Full Disk Encryption

thobel

Member
Joined
May 22, 2010
Location
NYC
Anyone have full disk encryption set up? I'm thinking about setting it up on my server

1) OC Raid 1 SSD
2) Raid 6 on dedicated raid card

I know for the OS you pretty much get asked for a password when you boot up?

I was wondering, with the data volume that HTPCs etc. access, would you be prompted to log in for each file? After it first connects? I'm worried it will become unmanageable
 
Why would you encrypt a server drive? It's just going to degrade performance on the array. Are you looking for file permissions rather than encryption?

If you're looking for file permissions, then install Server 08 and use the File Services role to set that up.
 
I want to secure the data on the server?

It's running on 2008R2 currently
 
I work as a Sys Engineer for a medical company, we have to be HIPAA, FIPA, and 40 other government certified standards. None of our servers have encrypted drives. Why? Because a server room should be in a locked environment with limited access. Now all of our laptops are encrypted. But encrypting your RAID array is as close as you can get to shooting yourself in the foot. It will drastically reduce performance. The best way to protect against access is a locked room or cabinet. After that comes firewalls, ACLs, VLANs, and a proper AD server.

I'm not sure what scale you are working with or what this server is doing, but there should be no reason to encrypt a server array.

The only time we encrypt server array data is when they get backed up to tape and sent out for storage. EDIT: Only the tapes are encrypted because they are leaving our secured area.
 
^ Sure. The primary reason for full disk encryption would be if you're worried that someone will steal the physical hard disk. That makes sense in a laptop, since they're designed to be portable. But a server with important data should be much easier to secure by conventional means.
 
For the love of god, don't encrypt a RAID array of any kind....

I've dealt with servers and systems with broken, corrupt RAID drives. That data is literally gone if you encrypt it and then have a hardware problem with the hard drive...

Even Truecrypt recommends against encrypting a RAID array.
 
ok...

So let's assume the data I want to make sure NO ONE can recover/access is worth the performance hit and worth losing the data rather than it being accessed/recovered?

As an example: Me humping a pink poodle holding a dozen roses. Some stuff you do not want anyone to have access to, either via stealing the disks, remote hack etc.
 
So what you're saying is that if something goes wrong, losing data is acceptable? So in exchange for increased security you're willing to lose the data entirely? That makes some sense for some applications. If you have a database of customer credit cards, for example, you could always ask the customers for their card numbers again if something goes wrong, but you never ever want someone else to get them.
 
What is your current setup? Is this a home network, a business, etc.? I can't give much info unless I know that.

The best way to start keeping people off your box is firewalls and secure passwords. If you have those two things set up that will keep most people from gaining access.

Now when it comes to someone physically being able to steal your equipment you will need to put it in a locking server rack: http://www.mobile-tronics.com/kenda...rack-cabinets-w2-ventilated-doors-p-1758.html

And then either bolt it to the floor or make sure the rack can't fit out the door once assembled.

But it's really difficult to give you advice without knowing the application.
 
Someone correct me if I'm wrong, but if you want some files or folders to be undetectable/unrecoverable by reasonable means, it may be possible to use Truecrypt to create an encrypted virtual drive instead of trying to encrypt your entire array. I use this setup on my laptop and it contains any sensitive information I have. Unless extreme measures are taken there is no way anyone would even know it's there.
 
It's a home server. RAID array is 30TB, 15TB used. I'm more worried about physical access to the box. The data is nothing more than media. Let's assume the Movie/MP3 police show up..

I can't do one drive because the data is way too big for one drive.
 
This might be a bit extreme, but if you're really concerned about the DRM police breaking down the door you could always install some self-destruct software. I've talked to one of my professors about this type of application in the past, but I can't remember the company. There are utilities out there that would allow you to wipe your entire array remotely, even from a smartphone. Something kind of like this

http://www.pcworld.com/article/1255...en_laptop_will_selfdestruct_in_5_seconds.html

I'm not going to pretend to know what forensic abilities DoJ, Homeland Security and FBI have at their disposal though, and it's quite possible that even with something like this the data could still be recoverable.
 
This is your best option: http://technet.microsoft.com/en-us/library/cc875821.aspx

I would not use anything else. This works well, but it is a bit more complicated to set up with a DFS, for example, but that article is pretty good.

Basically EFS is a built-in quality of NTFS, and it can only be accessed by the user who encrypted it or if they have the key (256 AES I believe)

Hope that helps, as this is the best way to get this on a server and is certified by MS and will not hit performance that bad. You can also PM me if you need help, but it shouldn't be too bad if you've gotten your server up to this point.

EDIT: I believe you can allow a group perms to access as well. Also keep in mind this does not encrypt the drive! It encrypts selected folders and files.
 
I looked at it, but as crazy as this sounds I don't like the idea that the data can be recovered with anything other than the password.
 
There is no password, it is a key created by the server. The only time a password is made is when you make the recovery cert. After the cert is injected the key is encrypted. The only time you need to use that password is when the server goes down and you need to reconnect that array to another box. Otherwise a cert is assigned to a user to grant access (similar to how Kerberos works). Even if the user got their hands on the recovery password (which you wouldn't have out in the open anyway), they would also need the generated recovery file, which you would also have stored, say, on a biometric flash drive ;)

Read more into EFS; it will do what you want it to do. I think you're just missing a few key points on how the technology works.
 
Not only does this idea sound absolutely absurd, it isn't going to provide feasible protection from "the police". If they want to get the data on the drive, simply saying "oh, I forgot the password, sorry guys" isn't going to get you off the hook. I believe they can hold you in contempt without a limit if they have reasonable suspicion that you know the key. For example, a computer that you use frequently or on a daily basis you would know the password for. This renders your encryption completely useless and sort of goes against you, especially if you give up the key and then they find bad datas.

If someone other than the police wanted the data, it would be easier to simply take the data off the running server instead of cracking the encryption. If the server is running, the drives are effectively unlocked, which defeats the purpose of the encryption. The only time encryption will come into play is if they get all the hard drives that are in the RAID array, the same controller (or they just take the whole server) and it was powered down. But, if a random burglar is going to break into your house, the server is going to be at the bottom of their target list. They want items that they know they can sell, and this thing that sounds like a vacuum and has blinky lights over it does not fit that description. This renders your encryption useless because it is a scenario that will never happen. If the person wants your data and they know computers enough, they'd just break in with other methods (i.e. internet).

And if it is really just movies like you state, who is going to go through all that trouble when they can get it through other means? Bottom line, encryption for this is completely useless, infeasible and going to create a hell of a lot bigger headache than it is going to solve. You either are leaving out a huge portion of this story or are overly paranoid. If the data is that bad, just wipe the damn thing.

Encryption is very good in mobile devices, like laptops or cell phones. The chances of that being stolen are infinitely larger than someone breaking into your home with the intention of stealing whatever information you have on your RAID array and having the knowledge to get access to said data.

Not to be rude here, but do you get where I'm going with this?

EDIT: Unless we are talking mob-level/multi-million dollar stuff here, in which case my entire post is useless, and you have a right to be paranoid. Also, I want a cut of whatever you are making.
 
With EFS the folders are not unlocked unless they are being used or accessed; otherwise they are locked. The only way to open them would be with the proper cert. Can you break that? Sure, but good luck.

Secondly, I agree this is absolutely insane, as even my multimillion dollar datacenter does not use server-side encryption. But we do use bulletproof doors and rebar-reinforced concrete. I'm just trying to give a solution to what he wants. Do I think it's needed? Not even in the slightest. Because if you have something to hide, well, then you're doing something wrong (at least in a home network).

As I said before:
1) protect against physical access
2) protect via firewall and strong passwords

Do those two things and you will have your things protected enough for a home network. If you really want it encrypted, then go ahead.

thideras: I believe with the police forcing you to give up a password, even if it is copyrighted data, if your drive is encrypted it is secured for a reason. Maybe with a search warrant there can be some room there, but there would need to be evidence. We actually had an issue a few months ago where someone got in some type of trouble and the police needed access to an employee's HDD, and we did not grant them access to the drive due to sensitive data; it even went to court and they still didn't get access. Now this guy didn't kill anyone or anything crazy, but still, it would need to be a pretty severe crime for them to do something like that. Just my own .02 though.

Sorry for the long post.
 
I apologize for the confusion. My post was not responding to anything you had said.
 
I actually think I've read a few guides dealing with this particular situation, and how to avoid higher authorities (FBI/police) from gaining access to your data.

However, this was in context of accessing the deep web, so I'd rather have a mod's approval before linking.
 