Posted (edited)

Alright, so I'm running the network for a school [duh, it's why we're here :p ] but I'm wondering about encryption. I'm only 20, and back when I was in high school before University, our board office got broken into and they went for the IT department and took a ton of hard drives and backup tapes. All of which were encrypted. As Network Administrator in the school district now, I want to make sure the same thing doesn't happen here at this high school.

 

I love TrueCrypt, everything I've ever heard about that program completely owns. However I'm curious as to how it does with encrypting a full hard drive, and what would prevent an attacker from just booting that hard drive up. Does TrueCrypt load before the OS loads? How does that work in your experience?

 

Basically I just want to have all our servers encrypted, so in the event of someone getting a hold of them, they wouldn't be able to log in of course from a secure Windows password, but what would prevent them from stealing the drive and reading it at home? If there's an encryption method that you guys use for encrypting the entire server, please do share!

 

Also any client encryption would be great, but not as needed since all files are saved to the server and not locally.

 

I found PGP online, they look like an excellent company. But we're running out of money here in the IT budget for this year since a lot of things needed to be changed. TrueCrypt attracts me because it's open source, but PGP attracts me because of how easy and manageable it looks. However at a little over 100 bucks per machine [it looks like, unless I'm reading wrong] it could get very pricey.

 

Thanks for any advice!

Edited by link470
Posted

Ok so they wouldn't be able to boot your server if they stole a whole machine.

 

But if they just take the backup tapes these are copies of the live system data which isn't encrypted, unless you encrypt before or as you backup?

 

Ben

Posted

This is a concern of mine also. Since the loss of sensitive data in the government I'm always wondering what measures we have in place.

 

We have CCTV, locked doors, safe, separate alarm system etc. but should a tape get stolen then how would we ensure it cannot be opened?

 

I thought that if a user encrypted a file then that file would never be accessible again if the user account was removed. Which happens.

 

Also with TrueCrypt, encrypting an entire HDD would have performance issues and issues about recovery. Seems very long-winded and difficult to implement whilst on a live system.

 

Fortunately the really sensitive data is on sims and only read remotely, nothing is stored on users' laptops.

 

Would you all agree that as long as the physical security is in place and that folder permissions are maintained and tight then extreme attempts to get this data are required, e.g. someone breaking into the office and ripping the safe from the wall?

 

How far do we go?

Posted
You need to consider the performance hit that live encryption will take. Also, will it mess with your antivirus? I know some encrypted files can't be scanned.
Posted
I thought that if a user encrypted a file then that file would never be accessible again if the user account was removed. Which happens.

 

I would hope that the encryption solution chosen would work in a similar way to (properly set up) Windows encryption - domain admins would have the ability to unencrypt any file, either through a recovery certificate or assigned rights.

  • 2 weeks later...
Posted

This has crossed my mind before too. Although there is physical security it's not impossible to get through. Plus it only takes one person to leave the door unlocked (Site manager, Techies & a few others have access to the room).

 

You need to consider the performance hit that live encryption will take. Also, will it mess with your antivirus? I know some encrypted files can't be scanned.

 

I don’t normally put AV on a server.

 

Z
