Exchange 2013 Encrypt Databases and Logs

We are going to be upgrading to Exchange 2013 SP1 and our security team has asked us to look at encrypting the Exchange Databases and its logs.  I found an article saying its possible but does not go into how its done.  Has anyone done this?  What are the pros and cons?  Thanks!
Who is Participating?

Improve company productivity with a Business Account.Sign Up

Adam BrownConnect With a Mentor Sr Solutions ArchitectCommented:
You'll want to use whole-disk encryption on the disk holding the database. Bitlocker is probably the simplest solution, and doesn't require third party software running to function. It doesn't *require* a TPM chip, but using it without one reduces security a good bit (System integrity checks to determine if the drive is in a new computer isn't available without TPM).

You can also use third party whole disk encryption solutions, but those must be running for the Exchange Database/logs to be accessible to the OS.

The pros of whole disk encryption with Exchange are that your database can't be read without authorization. If someone can get into the server with a valid username and password while the server is running and the disk is decrypted, they can still read the database. Outside of that specific scenario, it's not possible to read anything from the database or logs. Of course, if you have that scenario going on, you have bigger problems.

The con is a pretty significant performance hit. Drive read and write speed will be slower once things are encrypted because everything has to be encrypted when written and decrypted when read. You will probably notice slower performance after encrypting the database and logs drive. Your users may notice that OWA and Outlook access is slower as well. This performance hit can be mitigated by adding RAM, since Exchange keeps a significant chunk of the Database in RAM. Performance immediately following a reboot of the Exchange server will be much slower than it will be after the server has been running for a couple days, since all the recently received and accessed data in user mailboxes is what gets cached in RAM, which can't be encrypted, but is extremely difficult to access without valid credentials.

Third party encryption solutions take up additional resources and will slow things down more that using bitlocker.

Instructions for bitlocker on Server 2008:
Instructions for bitlocker on Server 2012:
Bitlocking the server would normally suffice. Does the server have a tpm chip? Please find out.
McKnifeConnect With a Mentor Commented:
I did not go into detail like Adam did and here's why: we need to know if there's a tpm chip. No, it's not that bitlocker cannot do without. It's more that you don't want to do without. Think about server restarts (scheduled updates, restarts, crashes) - who will enter the key? The tpm could do that for you, so only with a tpm chip, bitlocker can be used "hands free."
Sedgwick_CountyAuthor Commented:
Thank you both for the answers!  It has given me a lot ot think about.  To answer your question, no they do  not have a TPM chip in them.  We also do not want a huge impact to performace.  So I think this will be put on the back burner.  Thank you both again for the quick responses.
The impact to performance is not huge. Please do performance tests yourself since it depends on how we use the file system.
Also please note that many server mainboards have a so called tpm header that can be armed with a tpm anytime. Its costs depend on the brand, it might be up to 80 USD.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.