Exchange 2013 Encrypt Databases and Logs

Posted on 2016-08-10
Last Modified: 2016-08-11
We are going to be upgrading to Exchange 2013 SP1 and our security team has asked us to look at encrypting the Exchange Databases and its logs. I found an article saying it's possible but does not go into how it's done. Has anyone done this? What are the pros and cons? Thanks!
Question by:Sedgwick_County
LVL 53

Expert Comment

ID: 41751119
Bitlocking the server would normally suffice. Does the server have a tpm chip? Please find out.
LVL 38

Accepted Solution

Adam Brown earned 250 total points
ID: 41751224
You'll want to use whole-disk encryption on the disk holding the database. Bitlocker is probably the simplest solution, and doesn't require third party software running to function. It doesn't *require* a TPM chip, but using it without one reduces security a good bit (system integrity checks to determine if the drive is in a new computer aren't available without TPM).

You can also use third party whole disk encryption solutions, but those must be running for the Exchange Database/logs to be accessible to the OS.

The pros of whole disk encryption with Exchange are that your database can't be read without authorization. If someone can get into the server with a valid username and password while the server is running and the disk is decrypted, they can still read the database. Outside of that specific scenario, it's not possible to read anything from the database or logs. Of course, if you have that scenario going on, you have bigger problems.

The con is a pretty significant performance hit. Drive read and write speed will be slower once things are encrypted because everything has to be encrypted when written and decrypted when read. You will probably notice slower performance after encrypting the database and logs drive. Your users may notice that OWA and Outlook access is slower as well. This performance hit can be mitigated by adding RAM, since Exchange keeps a significant chunk of the Database in RAM. Performance immediately following a reboot of the Exchange server will be much slower than it will be after the server has been running for a couple days, since all the recently received and accessed data in user mailboxes is what gets cached in RAM, which can't be encrypted, but is extremely difficult to access without valid credentials.

Third party encryption solutions take up additional resources and will slow things down more than using bitlocker.

Instructions for bitlocker on Server 2008:
Instructions for bitlocker on Server 2012:
LVL 53

Assisted Solution

McKnife earned 250 total points
ID: 41751554
I did not go into detail like Adam did and here's why: we need to know if there's a tpm chip. No, it's not that bitlocker cannot do without. It's more that you don't want to do without. Think about server restarts (scheduled updates, restarts, crashes) - who will enter the key? The tpm could do that for you, so only with a tpm chip, bitlocker can be used "hands free."
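An added audit script, not from either answer above, that checks the two points both answers turn on: whether the host has a usable TPM, and whether the volumes holding the Exchange database and log paths are actually encrypted and can come back unattended after a restart. It assumes Server 2012 or later (BitLocker and TrustedPlatformModule modules), an elevated session, and the sample `$DbPaths` values are constructed; substitute the EdbFilePath and LogFolderPath values from Get-MailboxDatabase.

```powershell
# Added example (not the thread's own code). Assumes Server 2012+ with the
# BitLocker and TrustedPlatformModule modules, run from an elevated session.
# $DbPaths is a constructed sample; take real values from Get-MailboxDatabase
# (EdbFilePath / LogFolderPath) in the Exchange Management Shell.
param(
    [string[]]$DbPaths = @('E:\ExchangeDB\DB01\DB01.edb', 'F:\ExchangeLogs\DB01')
)
Import-Module BitLocker -ErrorAction Stop
Import-Module TrustedPlatformModule -ErrorAction Stop

# 1. TPM: without one, BitLocker cannot unlock the OS volume unattended at boot.
$tpm = Get-Tpm
Write-Host ("TPM present: {0}  ready: {1}" -f $tpm.TpmPresent, $tpm.TpmReady)

# 2. Map each database/log path to the drive letter of its volume.
$dataDrives = foreach ($p in $DbPaths) {
    [System.IO.Path]::GetPathRoot($p).TrimEnd('\')   # e.g. 'E:'
}
$osDrive = $env:SystemDrive
$drives  = @($osDrive) + @($dataDrives) | Select-Object -Unique

# 3. Inspect BitLocker state and key protectors on each relevant volume.
foreach ($mp in $drives) {
    $v = Get-BitLockerVolume -MountPoint $mp -ErrorAction SilentlyContinue
    if (-not $v) { Write-Warning "$mp : no BitLocker information"; continue }
    $types = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    Write-Host ("{0} status={1} protection={2} {3}% protectors=[{4}]" -f `
        $mp, $v.VolumeStatus, $v.ProtectionStatus, $v.EncryptionPercentage, $types)

    if ($v.VolumeStatus -eq 'FullyDecrypted') {
        Write-Warning "$mp : data on this volume is not encrypted at rest"
    }
    # Hands-free restart needs a TPM-based protector on the OS volume; data
    # volumes can then use auto-unlock, whose key is stored on that OS volume,
    # so auto-unlock is only as strong as the OS volume's own protector.
    if ($mp -eq $osDrive -and $types -notmatch 'Tpm') {
        Write-Warning "$mp : no TPM protector; a password or recovery key must be typed at every boot"
    }
    if ($mp -ne $osDrive -and $v.ProtectionStatus -eq 'On' -and -not $v.AutoUnlockEnabled) {
        Write-Warning "$mp : no auto-unlock; the volume stays locked after a restart until unlocked manually"
    }
}
```

Run it before and after enabling BitLocker; a warning on the OS drive about a missing TPM protector is the "who will enter the key?" problem McKnife describes.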

Author Comment

ID: 41752221
Thank you both for the answers! It has given me a lot to think about. To answer your question, no they do not have a TPM chip in them. We also do not want a huge impact to performance. So I think this will be put on the back burner. Thank you both again for the quick responses.
LVL 53

Expert Comment

ID: 41752426
The impact to performance is not huge. Please do performance tests yourself since it depends on how we use the file system.
Also please note that many server mainboards have a so called tpm header that can be armed with a tpm anytime. Its cost depends on the brand; it might be up to 80 USD.
