Solved

Bitlocker on Server 2008 R2 data volume - simple question I think

Posted on 2014-04-11
2
427 Views
Last Modified: 2014-04-11
We need to meet a requirement that the data on the server is encrypted just so that if someone literally stole the server there would be some safeguards.    I don't know much about Bitlocker - would this work?

It is a simple document management system - database with file repository - assume the sensitive data is only in the repository.

I don't need to encrypt the OS.  So can I encrypt the data (volume or just folders?)  on the "E" drive with bitlocker?  Would this be seamless when booting normally - I think so.  But if someone actually stole the server they would need to log in to the OS to get to the data - if they removed the data drives (and rebuilt the RAID) it would be encrypted.  Does it/can it work this way?  Anyone have things set up like this?
0
Comment
Question by:jsprev
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 55

Accepted Solution

by:
McKnife earned 300 total points
ID: 39994438
Hi.

I have this setup on multiple 2008R2ers.
The question about "seamlessness" is the crucial point. If it has to be automated ("hands free rebootable"), you will have to use either a TPM chip or a script to provide the key.

If your server hardware has a TPM chip, the setup is easy, no need to explain. However, you would need to be aware about attack vectors that remain. Those are called "cold boot attacks" and are illustrated in this video (watch it if your server has a TPM): http://www.youtube.com/watch?v=JDaicPIgn9U

If it hasn't, the way to go is to use a script. The script would use manage-bde.exe (see manage-bde /?) for syntax. It would be triggered by task manager to start on every system start. The script itself would have to be placed on the network share of another device that would be physically secured. If stolen, the script could not be loaded and the drive would stay locked.
0
 

Author Closing Comment

by:jsprev
ID: 39994686
Thanks!
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question