Solved

Data Encryption on External Drives

Posted on 2014-01-13
Last Modified: 2014-03-15
Hello - Need to find an affordable / practical solution to encrypt data on external drives that may be plugged into a Win 2008 Server.

Symantec offers a product called 'Drive Encryption' but to run it on a SERVER it costs $2500 (as opposed to the DESKTOP version of 'Drive Encryption' which is $110 per desktop.)

So having to buy the SERVER version seems like overkill, as I do NOT want to encrypt the server Hard Drives at all - just the 2 external Hard drives that are plugged into the Server....

Since the DESKTOP version of that software seemed more like the way to go, I actually went to the extent (on my test 2008 server) to spin up a Windows 7 instance within Hyper-V on my 2008 Test Server - only to find that Hyper-V doesn't really support external hard drives (meaning they wouldn't show up when plugged in - and couldn't find a way to 'Mount' an external drive in the Virtual Instance so it showed up as the F:\ drive for instance.)

My thoughts were to install the Symantec encryption product within the Win 7 instance, then apply the encryption on the 2 external drives that way....seemed to be a pretty slick (albeit an overly complicated) approach - but again, once I found out that external drives don't show up in the Virtual Win 7 instance - that approach came to a screeching halt.

Any thoughts on how to do this in an affordable / practical fashion?
0
Question by:teks14
11 Comments
 
LVL 80

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 166 total points
ID: 39778182
BitLocker and TrueCrypt come immediately to mind.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 334 total points
ID: 39780272
Yes, BitLocker is even built-in.
Before you proceed, please take a minute to think about this:
Encrypted drives need someone to enter the key before they can be used - is that possible at your server or would that need to be automated? Also think of the danger of restarts (scheduled updates and BSODs) at night when no one is around - automation needed - or?
0
 

Author Comment

by:teks14
ID: 39787341
re: McKnife

That is exactly why I'm perplexed - because if I encrypt the external drive, and it is being used as the drive that the nightly backups are written to - is the backup going to fail every night because it could not write the backup file to the external 'encrypted' hard drive?
0

 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 39787489
Once the drive is mounted it will stay mounted until the computer is reset; you can have the drives automount (BitLocker using TPM) or TrueCrypt.
0
 

Author Comment

by:teks14
ID: 39787536
re: David Johnson, CD, MVP - so encrypt the external drive, mount it - it will now act as a normal drive (albeit an encrypted one) and the backups should write to the external as normal - when the system (that the drive is connected to) reboots - I will be prompted to authenticate, or satisfy the passphrase or key for the encrypted drive (until it is rebooted again) - does that sound about right?
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 39787547
Sounds right.. though you can configure the drives to auto-mount on boot
0
 

Author Comment

by:teks14
ID: 39787556
Yeah I do see the Auto-mount feature in the Truecrypt that you mentioned earlier - I can see that coming in handy.

So if I were to take the external drive offsite to update some of the files that resided on the encrypted external drive, what would I face when attempting to:

1.) Connect the External drive to a different PC
2.) open / update the file

I'm assuming that I would just be prompted for the encryption key in each of the above mentioned scenarios?
0
 
LVL 80

Expert Comment

by:David Johnson, CD, MVP
ID: 39787584
Correct, you will need the encryption keys.
0
 
LVL 54

Accepted Solution

by:McKnife
McKnife earned 334 total points
ID: 39787738
Auto-mounting is defeating security of course. It should only be used in some use cases.
It would be better here to have a second computer that is physically secured and serves the encryption key via Network - this is what we do with our servers.
The "key server" ("KS") is in a secured room, the encrypted servers (ES) are not. The ES have encrypted data partitions that mount by reading a keyfile from a share of the KS. Afterwards, their services that use data from that partition are started by a script.
TrueCrypt and DiskCryptor both offer this, while BitLocker just started to offer this with Server 2012 (called "netunlock").
0
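The key-server arrangement described in the accepted answer, sketched as a startup script for the encrypted server using TrueCrypt's command line. This is an added example, not code from the thread or from any poster's environment. Assumptions: the share path, keyfile name, device path, drive letter and service name are hypothetical, the volume is protected by a keyfile only, and the script runs at boot as an administrative account that has read access to the share.

```powershell
# Added example (not from the thread). Hypothetical values: key server share,
# keyfile name, device path, drive letter and service names.
$TrueCrypt = 'C:\Program Files\TrueCrypt\TrueCrypt.exe'
$Volume    = '\Device\Harddisk1\Partition1'   # encrypted data partition
$Letter    = 'F'
$KeyFile   = '\\KS\keys\es1.key'              # read over the network, never copied locally
$Services  = @('ExampleBackupService')        # startup type Manual, so they never
                                              # start against an unmounted volume

function Wait-KeyFile([int]$Attempts = 10, [int]$DelaySeconds = 30) {
    # The network or the key server may not be up right after boot: retry, then give up.
    for ($i = 1; $i -le $Attempts; $i++) {
        if (Test-Path $KeyFile) { return $true }
        Start-Sleep -Seconds $DelaySeconds
    }
    return $false
}

function Mount-DataVolume {
    if (Test-Path "${Letter}:\") { return $true }   # already mounted
    # /v volume, /l drive letter, /k keyfile, /p "" empty password (keyfile only),
    # /q quit after mounting, /s silent (no dialogs on an unattended server)
    $argLine = '/v "{0}" /l {1} /k "{2}" /p "" /q /s' -f $Volume, $Letter, $KeyFile
    Start-Process -FilePath $TrueCrypt -ArgumentList $argLine -Wait
    return (Test-Path "${Letter}:\")                # check the mount itself, not an exit code
}

# Fail closed: if the key server cannot be reached, nothing is mounted or started.
if (-not (Wait-KeyFile)) {
    Write-Error "Key server unreachable; ${Letter}: stays locked and services stay stopped."
    exit 1
}
if (-not (Mount-DataVolume)) {
    Write-Error "Mount of $Volume failed; services stay stopped."
    exit 1
}
# Only now start the services that use data on the encrypted partition.
foreach ($name in $Services) { Start-Service -Name $name }
```

If the encrypted server is taken away from the network that hosts the key server, the keyfile is unreachable and the volume stays locked, which is the property that distinguishes this from plain auto-mounting.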
 

Author Closing Comment

by:teks14
ID: 39931407
While I set up TrueCrypt and tested FIRST, ultimately I noticed that the External HDs had built-in data backup encryption - so I wound up using that.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39931421
0


Question has a verified solution.
