Security: Bitlocker on WHS2011

  • Security: Bitlocker on WHS2011

    So here is the thing:
    1. I have a WHS2011 Server. It is located in a place where it will not be easily found in case of a break-in.
    2. I run backups and the backup drives are rotated offsite.
    3. I have two clients that are used by my wife (and her employee). These are fully encrypted using TrueCrypt so the information should be relatively safe in case of theft.
    4. However, other than the mail files (1 .pst and 1 Thunderbird), all sensitive data is on the server. All other data (my own, movies/music etc, kids), except for my own SQL Server databases, are on the server as well.
    5. I want to swap out the HDDs on my wife's company's computers for SSDs, not use TrueCrypt anymore and, hence, move the mail files to the server. This, I think, I can do (just hope .pst and Thunderbird profiles can be stored/used on a share on the server which has, on their computers, a drive letter through Map Network Location).

    My issue is this: the server is unencrypted. I'm protected reasonably well against fire etc. through the offsite backups but not against theft through which sensitive data might be exposed.

    What I would like is this:
    A. Fully encrypt the Server with BitLocker (or TrueCrypt)
    B. Ensure that the backup drives, which are rotating offsite, are encrypted as well.
    C. Have the Server be up and running without intervention after a reboot.

    I believe C can be achieved by having a key stored on a USB stick that is connected to the Server. In itself, this would make it insecure as a thief would have the key, but there is a workaround for this: I would connect the USB stick through a USB cable where the USB stick would be fixed and reside below the floor. They can get the Server alright but to get the key a thief would have to go under the house. It's all doable but it'll take a bit of effort that a common thief is not likely to exert. The probability of anyone targeting the information is (very) small. I just want to be able to say we've taken reasonable efforts to protect personal information.

    Is all this done easily? I've seen one piece of information where the instruction was to assign a drive letter to the backup drive and then have the server encrypt it (that is a BitLocker case) but AFAIK, as long as one assigns a drive letter to a drive, WHS Server Backup does not see the drive as a server backup drive.

    Moreover, I use Stablebit DrivePool and it'll need to work with this too (which I think it simply will).
    Join MURCs Distributed Computing effort for Rosetta@Home and help fight Alzheimers, Cancer, Mad Cow disease and rising oil prices.
    [...]the pervading principle and abiding test of good breeding is the requirement of a substantial and patent waste of time. - Veblen