Jump to content
RESET Forums (homeservershow.com)

impacts of encryption on server restoration?


nrf
 Share

Recommended Posts

I've been considering adding encryption to my "server 2012r2 update with essentials experience role" system, but I am wondering how it would affect my ability to restore the server after a failure. The simplest form of encryption would be to turn bitlocker on for c: and any simple volumes. But what happens if I need to do a bare metal server restore? 

 

it seems I can restore c: by formatting and normal restore assuming the server backup drive is not encrypted, then turn on bitlocker again.

but what if I also had bitlocker on for the backup drive? do I have to make some specialized recovery disk?

 

inquiring minds want to know :)

 

thanks!

 

nrf

Edited by nrf
Link to comment
Share on other sites

I thought WSB backs up the C: drive unencrypted, even if you have BitLocker enabled on C:.

 

I suspect you will not be allowed to enable BitLocker on the dedicated WSB drive(s).

Link to comment
Share on other sites

I'm getting the hint here of 'do not bother to encrypt c:', I can live with that. but if I encrypt drives with my personal documents, I'd like the backup drive to be protected too. It doesn't look like wsb would let me have one backup drive for c: and another for the rest of the drives...

Edited by nrf
Link to comment
Share on other sites

I just did a little bit of research on BitLocker and it has more features than I remember. I think you should do some research on it. I found this article that seems pretty straight forward (some of them are rather convoluted): http://www.poweradmin.com/blog/encrypting-your-hard-drive-using-bitlocker-drive-encryption/

 

According to this article (https://technet.microsoft.com/en-us/library/hh228214.aspx) you can use encrypted WSB backup drives. The trick apparently is that, in order to do a Restore, you have to decrypt the backup drive before doing the Restore. The article talks about decrypting the drive by attaching it to a client computer that has BitLocker enabled, but the article author may have been assuming the server is toast, so it can't be used to decrypt the drive. The article is also about WHS2011 so I'm not sure if all the instructions would apply to WSE2012R2.

 

This article (https://technet.microsoft.com/en-us/library/dn306081.aspx) talks about changes to BitLocker in WS2012R2.

Link to comment
Share on other sites

sounds like I can accomplish this then. given bitlocker's refusal to work with software raid...

  • veracrypt the software raid volume
  • bitlocker the wsb drive(s)

or for simplicity's sake I could use veracrypt all around

in the unlikely event of needing to bare metal restore the server, I would have

some extra steps decrypting. so far I have not had to do it in my several years

with home servers. Clients - lots of times :)

 

thanks for the tips!

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...