[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 441
  • Last Modified:

Bitlocker on Server 2008 R2 data volume - simple question I think

We need to meet a requirement that the data on the server is encrypted just so that if someone literally stole the server there would be some safeguards.    I don't know much about Bitlocker - would this work?

It is a simple document management system - database with file repository - assume the sensitive data is only in the repository.

I don't need to encrypt the OS.  So can I encrypt the data (volume or just folders?)  on the "E" drive with bitlocker?  Would this be seamless when booting normally - I think so.  But if someone actually stole the server they would need to log in to the OS to get to the data - if they removed the data drives (and rebuilt the RAID) it would be encrypted.  Does it/can it work this way?  Anyone have things set up like this?
0
jsprev
Asked:
jsprev
1 Solution
 
McKnifeCommented:
Hi.

I have this setup on multiple 2008R2ers.
The question about "seamlessness" is the crucial point. If it has to be automated ("hands free rebootable"), you will have to use either a TPM chip or a script to provide the key.

If your server hardware has a TPM chip, the setup is easy, no need to explain. However, you would need to be aware about attack vectors that remain. Those are called "cold boot attacks" and are illustrated in this video (watch it if your server has a TPM): http://www.youtube.com/watch?v=JDaicPIgn9U

If it hasn't, the way to go is to use a script. The script would use manage-bde.exe (see manage-bde /?) for syntax. It would be triggered by task manager to start on every system start. The script itself would have to be placed on the network share of another device that would be physically secured. If stolen, the script could not be loaded and the drive would stay locked.
0
 
jsprevAuthor Commented:
Thanks!
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now