  

I have used TrueCrypt and Bitlocker briefly in the past, but I'm not sure either of these options would really work for us.  Bitlocker is an option for the laptops but would require upgrading to Ultimate, and I haven't heard many good things about TrueCrypt.  I did set up a Bitlocker-encrypted partition on the server and shared it out, but if the server is rebooted it needs to be "unlocked" from the server which I don't think would work too well for them.  Does anyone have any suggestions?  A solution which could be AD-integrated would be ideal.  The best solution would be seamless, as users don't want to have to remember an additional password and we are concerned about data recovery should a system fail or other circumstances.  We also don't want noticeable performance degradation.

In summary, we are looking for a solution or solutions which will allow a share on the server to be encrypted to store sensitive information, as well as a solution for the workstations (specifically the laptops - not convinced the desktops need it, feel free to convince me otherwise) which will provide data security in case a machine is lost or stolen BUT will allow for data recovery should hardware fail.  Suggestions are much appreciated.
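For the BitLocker data-volume problem described above (the server share needing a manual unlock after every reboot, plus the wish for AD-integrated key recovery), here is an added example that is not from the thread or any of its participants: a PowerShell script wrapping manage-bde.exe, which is what Server 2008 R2 and Windows 7 ship (the BitLocker cmdlets only arrived in later versions). It assumes the data volume is D:, the BitLocker feature is already installed, and the Group Policy "Store BitLocker recovery information in Active Directory Domain Services" applies to the server so the AD backup succeeds; auto-unlock additionally requires the server's OS volume to be BitLocker-protected.

```powershell
# Added example (not from the thread). Assumptions: data volume D:, BitLocker feature
# installed (Add-WindowsFeature BitLocker on Server 2008 R2), and the GPO that stores
# BitLocker recovery information in AD DS applied to the server's OU.
param([string]$Volume = "D:")

function Invoke-ManageBde {
    param([string[]]$ArgList)
    $out = & manage-bde.exe @ArgList 2>&1
    if ($LASTEXITCODE -ne 0) { throw "manage-bde $($ArgList -join ' ') failed:`n$out" }
    $out
}

# 1. Turn on protection with a 48-digit numerical recovery password. This is the
#    protector that matters for hardware failure: the disk can be moved to another
#    machine and unlocked with it (manage-bde -unlock D: -RecoveryPassword <digits>).
Invoke-ManageBde -ArgList @('-on', $Volume, '-RecoveryPassword')

# 2. Find the ID of the numerical-password protector and escrow it in AD DS, so the
#    help desk looks it up on the computer object instead of keeping a text file.
#    manage-bde prints each protector as a block; the line "ID: {GUID}" follows the
#    "Numerical Password:" heading.
$protectors = Invoke-ManageBde -ArgList @('-protectors', '-get', $Volume)
$id = $null
for ($i = 0; $i -lt $protectors.Count; $i++) {
    if ($protectors[$i] -match 'Numerical Password') {
        $window = ($protectors[($i + 1)..($i + 2)] -join "`n")
        $m = [regex]::Match($window, '\{[0-9A-Fa-f\-]+\}')
        if ($m.Success) { $id = $m.Value; break }
    }
}
if (-not $id) { throw "No numerical-password protector found on $Volume" }
Invoke-ManageBde -ArgList @('-protectors', '-adbackup', $Volume, '-id', $id) | Out-Null

# 3. Let the volume unlock itself at boot. The auto-unlock key is stored on the OS
#    volume, so this step fails unless the OS volume is itself BitLocker-protected
#    (e.g. with a TPM protector). Once mounted, the data is plain to anything running
#    on the server: this protects the physical disk, not the share.
Invoke-ManageBde -ArgList @('-autounlock', '-enable', $Volume)

# Show the final state (protection status, protectors, auto-unlock flag).
Invoke-ManageBde -ArgList @('-status', $Volume)
```

Run it once from an elevated PowerShell on the server; if step 3 throws, the OS volume is not protected and the share will still need a manual `manage-bde -unlock` after each reboot.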

Dan Craciun (IT Consultant) commented:
Have you asked your clients what they are trying to achieve? Protection against what?
Is the server in danger of being stolen? Because in that case an alarm system would be a better choice.
And if they worry about being compromised remotely, encryption won't help, as it's completely transparent to the OS. In other words, once you're in Windows and you mounted the encrypted partition, it's as if the hdd is not encrypted.
If they worry about hardware being confiscated by the authorities, in most countries they'll be legally forced to give up the encryption key anyway.

Plus, recovery from an encrypted and failing hdd is not likely. But that is not a problem, since you have backups anyway. Which backups are independent of the encryption scheme used.

So yes, for laptops it might be a good idea to encrypt the data. Another good idea is to not keep data on the laptops, and instead use a VPN/RDP solution to remote into TS or a local station.

PS: I've been using TrueCrypt for years (I use it to encrypt portable hdds, which are easy to lose), with no issues whatsoever (apart from forgotten passwords).


SundanceRyan (Author) commented:
Thank you for the response.  You hit on exactly what we've been trying to explain to them.

I did some more planning and research tonight and we may go with a Synology NAS with hardware encryption for the 3rd party data that needs to be encrypted.  The laptops will use TrueCrypt or Bitlocker and use full-disk encryption.

I'll leave this topic open for a few days in case anyone else has input.
Dirk Kotte (SE) commented:
Windows 7 Pro enables BitLocker also!
So BitLocker is the simplest way to secure the mobile devices.
At the server we use SafeGuard from Sophos (originally Utimaco).
Works AD-integrated and has a workstation option also.
Dave Howe (Software and Hardware Engineer) commented:
TrueCrypt is currently being more formally evaluated, but nobody has managed to poke any holes in it yet (it's one of those open source things that seems too good to be true :)

Downside of TrueCrypt is recoverability, but you can work around that easily enough by pre-installing each laptop with a known, common key, making a recovery disk ISO (which you then store securely on the server with an offsite backup), then changing the password to a unique one per laptop.

TC on laptops is a very good idea, and given the low number of them, a more formal enterprise-class key/unlock management solution is an unnecessary expense (plus of course, any closed-source American ones should be presumed compromised now :)
SundanceRyan (Author) commented:
Thanks for the input dkotte and DaveHowe.

Dkotte, you are incorrect about Win7 Pro and BitLocker; it's one of the differences between 7 Pro and Ultimate.  BitLocker is only available on Ultimate (and Enterprise) versions of Windows 7.

DaveHowe:  That's a good idea.  I think documentation is going to be key with whatever we do.  Do you notice a significant performance loss with full disk encryption with TrueCrypt?  I only used it to encrypt a volume on my computer.
Dave Howe (Software and Hardware Engineer) commented:
I have noticed almost none. In all cases, the bottleneck is the disk drive spindle speed, not TrueCrypt (YMMV of course; I use a single layer of AES encryption. If you double or triple that, there would be significant overhead from the crypto when moving large files, but again, a modern laptop should be at least dual core and not really need to care so much).
Dirk Kotte (SE) commented:
Sorry, I mistook Pro and Enterprise.

> we may go with a Synology NAS with hardware encryption for the 3rd party data that needs to be encrypted

What would that mean, who would unlock that NAS? Please tell us the exact model number you are looking at.
Dave Howe (Software and Hardware Engineer) commented:
That's actually a good question - last time I looked at Synology, they were using eCryptfs (a software solution similar to TrueCrypt) and had no hardware solution at all...
SundanceRyan (Author) commented:
Your device auto-mounts the encrypted container. That is never secure and can be circumvented - if, yes if, the attacker knows what he is doing.
So you should tell us how important it is for you, to get the best out of it.
SundanceRyan (Author) commented:
I'm looking for a method to encrypt shared data that is also easy and as seamless as possible for the end users.  I understand auto mounting isn't as secure, but I also don't want to be getting tons of calls because users can't access their data.
I had not tried to talk you out of it, yet. We just need to know if you have to fulfill some requirement or if it's just good will. For good will, the NAS encryption can be seen as sufficient.
SundanceRyan (Author) commented:
Thanks for all the input - I divided points among all who contributed.
Dave Howe (Software and Hardware Engineer) commented:
yeah. Even EFS will meet a customer requirement of "the data must be encrypted" without actually having to provide any protection for the data :)