Jump to content
RESET Forums (homeservershow.com)

Full drive encryption?


scottbakertemp
 Share

Recommended Posts

I'm trying to come up with a way of keeping my user data and photos safe even if someone was to come in and steal all my PC's. I have lots of media and software on my WHS as well but that's not a big deal if some one steals that.

 

Currently my data is all stored on a mediasmart WHS v1, but I'll be upgrading to a DIY WHS 2011 box later this year.

 

My best theoretical solution is this:

- Have the WHS data drives encrypted so if someone removes them the data would be inaccessible (does full drive encryption even do this?)

- Have a power shell script or something (running on the WHS) that changes my user directory passwords daily based on the date or something. Maybe this part wouldn't be necessary if I turn off the auto log on feature on every PC in the house - I'm not sure.

 

What do you guys think? Are there any glaring holes in my strategy? Is this even possible? I have a DIY off site backup solution and I'll need to implement the same thing there as well.

 

thanks,

-Scott Baker

Edited by scottbakertemp
Link to comment
Share on other sites

  • Replies 54
  • Created
  • Last Reply

Top Posters In This Topic

  • scottbakertemp

    15

  • jmwills

    12

  • jeffla

    7

  • ikon

    17

You should contact the developer of the SMART addin. He has been working with bitlocker.

Link to comment
Share on other sites

thanks Diehard - I'll test this out in a SBS 2011 trial VM.

 

I'll report back on my findings.

Link to comment
Share on other sites

I can answer one of the questions. Yes, full drive encryption makes it virtually impossible for anyone to retrieve your data. Please note: I am not saying this will work in WHS2011. I don't know the answer to that, but, I do know that good drive encryption scrambles all the data on the drive.

Link to comment
Share on other sites

Certainly whole drive encryption will work and my employer uses it, however, unless you have an offsite copy of your data, what good is all the protection?

Link to comment
Share on other sites

Certainly whole drive encryption will work and my employer uses it, however, unless you have an offsite copy of your data, what good is all the protection?

 

I already have an off site backup solution.

Link to comment
Share on other sites

Diehard is right - I've been working with BitLocker since I first got my hands on it when Windows Vista was still in beta.

 

My Home Server SMART 2012 add-in has BitLocker management capabilities. If you install the add-in and go to the BitLocker tab, it'll tell you if the BitLocker feature is enabled. If it's not, click the enable button provided, accept the confirmation and then reboot your server when instructed (enabling of BitLocker causes Windows to install a driver requiring a reboot).

 

If your server has a Trusted Platform Module, you can encrypt your system volume and all of your other disks right away. Chances are this is not the case, however, so some group policy changes are needed to allow encryption of the system disk w/o a TPM. You'll need a flash drive so BitLocker can write the startup key.

 

You can also encrypt all of the data volumes, whether they're SATA, eSATA, PATA, SCSI, USB or FireWire. If you've encrypted the system volume, you can enable the volumes to automatically unlock at boot time. There is a "gotcha" here, though. The auto-unlock works automatically for SATA, eSATA, PATA and SCSI only, since BitLocker sees these as "fixed data volumes" (FDV). USB and FireWire disks are seen by BitLocker as "roaming data volumes" (RDV), and they will only unlock once the user that enabled auto-unlock logs in. It is for this very reason I wrote a "helper service" for disk pool users (StableBit and Drive Bender) that auto-unlocks USB/FireWire automatically at boot time and delays the start of the pooling service until the unlock is complete. Otherwise the disk pool would fail to start because the disks would remain locked until the user logged in.

 

If someone rips off your server and the flash drive, then the server will be bootable. However, without a password they can't get very far, so chances are they'll yank out the drives and plug them in elsewhere, in which case they will be completely unreadable without the key.

 

Years ago at work there was a slogan on posters promoting security that said "security - it's everyone's responsibility." This is now my tagline, and I encrypt ALL of my hard drives and ALL of my SSDs. The sole exception is my wife's laptop; I haven't been able to sell her on security yet. Her thought is since we don't "live in the 'hood," there's nothing to worry about. Plus one time when her laptop was encrypted she went somewhere and forgot the flash drive... :(

Link to comment
Share on other sites

Thanks for all the great responses. I think I'm going to do the following:

Ensure all the clients in the house do NOT auto log in (except HTPC) including RDP connections and VMs.

 

My offsite backup PC and my HTPC are my 2 backup copies of all my server data. I'm working on creating truecrypt file containers on each that I can mount and backup user data from the server.

 

As for my server I'll have to wait until the finance committee approves a new WHS 2011 build later this year and then I'll use bitlocker to encrypt one of the drives. I still may try the idea of having a powershell script change the user log in passwords on the 2011 server - but I'm not sure that's necessary.

 

thanks again,

-Scott Baker

Link to comment
Share on other sites

  • 3 weeks later...

I finally got around to testing this. I set up Windows Home Server 2011 on a virtual box VM and an old core 2 duo PC. I tried setting up bitlocker manually and by using the SMART add in.

 

Just like

HSS Pro said I was told I need to encrypt the system volume to auto unlock another drive. However when I tried to do this I get a no TPM found error.

 

 

Any ideas? Do I need a special type of thumb drive or something?

Edited by scottbakertemp
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share


×
×
  • Create New...