Solution
Encrypting data stored on a network file server is possible. However, it affects every user of the server and behaves differently across host environments, so make sure you fully understand the process before deploying it to a live server.
Using encryption on a server does not provide any audit reports of access beyond those already provided by the host operating system.
There are two methods of encryption that might provide the required security:
Granular Encryption
You can run ESET Endpoint Encryption (EEE) on connected client machines and use the software to create encrypted containers to store sensitive data on the server. This method can also be used with non-Windows file servers and Network Attached Storage devices. The container types detailed below can be used for this purpose:
- Encrypted Archives
- Individually Encrypted Files
- Encrypted Virtual Disks
- Text encryption
It is not possible to use folder encryption over a network; for details, see the article: I am unable to encrypt a network folder
Full Disk Encryption
You must first understand how Full Disk Encryption (FDE) functions and which attack vector it defends against before considering it as a solution for securing a network server.
For ease of maintenance, FDE should only be used in a server environment where absolutely necessary. FDE prevents files from being read or copied from the disks only while the machine is powered off, or after a restart until someone has authenticated at the bootloader; it does nothing for a server that is up and running.
Once you have authenticated with your credentials through the EEE bootloader, an FDE system serves files and shares exactly as it did before encryption.
FDE does not provide any level of access control beyond what the operating system itself provides. It does not prevent an attacker who exploits the running operating system from retrieving data from the server across the network.
If the threat you are defending against is data being read from the running server over the network, rather than theft of the physical disks, then an encrypted container stored on the server, such as a virtual disk that clients open with EEE, is the more suitable solution. The advantage of this scenario is that only the necessary and sensitive data is encrypted. However, keep in mind that only the first person to mount a virtual disk from the network gets read/write access; subsequent users get read-only access until every user has unmounted the disk.
If FDE is required, then the following caveats should be kept in mind when implementing the encryption:
- Make sure you fully test the encryption process and backup/disaster recovery procedures on an identical server setup (both hardware and software) before deploying to a live server.
- Verify the solution works correctly with the same disk controllers and drives that are used for storage on a test server. This is especially important if the machine uses RAID storage.
- If the server is under high demand, there will be a performance overhead due to the encryption.
- If admins use Remote Desktop or similar remote access software, rebooting the system will require someone physically present at the server to log in through the EEE bootloader. By installing DESlock+ v4.8.17 / EEE v5.0 on a workstation with a Trusted Platform Module (TPM) enabled, it is possible to configure 'No Extra Authentication' mode. This mode does not require authentication at the EEE bootloader, so the machine boots straight to the Windows logon. Note that this shifts the security to the Windows logon: the encrypted disk is already unlocked before any user authenticates. See the articles below for more information:
Trusted Platform Module (TPM) Support
Trusted Platform Module (TPM) FAQ
An additional feature that could be utilized is 'Maintenance Mode'
Full Disk Encryption Maintenance Mode
Note: Some remote hardware keyboard devices, such as KVM-over-IP units, should allow logging in through the bootloader, because they are initialised by the machine's BIOS before the operating system loads.
- If the encrypted machine is to be managed by an ESET Endpoint Encryption Server (EEE Server), it is important that the EEE Server is not hosted on the same machine, because access to the EEE Server is needed to recover the FDE logins should they be forgotten. Otherwise it is like locking the emergency code for a safe inside the safe.
- FDE is only possible on Windows machines. It is not possible to FDE NAS devices or Linux-based servers.
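As an added example that is not part of this article and is not ESET tooling: a PowerShell pre-flight script that checks the conditions raised in the caveats above before FDE is attempted on a server. It confirms the machine is a Windows server, reports whether the TPM is present and ready (required for 'No Extra Authentication' mode), writes a controller and disk inventory to a JSON file so the test and live servers can be diffed (flagging RAID bus types), and optionally checks whether a service belonging to the EEE Server is installed on the same machine. The inventory path and the $EeeServerServiceName parameter are assumptions; supply the service name registered by your own EEE Server installation, or leave it empty to skip that check.

```powershell
<#
  FDE pre-flight checks for a Windows server.
  Added example, not ESET's own tooling. Run as an administrator on the
  test server and on the live server, then diff the two JSON files.
#>
[CmdletBinding()]
param(
    # Assumption: where the inventory is written for comparison between servers.
    [string]$InventoryPath = "$env:TEMP\fde-preflight-$env:COMPUTERNAME.json",
    # Assumption: the Windows service name your EEE Server installation registers.
    # Leave empty to skip the co-hosting check.
    [string]$EeeServerServiceName = ''
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. FDE is only supported on Windows; warn if this is a workstation edition.
#    Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -eq 1) {
    $findings.Add("OS reports a workstation edition ($($os.Caption)); confirm this is the intended server.")
}

# 2. TPM state, needed for 'No Extra Authentication' (boot straight to Windows logon).
$tpm = $null
try {
    $tpm = Get-Tpm -ErrorAction Stop
} catch {
    $findings.Add("Get-Tpm failed: $($_.Exception.Message). Assume no usable TPM; bootloader logon will need someone at the console.")
}
$tpmSummary = $null
if ($tpm) {
    $tpmSummary = $tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, TpmOwned
    if (-not $tpm.TpmPresent) {
        $findings.Add("No TPM present; 'No Extra Authentication' mode is not available.")
    } elseif (-not $tpm.TpmReady) {
        $findings.Add("TPM present but not ready (Enabled=$($tpm.TpmEnabled), Activated=$($tpm.TpmActivated), Owned=$($tpm.TpmOwned)).")
    }
}

# 3. Storage inventory: controllers, physical disks and bus types. The test server
#    must use the same controllers and drives, especially when RAID is involved.
$controllers = Get-CimInstance -ClassName Win32_SCSIController |
    Select-Object Name, DriverName, Manufacturer
$physDisks = Get-PhysicalDisk |
    Select-Object FriendlyName, Model, BusType, MediaType, Size
$disks = Get-Disk |
    Select-Object Number, PartitionStyle, BootFromDisk, IsSystem, IsBoot, Size

if ($physDisks | Where-Object { $_.BusType -eq 'RAID' }) {
    $findings.Add("RAID bus type detected; verify the EEE bootloader sees the array on an identical test server before encrypting.")
}

# 4. Optional: the EEE Server must not live on the machine being encrypted,
#    otherwise the recovery data is locked inside the disk it is meant to recover.
if ($EeeServerServiceName) {
    $svc = Get-Service -Name $EeeServerServiceName -ErrorAction SilentlyContinue
    if ($svc) {
        $findings.Add("Service '$EeeServerServiceName' is installed on this machine; do not host the EEE Server on the server you are encrypting.")
    }
}

# Write the inventory so the test and live outputs can be compared with a diff tool.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    OS            = $os.Caption
    Controllers   = $controllers
    PhysicalDisks = $physDisks
    Disks         = $disks
    Tpm           = $tpmSummary
} | ConvertTo-Json -Depth 4 | Set-Content -Path $InventoryPath -Encoding UTF8

if ($findings.Count -eq 0) {
    Write-Output "No blocking findings. Inventory written to $InventoryPath"
} else {
    Write-Output "Findings:"
    $findings | ForEach-Object { Write-Output " - $_" }
    Write-Output "Inventory written to $InventoryPath"
}
```

Run the script on the identically configured test server first, then on the live server, and compare the two JSON files: any difference in controller driver names, disk models or bus types means the test run did not exercise the same storage path as production. A TPM finding tells you whether someone will have to be at the console after every reboot, which decides whether 'No Extra Authentication' or a KVM-over-IP device is needed.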