Server Encryption Products?

Woodie

Platinum Member
Mar 27, 2001
2,747
0
0
Looking for advice on how to implement encryption/secure document storage on servers.

Requirements:
Need to store/backup documents on a file server or NAS
Some are "personal" documents, not meant to be shared (HomeDir)
Some are "project" documents, meant to be shared with selected other users (Shared)
Prevent Server Operators/Admins from accessing/viewing any of the documents
Encryption/file protection should be as transparent as possible to the users

Assumptions:
Clients are all Windows XP
Users are non-technical, VIPs
<50 users total
Several servers will be involved (less=cheaper=better)
All users/computers are domain members
Users are already using EFS to protect documents on their laptops
Some users have multiple workstations/laptops

Option #1:
Use Microsoft EFS to protect the data on the servers, share a recovery key amongst all the users, so they can decrypt all the "shared" documents.
But...means we have to purchase multiple Windows Server licenses, rather than leveraging NAS.

Option #2:
PGP Disk or TrueCrypt or something, and store the encrypted volumes on the servers
But...what happens when two users need to work on the same project at the same time?

Other options/suggestions?
 

stash

Diamond Member
Jun 22, 2000
5,468
0
0
What is the goal with encryption here? Is it to prevent administrators from accessing files stored on servers? You can do multiple user encryption with EFS, but it is on a per-file basis, which sucks if you have a ton of files. This would be better than giving everyone the same key though.

You may be aware of this already, but it bears repeating. The solutions you propose are file-level encryption solutions only. The data will still be sent in the clear over the wire, unless you have IPsec, SSL or some other way to encrypt over the wire.

The multiple servers and workstations will be a mess unless you have roaming profiles or DIMS. The DIMS client is technically only available for 2003 servers, but there is a client for XP SP2 that should be available soon. If you are not familiar with DIMS, it is a way to roam your certificates without using roaming profiles. The cert is stored as an attribute on the user object.
 

Woodie

Originally posted by: STaSh
The DIMS client is technically only available for 2003 servers, but there is a client for XP SP2 that should be available soon. If you are not familiar with DIMS, it is a way to roam your certificates without using roaming profiles. The cert is stored as an attribute on the user object.

Oooh, now THAT sounds interesting. I'll take a look at that. I was thinking EFS, since we have that, and it works today (in single-user mode). At this point we're aware of the EFS encryption limitation, but it's not perceived as a significant concern/risk at this point.

People (and compliance officers) are more concerned with sensitive data being readily visible by the newest sysadmins, just by poking around.

For the EFS part, I was thinking multiple users, who all happen to have a Recovery Agent cert loaded onto their profiles as well. Set a separate recovery policy for this server, and let the users share the "special" recovery agent. That way they can decrypt any files on the server that they have access to (separate shares/ACLs per project). Sysadmins would still be able to back up the files, but not view them. At the same time, I can recover encrypted files (with the corporate recovery key) for the users if they lose their keys (and they grant me access).


 

Markbnj

Elite Member
Moderator Emeritus
Moderator
Sep 16, 2005
15,682
14
81
www.markbetz.net
Check out Truecrypt (free), or Bestcrypt (commercial). Both packages allow you to create strongly encrypted virtual volumes and mount them as drives. You can either mount one on a server and share it out, or give each user their own.
 

Woodie

I took a look at Truecrypt (and Bestcrypt). How does either of these handle multiple users attempting to update/access files in the same virtual volume?

I'm assuming that it's a one-user at a time solution.
Bestcrypt does have the "Enterprise" version though, which looks interesting, but probably not going to make it.
 

Markbnj

Yes, they are both "one user" systems in terms of there being a single password that unlocks the volume at mount time. But once it is mounted, of course, many users can be updating and reading from it.

Edit: guess you could give each user their own volume.