Exchange 2013 Encrypt Databases and Logs

Posted on 2016-08-10
Last Modified: 2016-08-11
We are going to be upgrading to Exchange 2013 SP1 and our security team has asked us to look at encrypting the Exchange Databases and its logs.  I found an article saying its possible but does not go into how its done.  Has anyone done this?  What are the pros and cons?  Thanks!
Question by:Sedgwick_County
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
LVL 55

Expert Comment

ID: 41751119
Bitlocking the server would normally suffice. Does the server have a tpm chip? Please find out.
LVL 41

Accepted Solution

Adam Brown earned 250 total points
ID: 41751224
You'll want to use whole-disk encryption on the disk holding the database. Bitlocker is probably the simplest solution, and doesn't require third party software running to function. It doesn't *require* a TPM chip, but using it without one reduces security a good bit (System integrity checks to determine if the drive is in a new computer isn't available without TPM).

You can also use third party whole disk encryption solutions, but those must be running for the Exchange Database/logs to be accessible to the OS.

The pros of whole disk encryption with Exchange are that your database can't be read without authorization. If someone can get into the server with a valid username and password while the server is running and the disk is decrypted, they can still read the database. Outside of that specific scenario, it's not possible to read anything from the database or logs. Of course, if you have that scenario going on, you have bigger problems.

The con is a pretty significant performance hit. Drive read and write speed will be slower once things are encrypted because everything has to be encrypted when written and decrypted when read. You will probably notice slower performance after encrypting the database and logs drive. Your users may notice that OWA and Outlook access is slower as well. This performance hit can be mitigated by adding RAM, since Exchange keeps a significant chunk of the Database in RAM. Performance immediately following a reboot of the Exchange server will be much slower than it will be after the server has been running for a couple days, since all the recently received and accessed data in user mailboxes is what gets cached in RAM, which can't be encrypted, but is extremely difficult to access without valid credentials.

Third party encryption solutions take up additional resources and will slow things down more that using bitlocker.

Instructions for bitlocker on Server 2008:
Instructions for bitlocker on Server 2012:
LVL 55

Assisted Solution

McKnife earned 250 total points
ID: 41751554
I did not go into detail like Adam did and here's why: we need to know if there's a tpm chip. No, it's not that bitlocker cannot do without. It's more that you don't want to do without. Think about server restarts (scheduled updates, restarts, crashes) - who will enter the key? The tpm could do that for you, so only with a tpm chip, bitlocker can be used "hands free."

Author Comment

ID: 41752221
Thank you both for the answers!  It has given me a lot ot think about.  To answer your question, no they do  not have a TPM chip in them.  We also do not want a huge impact to performace.  So I think this will be put on the back burner.  Thank you both again for the quick responses.
LVL 55

Expert Comment

ID: 41752426
The impact to performance is not huge. Please do performance tests yourself since it depends on how we use the file system.
Also please note that many server mainboards have a so called tpm header that can be armed with a tpm anytime. Its costs depend on the brand, it might be up to 80 USD.

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A list of top three free exchange EDB viewers that helps the user to extract a mailbox from an unmounted .edb file and get a clear preview of all emails & other items with just a single click on mailboxes.
After hours on line I found a solution which pointed to the inherited Active Directory permissions . You have to give/allow permissions to the "Exchange trusted subsystem" for the user in the Active Directory...
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit If you want to manage em…

627 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question