• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1065
  • Last Modified:

Encryption on Servers and RAID 5

Hi
I have a Server running MS 2008 R2 which has 3 SAS hard disks configured for RAID 5 on a Perc Controller.

These are obviously showing as 1 virtual disk split into a C: and D: drive. I am thinking of encrypting the data on the D: drive using Bitlocker. Will this work across a RAID array and is there a downside?

Also as a general question if all the disks were stolen from the Server (ie removed from the bays) what data would a person be able to see if they plugged each disk into a server as an external device and would a specialist recovery company be able to access the files?

Thanks
0
JayHine
Asked:
JayHine
  • 4
  • 3
  • 2
  • +2
2 Solutions
 
DavidCommented:
The RAID controller just reads/writes X blocks at location Y.  It is blissfully unaware of logical drives or file systems.
A data recovery person would see unencrypted data for blocks 0-n, encrypted data for blocks n+1 -> end of drive, where n is the logical block number where logical drive D begins.

Pretend this question is for a single HDD you are splitting, take the RAID out of the equation to wrap your arms around what I wrote.
0
 
JayHineAuthor Commented:
Thanks for the answer.

 Just to clarify then, there is no reason not to use Bitlocker and as it sees the virtual drive there will be no issues and if I leave the data un-encrypted a recovery person could access the data on any single drive?
0
 
McKnifeCommented:
And who would enter the key? Or would you use a TPM?
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
Rich RumbleSecurity SamuraiCommented:
Bitlocker is a poor choice, as McKnife points out, however you are wanting to use it on the D: drive, nonetheless someone has to enter something to decrypt it. As far as what someone else would see, they'd have to steal the entire array, or be able to put the drives in the correct arrangement and re-create the raid before they could even attempt to read the drives. The encryption is at the NTFS level, so if they managed to do that, all they'd see is a bitlocker drive and need to enter in the recovery key.

Server encryption isn't really done much as far as entire drives. The server are supposed to be physically protected first, and that's why you don't see servers encrypted at the HDD level. Laptops it makes more sense, because the likelihood of physical theft is much higher. Bitlocker, TrueCrypt, FDE in general only protects you from physical theft. Read my article here: http://www.experts-exchange.com/Security/Encryption/A_12134-Choosing-the-right-encryption-for-your-needs.html
-rich
0
 
DavidCommented:
I have no idea on the key, I would check the docmentation.  Bitlocker certainly works on LSI RAID and partitions, but there are rules and procedures that vary slightly on each flavor of windows.    But do remember the PERC 5 is LSI card but not LSI firmware.

It is LSI card with Dell firmware.  99% the same, but not 100%.   This is a question best asked to the dell support community.
0
 
Natty GregIn Theory (IT)Commented:
With all that is said above, no encryption on server necessary, have server physically secured. Or you can pay to host your server in the cloud where you and everyone else  do not know where the physical server is
0
 
McKnifeCommented:
"Bitlocker is a poor choice, as McKnife points out" - I did not do anything like this. BL is no poor choice for sure.
Let me add that there are ways to secure a server even when it's not physically secured AND also have the key entered automatically. We could for example use a scheduled task that points to an unlocking batch file on some other server (secured elsewhere). When that encrypted server gets stolen and the thief boots it, the batch will not be accessible and d: would stay locked.
0
 
JayHineAuthor Commented:
Thanks to everyone for the replies. I think that probably encrypting the data on the server is unnecessary but we have been asked to look into it.

The thing I am still a little unsure of, as I didnt completely understand the very first reply, is that if by any chance someone gained access to the server and removed the individual disks from the server how much data would they see? Obviously the RAID has been broken so it would be what is visible on the actual disk.
Thanks for any clarification.
0
 
McKnifeCommented:
Removing the disks will not break the RAID. The raid will exist as long as it is handled with care and attached to the same controller model or model successor and then, whole d: would be accessible.
0
 
JayHineAuthor Commented:
but if the server was left in the server room and the disks were removed and taken away (ie stolen) what data would be visible on the drives if someone looked at the disks?
0
 
Rich RumbleSecurity SamuraiCommented:
Raid is not that tough to reconstruct on another machine, but the order of the discs is important. Let's assume they have done so, which is the path of most resistance btw, they would take the entire enclosure and save some headache there in real life...Either way, the raided drives are readable, but beyond the NTFS headers, if the entire volume was encrypted, they'd have to supply the decryption key to gain access. It's no different than a LT drive or a secondary drive, reconstructing the raid is a pain, but do-able, other than that all the same rules apply. Raid is below the encryption, and as stated above, neither know about the other, the encryption see's a volume and encrypts it. The Raid see's drives and creates a volume, that is all.
The best way to read encrypted drives is to not turn them off. If I were to steal a server, and I found that it was encrypted, I'd stop right there unless there was some extreme, very extreme financial gains to be had.
Encrypting server HDD's does not make you compliant with any US or European law or statute I am aware of. There are ones for Mobile, but not server. Encrypting data on servers should be done at file and database levels rather than the OS or Drive level. Again read my article to see what that is.
-rich
0
 
McKnifeCommented:
Again: the raid does not matter here. If the unencrypted drives are stolen, all data might be accessed unless the thieves have no idea what they hold.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 4
  • 3
  • 2
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now