How do you encrypt data at rest?

hi guys,

If someone asks 'Do you encrypt your data at rest?' about a Windows 2012 file server, how would you implement that? We also have Sophos AV on all machines, in case that helps.

Thanks for helping
Yash
Yashy asked:


Shaun Vermaak (Technical Specialist) commented:
Something like BitLocker. Encrypting what data exactly?

With SQL you can use SQL Always Encrypted for example
DarinTCH (Senior CyberSecurity Engineer) commented:
I second BitLocker or HDD encryption... with EFS.
Search for a few recent discussions we have had here this week.

Something like BitLocker best practices
https://www.experts-exchange.com/questions/29126620/BitLocker-best-practice.html

ste5an (Senior Developer) commented:
Only software encryption!

Because some hardware vendors have terribly failed in implementing proper encryption.

EDIT: just some HW fails:

2012 (Sandforce):
https://techreport.com/news/23096/256-bit-aes-encryption-broken-in-sandforce-ssd-controllers

2015 (Western Digital):
https://threatpost.com/academics-find-critical-flaws-in-self-encrypting-hardware-drives/115103/

2018 (Crucial, Samsung):
https://www.heise.de/security/meldung/Daten-von-einigen-selbstverschluesselnden-SSDs-ohne-Passwort-einsehbar-4212191.html
Shaun Vermaak (Technical Specialist) commented:
If you prefer Sophos, you can use Sophos SafeGuard Enterprise, which can manage the keys.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
At rest data encryption seems easy to accomplish...

Use an encrypted filesystem or use database row or column encryption.

Here's the problem...

Now that your data is encrypted, how you manage + rotate your encryption/decryption keys determines your security.

Your data is only as secure as your decryption key + strategy.
btan (Exec Consultant) commented:
Data at rest is basically
... all data in storage but excludes any data that frequently traverses the network or that which resides in temporary memory. Data at rest includes but is not limited to archived data, data which is not accessed or changed frequently, files stored on hard drives, USB thumb drives, files stored on backup tape and disks, and also files stored off-site or on a storage area network (SAN).
So for Windows, BitLocker for disk encryption is the baseline. The next layer of protection is at file level, such as use of EFS. Or use Active Directory Rights Management Services (AD RMS) with embedded access rights on top of encryption; this tends to be added for securing more sensitive information such as health records, so that the encryption/rights persist within the file even if it is leaked.
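The layered approach described in the two answers above (BitLocker as the disk baseline, EFS on top for sensitive folders) can be audited and applied from PowerShell. The following is an added example for illustration, not code posted by any of the commenters; it assumes an elevated session on a Windows Server 2012 file server with a TPM, that `C:` is the OS volume and `D:` the data volume, that the `D:\Shares\HR` path is a placeholder for your own sensitive share, and that Group Policy already allows BitLocker recovery information to be stored in AD DS.

```powershell
# Added example: audit and enable encryption at rest on a Windows Server 2012 file server.
# Assumptions (not from the thread): run elevated; TPM present; C: = OS volume, D: = data volume;
# D:\Shares\HR is a placeholder path; GPO "Store BitLocker recovery information in AD DS" is enabled.

# The BitLocker cmdlets ship with the BitLocker feature (a reboot may be required after install).
Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools | Out-Null

# 1. Evidence for the "do you encrypt data at rest?" question: state of every BitLocker-capable volume.
Get-BitLockerVolume |
    Select-Object MountPoint, VolumeType, VolumeStatus, ProtectionStatus, EncryptionMethod, EncryptionPercentage |
    Format-Table -AutoSize

# 2. OS volume: TPM protector for unattended boot, plus a recovery password escrowed to AD DS
#    so a lost TPM (board swap, cleared TPM) does not mean lost data.
$os = Get-BitLockerVolume -MountPoint 'C:'
if ($os.ProtectionStatus -eq 'Off') {
    # Aes256 is the strongest method available on Server 2012 (XTS modes arrived in Server 2016).
    Enable-BitLocker -MountPoint 'C:' -EncryptionMethod Aes256 -TpmProtector -SkipHardwareTest
    Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector | Out-Null
}
$recovery = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
foreach ($p in $recovery) {
    # Writes the recovery password to the computer object in AD DS (requires the GPO above).
    Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $p.KeyProtectorId | Out-Null
}

# 3. Data volume: recovery password protector, then auto-unlock keyed to the OS volume so the
#    file server comes back after a reboot without someone typing a password at the console.
$data = Get-BitLockerVolume -MountPoint 'D:'
if ($data.ProtectionStatus -eq 'Off') {
    Enable-BitLocker -MountPoint 'D:' -EncryptionMethod Aes256 -RecoveryPasswordProtector
    Enable-BitLockerAutoUnlock -MountPoint 'D:'
}

# 4. File-level layer (EFS) on the sensitive share: encrypts existing files and marks the folder
#    so new files are encrypted too. Runs as the account executing the script; plan EFS
#    certificate backup / a data recovery agent before relying on this for a server share.
$sensitive = 'D:\Shares\HR'   # placeholder path
if (Test-Path $sensitive) {
    cipher.exe /E /S:$sensitive | Out-Null
    cipher.exe /U /N             # list what is now EFS-encrypted, for the audit record
}

# 5. Final report: anything still showing ProtectionStatus 'Off' is unencrypted at rest.
Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -ne 'On' } |
    ForEach-Object { Write-Warning "Volume $($_.MountPoint) is NOT protected by BitLocker" }
```

Step 1 and step 5 are the parts an auditor actually asks for: a volume with ProtectionStatus `On` and EncryptionPercentage 100 is encrypted at rest; a volume that is encrypted but has protection `Off` is not, because the key is stored in the clear. The recovery-password escrow in step 2 is what turns BitLocker from "data is encrypted" into "data is encrypted and recoverable", which is the key-management point David Favor raises below.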
gr8gonzo (Consultant) commented:
Sounds like someone's asking about PCI compliance. You've already gotten some good answers (BitLocker's quick and easy, and if you're just concerned about database data, the suggestion about SQL Always Encrypted is a good one), but just in case you're not sure what it MEANS as a concept...

Imagine you have a web application that is rock-solid and REALLY REALLY secure. The code has oodles of layers of security, two-factor authentication, been pen-tested, etc... Now imagine your web application is physically hosted on a server in some network room. It turns out that a disgruntled ex-employee's keycard still works, so at night he goes into the room and steals the server.

Now, the Windows passwords have changed, so he can't log in, so he turns off the PC and pulls out the hard drives and plugs the drives into his own computer.

At this point, he can copy all the data from that connected hard drive without knowing the Windows password. That means he could copy the database and access the data inside.

However, if you have some kind of encryption-at-rest implemented, it means that your data is SAVED in an encrypted form (while it's "resting"), so that even if this hacker guy copied everything from the server, he'd just be copying encrypted data and he wouldn't be able to use it without the decryption key, so that kind of physical attack is rendered useless.