RESET Forums (homeservershow.com)

BitLocker



Drashna Jaelre

I still can't figure out how to encrypt the automated server backups.

 

I am not an IT-guy, I configured the trial server WS2012R2E always following the recommended options. BitLocker is my first attempt at going a little beyond that, and I need a bit more advice, thanks!

 

Oh, yeah. Add a drive letter to the drive. If you don't, it doesn't let you encrypt it by default. Once you've added a drive letter, you should have the option to encrypt it.

Or it may be possible to encrypt it without the drive letters, if you use the command line tools (but that's more difficult).

 

The TPM module is a cryptoprocessor for dealing with keys and signatures only. It isn't capable of helping with encryption/decryption of actual data on disk or network. The module is designed to be relatively resistant to attack instead of high speed and sits on a low speed bus to the rest of the system. You need crypto accelerator cards such as the nCipher range or a drive that natively supports encryption.

 

There is one thing to be wary of when using full disk encryption such as BitLocker, and that is when you're pairing it with an SSD with a controller such as the SandForce range that uses compression + deduping to achieve the high throughput. The raw data is quite likely to be easily compressed but once encrypted, the data will appear to be random with no patterns. This will incur a performance penalty when using those types of SSD controllers.

 

If you want BitLocker on an SSD then make sure to get an SSD that supports the Microsoft eDrive standard. This allows the BitLocker system to offload the crypto to the drive itself from the CPU. This allows faster performance since it is done in dedicated hardware inside the drive and the drive has much greater control of the flash since it knows what is real data and what is junk that can be trimmed.

AH, okay, thank you for the information.

From what information I could find, well, that was the implication.

But thank you for clarifying!

 

As for the eDrive standard, do you know of a list of compatible drives?

The closest I've found is that the Crucial MX500 series supports it, but that's about it.

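The compression point quoted in the post above, as an added example that is not part of the original thread: the script deflates a block of repetitive data before and after AES encryption and reports how much each shrinks. The sample data is constructed, and .NET's AES-CBC with a throwaway key stands in for full disk encryption; it is not BitLocker's on-disk format.

```powershell
# Constructed sample: about 1 MB of repetitive text, standing in for
# typical compressible file data (logs, documents, databases).
$line  = 'server backup log entry 0001: OK' + "`n"
$plain = [Text.Encoding]::UTF8.GetBytes($line * 32768)

# Returns the size in bytes of $Data after DEFLATE compression.
function Get-DeflatedSize([byte[]]$Data) {
    $out = New-Object IO.MemoryStream
    $mode = [IO.Compression.CompressionMode]::Compress
    $z = New-Object IO.Compression.DeflateStream($out, $mode, $true)
    $z.Write($Data, 0, $Data.Length)
    $z.Dispose()              # flushes the final compressed block into $out
    $size = $out.Length
    $out.Dispose()
    return $size
}

# Encrypt the same bytes with AES-CBC under a random, throwaway key and IV.
# Assumption: this is only a stand-in for what disk encryption does to the data.
$aes = [Security.Cryptography.Aes]::Create()
$aes.Mode = [Security.Cryptography.CipherMode]::CBC
$aes.GenerateKey()
$aes.GenerateIV()
$encryptor = $aes.CreateEncryptor()
$cipher = $encryptor.TransformFinalBlock($plain, 0, $plain.Length)
$encryptor.Dispose()
$aes.Dispose()

# Builds one report row: original size, deflated size, and their ratio.
function Measure-Compressibility([string]$Label, [byte[]]$Data) {
    $deflated = Get-DeflatedSize $Data
    [pscustomobject]@{
        Data     = $Label
        Bytes    = $Data.Length
        Deflated = $deflated
        Ratio    = [math]::Round($deflated / $Data.Length, 3)
    }
}

# A ratio near 0 means highly compressible; a ratio near (or above) 1 means
# a compressing SSD controller has nothing left to gain.
@(
    Measure-Compressibility 'plaintext'      $plain
    Measure-Compressibility 'AES ciphertext' $cipher
) | Format-Table -AutoSize
```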
Popular Posts

Bitlocker protects against offline access to data - either by booting to a different device (USB or CD) or by pulling the hard drive and accessing it from another computer.  It does not protect agains

By default, BitLocker does require a TPM, which we discussed earlier; thankfully a simple GPO setting can resolve that. When there is no TPM on the mobo, you must have a USB stick. There's just no way


GotNoTime

As for the eDrive standard, do you know of a list of compatible drives?

The closest I've found is that the Crucial MX500 series supports it, but that's about it.

I've only personally used it on the Intel S2500 SSDs but Samsung have it in most of their SSDs as well now. IIRC Samsung added it around the time of the 840EVO drives. The actual standard you're looking for is TCG Opal and IEEE 1667. If the drive supports both of them then it counts as being Microsoft eDrive compatible.
ServerRookie

Thanks folks, especially Drashna, I got my trial network encrypted :) 

Wish me luck if I have to recover anything with all that encryption :lol:

----------------------

Someone said he likes to be 90% secure (rather than 30% secure).

Am I really that secure? I'll start a new topic.


Just to be clear, there should be zero % luck when it comes to restores. Now that you have your encryption set up, the first thing you should do is test the restoration process. Do not assume it will work -- make sure it will. I personally like to document the procedure for myself, because it's often very seldom used.

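A read-only check that goes with the eDrive discussion and the restore-testing advice above, added as an example and not written by any poster in this thread: it lists each volume's BitLocker state, whether the encryption is being done by the drive hardware, and whether a recovery password protector exists. It assumes an elevated PowerShell session with the BitLocker module (Windows 8 / Server 2012 or later).

```powershell
# Read-only audit: nothing here changes BitLocker configuration.
$report = Get-BitLockerVolume | ForEach-Object {
    # Names of the key protectors on this volume (Tpm, RecoveryPassword,
    # ExternalKey, Password, ...). Empty for an unencrypted volume.
    $types  = @($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $method = "$($_.EncryptionMethod)"

    [pscustomobject]@{
        MountPoint          = $_.MountPoint
        VolumeStatus        = "$($_.VolumeStatus)"
        ProtectionStatus    = "$($_.ProtectionStatus)"
        EncryptionMethod    = $method
        # 'HardwareEncryption' is what the module reports when the drive
        # (eDrive: TCG Opal + IEEE 1667) encrypts instead of the CPU.
        HardwareEncrypted   = ($method -eq 'HardwareEncryption')
        KeyProtectors       = ($types -join ', ')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

$report | Format-Table -AutoSize

# Flag volumes that are encrypted but have no recovery password protector:
# if the TPM or USB startup key is lost, there is no fallback for them.
$report |
    Where-Object { $_.EncryptionMethod -ne 'None' -and -not $_.HasRecoveryPassword } |
    ForEach-Object {
        Write-Warning "$($_.MountPoint) is encrypted but has no recovery password protector."
    }
```

When `HardwareEncrypted` is true, the confidentiality of the data depends on the drive's firmware rather than on BitLocker's software AES. A recovery password only helps in a restore if it is recorded somewhere other than the encrypted volumes themselves.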
ServerRookie

Sage advice indeed, and OUCH :(

 

From Launchpad of client device > Dashboard > Devices > Restore files or folders > window opens showing list of available backups and select a particular backup > click 'next' > Error Message window :(

------------------

Restore Files and Folders wizard has stopped working

A problem caused the program to stop working correctly.

Windows will close the program and notify you if a solution is available.

------------------

It is a task that I verified to work before BitLocker.

 

How do I rectify the problem?


I'm really glad you decided to test it out. It's unfortunate you ran into an issue, but better now than later (when you really, really need it ;) ).

 

I'm sorry, I haven't touched BitLocker in years, so I can't offer any advice (in case it wasn't clear, when I said I like to document my restoration process I mean any restore process, whether it uses BitLocker or not.).

ServerRookie

Yes, it was really good advice, I learned something: after making changes, the backup wizard and the restore wizard should always be tested back to back. Moreover, it turns out that server backup is also broken. I summarize the issue in case some BitLocker expert can give me some suggestions.

--------------------------------

BitLocker breaking restore wizard and server backup

 

I am running the free trial of WS2012R2E and encrypted the C: and D: partitions of the server HDD with BitLocker. I can still back up client X running W8.1 Pro with BitLocker and client Y running W7 without BitLocker. However, the 'Restore Files or Folders' wizard no longer works for either client X or client Y. (I verified the restore wizard to work before BitLocker.)

 

I can no longer do a server backup (of the server encrypted with BitLocker) to an external USB HDD (which is encrypted with BitLocker To Go)

--------------------------------

I really like to keep BitLocker in the network, help!


Just to clarify, you can't back up the server to the encrypted USB HDD, or you can't do a restore from the external?
