[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Bitlocker on Server 2008 R2 data volume - simple question I think

Posted on 2014-04-11
2
Medium Priority
?
437 Views
Last Modified: 2014-04-11
We need to meet a requirement that the data on the server is encrypted just so that if someone literally stole the server there would be some safeguards.    I don't know much about Bitlocker - would this work?

It is a simple document management system - database with file repository - assume the sensitive data is only in the repository.

I don't need to encrypt the OS.  So can I encrypt the data (volume or just folders?)  on the "E" drive with bitlocker?  Would this be seamless when booting normally - I think so.  But if someone actually stole the server they would need to log in to the OS to get to the data - if they removed the data drives (and rebuilt the RAID) it would be encrypted.  Does it/can it work this way?  Anyone have things set up like this?
0
Comment
Question by:jsprev
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 56

Accepted Solution

by:
McKnife earned 1200 total points
ID: 39994438
Hi.

I have this setup on multiple 2008R2ers.
The question about "seamlessness" is the crucial point. If it has to be automated ("hands free rebootable"), you will have to use either a TPM chip or a script to provide the key.

If your server hardware has a TPM chip, the setup is easy, no need to explain. However, you would need to be aware about attack vectors that remain. Those are called "cold boot attacks" and are illustrated in this video (watch it if your server has a TPM): http://www.youtube.com/watch?v=JDaicPIgn9U

If it hasn't, the way to go is to use a script. The script would use manage-bde.exe (see manage-bde /?) for syntax. It would be triggered by task manager to start on every system start. The script itself would have to be placed on the network share of another device that would be physically secured. If stolen, the script could not be loaded and the drive would stay locked.
0
 

Author Closing Comment

by:jsprev
ID: 39994686
Thanks!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Worried about if Apple can protect your documents, photos, and everything else that gets stored in iCloud? Read on to find out what Apple really uses to make things secure.
Businesses who process credit card payments have to adhere to PCI Compliance standards. Here’s why that’s important.
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question