Encryption with network servers
Encryption of data stored on a network file server is possible. However, because of its effect on the user base and the variety of host environments, the process should be fully understood before it is deployed to a live server. Using encryption with a server does not provide any audit reporting of access beyond what the host operating system already provides.
There are two methods of encryption that might provide the required security.
Granular encryption
It is possible to run ESET Endpoint Encryption (EEE) on the connected client machines and use the software to create encrypted containers in which to store sensitive data on the server. This method can also be used with non-Windows file servers and Network Attached Storage devices. The container types detailed below would be suitable for this purpose:
It is not possible to use folder encryption over a network; see this article for more details: I am unable to encrypt a network folder
Full Disk Encryption
It is important to understand the attack vector being defended against, and how Full Disk Encryption (FDE) functions, before considering it as a solution for securing a network server. For ease of maintenance, FDE should only be used in a server environment where absolutely necessary.

Full Disk Encryption prevents files being accessed or copied from the machine only while it is powered off, or after a restart before the bootloader authentication has completed. Once you have authenticated with your credentials through the EEE bootloader, a full-disk-encrypted system provides files and shares data just as it did before encryption. FDE does not provide any level of access control beyond that provided by the operating system itself, and it does not prevent data being retrieved from the server across the network by an attacker exploiting the operating system.

If that is the attack vector being defended against, an encrypted container stored on the server, such as a virtual disk, and accessed by the clients using EEE at the client end would be a more suitable solution. This has the advantage that only the necessary sensitive data is encrypted. However, keep in mind that only the first person to mount a virtual disk from the network gets read/write access; subsequent users get read-only access until the drive has been unmounted by all users.

If Full Disk Encryption is required, the following caveats should be kept in mind when implementing the encryption:
KB430 - Trusted Platform Module (TPM) Support
KB439 - Trusted Platform Module (TPM) FAQ
An additional feature that could be utilised is 'Maintenance Mode':
KB471 - Full Disk Encryption Maintenance Mode
Note: there are some remote hardware keyboard devices that should in theory allow login through the bootloader, as they load with the BIOS of the machine.
Keywords: nas fileserver domain encrypt server encryption server network