How do you encrypt data at rest?

Yashy
hi guys,

If someone asks "Do you encrypt your data at rest?" on a Windows 2012 file server, then how would you implement that? We also have Sophos AV on all machines, in case that helps.

Thanks for helping
Yash
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
Something like BitLocker. Encrypting what data exactly?

With SQL you can use SQL Always Encrypted for example
Senior CyberSecurity Engineer
Commented:
I second BitLocker or HDD encryption... with EFS.
Search for a few recent discussions we have had here this week.

Something like BitLocker best practices
https://www.experts-exchange.com/questions/29126620/BitLocker-best-practice.html
ste5anSenior Developer
Commented:
Only software encryption!

Because some hardware vendors have terribly failed in implementing proper encryption.

EDIT: just some HW fails..

2012 (Sandforce):
https://techreport.com/news/23096/256-bit-aes-encryption-broken-in-sandforce-ssd-controllers

2015 (Western Digital):
https://threatpost.com/academics-find-critical-flaws-in-self-encrypting-hardware-drives/115103/

2018 (Crucial, Samsung):
https://www.heise.de/security/meldung/Daten-von-einigen-selbstverschluesselnden-SSDs-ohne-Passwort-einsehbar-4212191.html
Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018
Commented:
If you prefer Sophos, you can use Sophos SafeGuard Enterprise, which can manage the keys.
David FavorLinux/LXD/WordPress/Hosting Savant
Distinguished Expert 2018
Commented:
At rest data encryption seems easy to accomplish...

Use an encrypted filesystem or use database row or column encryption.

Here's the problem...

Now that your data is encrypted, how you manage + rotate your encryption/decryption keys determines your security.

Your data is only as secure as your decryption key + strategy.
btanExec Consultant
Distinguished Expert 2018
Commented:
Data at rest is basically
... all data in storage but excludes any data that frequently traverses the network or that which resides in temporary memory. Data at rest includes but is not limited to archived data, data which is not accessed or changed frequently, files stored on hard drives, USB thumb drives, files stored on backup tape and disks, and also files stored off-site or on a storage area network (SAN).
So for Windows, BitLocker disk encryption is the baseline. The next layer of protection is at file level, such as use of EFS, OR use Active Directory Rights Management Services (AD RMS) with embedded access rights on top of encryption. This tends to be added for securing more sensitive information such as health records, so that the encryption/rights persist within the file even if it is leaked.
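To turn the BitLocker baseline above into something you can actually answer "yes" to, here is an added audit-and-remediate script (my example, not code from anyone in this thread). It assumes an elevated PowerShell session on Windows Server 2012/2012 R2 with the BitLocker feature installed (Install-WindowsFeature BitLocker), a Group Policy that permits storing recovery information in AD DS, and an OS volume that is already BitLocker-protected.

```powershell
# Added example (not from the thread): audit BitLocker on a file server and,
# with -Remediate, protect any fixed data volume that is still in the clear.
# Assumes: elevated session, BitLocker feature installed, AD DS recovery
# backup allowed by policy, OS volume already protected.
param(
    [switch]$Remediate    # audit only unless -Remediate is passed
)

function Get-AtRestStatus {
    foreach ($vol in Get-BitLockerVolume) {
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        [pscustomobject]@{
            Volume           = $vol.MountPoint
            Type             = $vol.VolumeType        # OperatingSystem or Data
            VolumeStatus     = $vol.VolumeStatus      # FullyDecrypted / EncryptionInProgress / FullyEncrypted
            Protection       = $vol.ProtectionStatus  # Off means the key is not actually enforced
            Method           = $vol.EncryptionMethod
            RecoveryPassword = [bool]$rp              # needed so the volume survives a rebuild
        }
    }
}

$status = Get-AtRestStatus
$status | Format-Table -AutoSize

# "Encrypted at rest" only holds when every fixed volume is FullyEncrypted
# AND protection is On; an encrypted volume with protection Off is exposed.
$gaps = $status | Where-Object { $_.VolumeStatus -ne 'FullyEncrypted' -or $_.Protection -ne 'On' }
if ($gaps) { Write-Warning ("Volumes not protected at rest: " + ($gaps.Volume -join ', ')) }

if ($Remediate) {
    foreach ($row in $gaps | Where-Object { $_.Type -eq 'Data' -and $_.VolumeStatus -eq 'FullyDecrypted' }) {
        $mp = $row.Volume
        # The recovery password is the key you now have to manage: escrow it in
        # AD rather than leaving it in a text file next to the server.
        Enable-BitLocker -MountPoint $mp -RecoveryPasswordProtector -EncryptionMethod Aes256
        $id = (Get-BitLockerVolume -MountPoint $mp).KeyProtector |
              Where-Object KeyProtectorType -eq 'RecoveryPassword' |
              Select-Object -ExpandProperty KeyProtectorId
        Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $id
        # Let the already-protected OS volume unlock this data volume at boot
        # so file shares come back without someone typing the recovery key.
        Enable-BitLockerAutoUnlock -MountPoint $mp
    }
}
```

Run it without parameters first to get the per-volume report; only the data volumes reported as FullyDecrypted are touched when -Remediate is supplied.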
Commented:
Sounds like someone's asking about PCI compliance. You've already gotten some good answers (BitLocker's quick and easy, and if you're just concerned about database data, the suggestion about SQL Always Encrypted is a good one), but just in case you're not sure what it MEANS as a concept...

Imagine you have a web application that is rock-solid and REALLY REALLY secure. The code has oodles of layers of security, two-factor authentication, been pen-tested, etc... Now imagine your web application is physically hosted on a server in some network room. It turns out that a disgruntled ex-employee's keycard still works, so at night he goes into the room and steals the server.

Now, the Windows passwords have changed, so he can't log in, so he turns off the PC and pulls out the hard drives and plugs the drives into his own computer.

At this point, he can copy all the data from that connected hard drive without knowing the Windows password. That means he could copy the database and access the data inside.

However, if you have some kind of encryption-at-rest implemented, it means that your data is SAVED in an encrypted form (while it's "resting"), so that even if this hacker guy copied everything from the server, he'd just be copying encrypted data and he wouldn't be able to use it without the decryption key, so that kind of physical attack is rendered useless.
