File Encryption

  • Question

  •   I need to encrypt a folder with sensitive information on my server. How do I do this? Is it safe to do? Also, how would I go about restoring it in a failure? Thanks
    Tuesday, October 7, 2008 4:23 PM

Answers

  • Hi,
    sure you can use it, but not together with folders managed by Drive Extender. The WHS components are not programmed in a way, that they take care about encryption.

    An external drive (especially USB) can have difficulties with sharing, since it is often not ready, if the sharing process already runs.

    Best greetings from Germany
    Olaf
    Wednesday, October 8, 2008 2:51 PM
    Moderator

All replies

  • I need to encrypt a folder with sensitive information on my server. How do I do this? Is it safe to do? Also, how would I go about restoring it in a failure? Thanks
    Tuesday, October 7, 2008 4:20 PM
  • AFAIK, Drive Extender doesn't support NTFS encryption/compression. If you encrypt a folder using NTFS, you'll likely be getting network health warnings, because DE won't be able to manipulate the files.
    I'm not on the WHS team, I just post a lot. :)
    Tuesday, October 7, 2008 4:38 PM
    Moderator
  • Is there anything I can do to encrypt files?
    Tuesday, October 7, 2008 4:53 PM
  • I use TrueCrypt (http://www.truecrypt.org/) for this.  Create the TrueCrypt file on the WHS share and then mount it whenever you need to access the "sensitive" files it contains.  Unmounted, the volume looks just like any other file.
    Tuesday, October 7, 2008 5:11 PM
  • Thank you very much. Any other options?
    Tuesday, October 7, 2008 7:15 PM
  • If you use a drive not in the storage pool, you could share a folder on it separately and use NTFS encryption on this folder.
    But be aware that you may lose all access to these files if you need to reinstall WHS.

    Read the following document carefully to understand how EFS works and what you should do to recover the files in case of an OS disaster:
    http://technet.microsoft.com/en-us/magazine/cc160993.aspx
    Best greetings from Germany
    Olaf
    Tuesday, October 7, 2008 7:21 PM
    Moderator
  • I understand EFS. But is it any different with WHS?
    Tuesday, October 7, 2008 7:27 PM
  • As I said, Windows Home Server doesn't support the storage of EFS-encrypted files in the WHS shares. You can use a tool like TrueCrypt to store what's effectively an encrypted virtual drive, you can use some other tool to encrypt the files, or you can store them on a drive that's not in the storage pool (and so not subject to DE).
    I'm not on the WHS team, I just post a lot. :)
    Tuesday, October 7, 2008 8:03 PM
    Moderator
  • I went on and saw the option is available to encrypt a file or folder. Why can't I just use this? Also, if I hook up an external drive can't I keep that out of the pool and use that?

    Wednesday, October 8, 2008 12:07 PM
  • Hi,
    sure you can use it, but not together with folders managed by Drive Extender. The WHS components are not programmed in a way, that they take care about encryption.

    An external drive (especially USB) can have difficulties with sharing, since it is often not ready, if the sharing process already runs.

    Best greetings from Germany
    Olaf
    Wednesday, October 8, 2008 2:51 PM
    Moderator
  • Thanks Olaf... Have you done this before? How do you turn off drive extender? What happens if I leave it on?
    Wednesday, October 8, 2008 10:59 PM
  • You should not turn off drive extender - it is a core component of WHS and needed for functional backup and folder duplication.
    As mentioned, on a separate disk, which is not part of the storage pool, there should be no problem to use NTFS encryption, since these drives are not under care of the WHS components.

    I have not done this before, because I have no data at my home which is important enough to be encrypted, and the risk of losing total access to encrypted data is larger than 0 (especially if you use the system also for a lot of testing, which ends more or less often in a server reinstall or clean install).

    Best greetings from Germany
    Olaf
    Thursday, October 9, 2008 7:32 AM
    Moderator
  • I understand this... But that is crazy. I'm supposed to go out and buy Windows Server 2003 Standard so I can encrypt files and not have my hard drives in a pool??? I don't want them in a pool I want to manually backup or use a backup program... I also want the drives separate..... I saw the encryption option is available.... What happens if DE is turned off and you use encryption? I mean people at home do have financial information they'd like to protect for example. So WHS doesn't protect those "private" files for people. I don't understand why they would try to sell it as a solution for home even though it is easy to use. People don't understand privacy and not having encryption undermines them.
    Thursday, October 9, 2008 2:16 PM
  • You are not forced to have all (later, after installation) attached hard drives in the pool. So you can use this feature with some (unsupported but functioning) manual interaction on the server.

    About your privacy arguments:
    People have also usually no encryption on their home PCs.
    They also would not understand how to back up EFS keys for being able to recover encrypted files in case of a crash or a reset password.
    (This part is often not even completely understood by IT Pros to be honest.)
    So why should WHS support a feature which most people would not use or would offer a good chance to lose access to own data?
    Best greetings from Germany
    Olaf
    Thursday, October 9, 2008 3:52 PM
    Moderator
  • jshoemaker21 said:

    I understand this... But that is crazy. I'm supposed to go out and buy Windows Server 2003 Standard so I can encrypt files and not have my hard drives in a pool??? I don't want them in a pool I want to manually backup or use a backup program... I also want the drives separate..... I saw the encryption option is available.... What happens if DE is turned off and you use encryption? I mean people at home do have financial information they'd like to protect for example. So WHS doesn't protect those "private" files for people. I don't understand why they would try to sell it as a solution for home even though it is easy to use. People don't understand privacy and not having encryption undermines them.

    Much of what Olaf says is true. Particularly about encryption--and high security in general--creating more problems for lots of home users than it solves. But Vista (Ultimate, anyway--not sure where EFS starts) offers better than this. If protecting your data from other members of the household is an issue, a portable hard drive locked away might be a better solution. Of course, only so many pictures and videos will fit on one. But some of these storage devices now reach up to TB and beyond capacities. Run on a Vista Ultimate platform, you could also encrypt the entire thing.

    Understand also that both Microsoft and the OEMs are PETRIFIED of enabling so many features in this cheap product running on cheap hardware that people will use it in place of (vastly more profitable) "server" hardware and "server" O/Ses. You can already see signs of channel seepage into small businesses here in the forum. This has to drive Microsoft and their OEMs NUTS. If you look at the price of Windows Server 2003 Standard, you'll understand why the answer to your question "[am I supposed to] go out and buy Windows Server 2003 Standard so I can encrypt files" is not as obvious to Microsoft as it is to you.

    Understand also that WHS is a v1 product and DEM is pretty complex stuff that is still in its infancy. Note the whole "data corruption" PP1 fiasco.

    Oh, and there are other things besides EFS that it JUST SEEMS OBVIOUS that DEM should deal with that it doesn't. Chief on my list is shadow copies of files.

    Maybe in the future more of the file system value adds will work with DEM. OTOH, maybe they'll try to further lock the power of the underlying OS behind the "it's just obvious that home users don't need this stuff" curtain. I'm sure it's a struggle between WHS developers and product managers every day.
    Thursday, October 9, 2008 7:36 PM
  • Well more people than you think are tech savvy. I am an IT pro. I manage 4 networks... I just want to know if it is possible to safely keep a drive out of the pool and manually perform backups to that drive and also encrypt a few files on the drive that is not in the pool??? Also... what happens with tombstones if there is only one HD in the pool??? Thanks

    Thursday, October 9, 2008 9:06 PM
  • jshoemaker21 said:

    more people than you think are tech savvy



    The problem is that those of us who are tech savvy tend to hang out in places like this and forget that we've self-selected to hang out with others who are tech savvy. From that we occasionally make mistaken inferences about the level of tech savvy in the population at large. Microsoft, OTOH, sees the average level of tech savvy at their tech support lines 24x7.

    The answer re. encryption in DEM has already been posted. As to the other questions, I'll let others more qualified take a swing at them. I suspect the answers are:

    1) Yes under the right conditions. I have an external drive that is not in the pool and is used more or less that way--though I've never attempted to mess with EFS on it.

    2) Tombstones probably get migrated to the first drive if they are maintained at all. I'd read the DEM backgrounder to see if it has a definitive answer.
    Thursday, October 9, 2008 10:44 PM
  • Is there anyone who can give me some definitive answers, such as someone on the WHS team??? Thanks

    I appreciate everyone's input.
    Friday, October 10, 2008 5:17 PM
  • Hi,
    Any drive which isn't part of the storage pool can be used for encrypted files - or anything else you want. However, you won't be able to use WHS to perform backups either to or from that drive as none of the WHS programs etc. will even know it's there. That shouldn't be too much of a problem though, as you could map this drive and use the Vista backup facility on a Client to Backup to that drive.
    Personally though, for sensitive data on one particular machine, I just use a couple of small USB external drives with TrueCrypt installed, and rotate them off-site as needed.
     
    Colin
    If anyone answers your query successfully, please mark it as 'Helpful', to guide other users.
    Friday, October 10, 2008 5:35 PM
    Moderator
  • Colin.... I appreciate it. Can I use Windows Backup to backup to the other drive? Also, what happens with those tombstones if only one drive is in the pool?
    Friday, October 10, 2008 7:09 PM
  • Does anyone know how?
    Monday, October 13, 2008 6:30 PM
  • Hi,
    For my purposes, I use SecondCopy to transfer the files from the Client to the external drives, but there is no reason why you shouldn't be able to use whatever you like, I would think.

    Regarding Tombstones, these only exist if there is more than one drive in the storage pool. The explanation from the documentation puts it well "The primary data partition is used to store a unique entry for each file. If a home server has more than one hard drive, these files become “tombstones.” Tombstones are NTFS file system reparse points that Windows Home Server Drive Extender understands. They are tiny files that redirect to one or two “shadow” files on the hard drives that make up the secondary data partition. The shadow files are where your data is really stored. If folder duplication is enabled for a Shared Folder, there will be two shadow files. If duplication is Off, there will be one shadow file."
     
    Colin
    If anyone answers your query successfully, please mark it as 'Helpful', to guide other users.
    Monday, October 13, 2008 6:44 PM
    Moderator
  • So Colin is this how you use your WHS?

    Monday, October 13, 2008 6:51 PM
  • No, all my servers have multiple drives and my test server also has the Backup duplication hack enabled, so it has duplicated Shared Folders, plus Duplicated Backups. This has been running like this for a couple of months now with absolutely no problems, so I'm considering doing the same on my production server.
    It's just that one of the Clients on my production server has a couple of folders which are excluded from the WHS backup process and are instead copied off to external encrypted USB drives which are rotated off-site.
    (I also have all my Shared Folders copied off to a NAS device using SecondCopy, and use the manual method of copying off my Backup database to another set of external drives which are rotated off-site as well.)

    Colin
    If anyone answers your query successfully, please mark it as 'Helpful', to guide other users.
    Monday, October 13, 2008 7:01 PM
    Moderator
  • The only reason I don't want to use drive duplication or Shadow Copy is the fact that I have things to encrypt. It's just one small folder. I have 2 SATA HDs in my Dell Server. What do you think the best solution is to accomplish my goal? Thanks
    Monday, October 13, 2008 7:50 PM
  • Personally, I wouldn't have it on the server at all but on a Client. This folder can then be excluded from the Client's backup regime.  From there, a small cheap USB drive could be used as either permanent or backup storage with whatever encryption you like being used.

    Colin
    If anyone answers your query successfully, please mark it as 'Helpful', to guide other users.
    Monday, October 13, 2008 8:18 PM
    Moderator
  • If you need to encrypt files, you will have to store them somewhere outside of the Windows Home Server shares. You can either store them locally on one of your client PCs (they'll be backed up normally by WHS) or you can add a drive to the server, but not to the storage pool, and create a share on that drive which you'll manage (including backups) yourself. Drive Extender just doesn't support encrypted (or compressed, since NTFS encryption and compression use the same basic algorithms) files.
    I'm not on the WHS team, I just post a lot. :)
    Monday, October 13, 2008 9:01 PM
    Moderator
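An added example (not part of any post in this thread, and not Microsoft tooling): a read-only Python audit that walks a folder and lists files carrying the NTFS encrypted (EFS) or compressed attribute, the two that posters above say Drive Extender does not support, and also notes reparse points, which the quoted documentation says tombstones are. The root path is supplied by the caller as an assumption; the bit values are the Win32 `FILE_ATTRIBUTE_*` constants, and `st_file_attributes` is only populated when the script runs on Windows.

```python
import os
import sys

# Win32 FILE_ATTRIBUTE_* bits relevant to this thread.
FLAGS = {
    "encrypted": 0x4000,      # FILE_ATTRIBUTE_ENCRYPTED (EFS)
    "compressed": 0x0800,     # FILE_ATTRIBUTE_COMPRESSED (NTFS compression)
    "reparse_point": 0x0400,  # FILE_ATTRIBUTE_REPARSE_POINT (e.g. a tombstone)
}


def classify(attrs):
    """Return the sorted names of the flags set in an NTFS attribute bitmask."""
    return sorted(name for name, bit in FLAGS.items() if attrs & bit)


def audit(root):
    """Walk root; return {path: [flags]} for encrypted or compressed entries."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow reparse points
            except OSError:
                continue  # unreadable entry: skip, this is a read-only audit
            # st_file_attributes exists only on Windows; elsewhere assume 0.
            flags = classify(getattr(st, "st_file_attributes", 0))
            if "encrypted" in flags or "compressed" in flags:
                findings[path] = flags
    return findings


if __name__ == "__main__":
    # Usage: python audit_attrs.py <folder>   (folder path is the caller's choice)
    for path, flags in sorted(audit(sys.argv[1]).items()):
        print(", ".join(flags), path, sep="\t")
```
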
  • I want it on the server. Even if it is not in share. A file server stores files in central location. I want my files in a central location I do not want it on the client. If I need a file and it's on the server I can just RDP in.

    I can take the 2nd hard drive out of the pool and manually backup everything to that or should I just keep both drives in a pool and see what happens when I encrypt a file??? I did create a folder with all drives in a pool on a friend's WHS, it seemed to work fine. Out of three admin accounts he has, mine was the only one able to access the encrypted file. With that said does anyone have any input. (I forgot to mention this earlier.) Thanks
    Monday, October 13, 2008 10:19 PM
  • Anyone else have options?
    Tuesday, October 28, 2008 9:10 PM
  • As I said previously, if you want it on the server, your only option is to connect a drive that you don't add to the storage pool and manage shares and permissions yourself.
    I'm not on the WHS team, I just post a lot. :)
    Wednesday, October 29, 2008 3:16 PM
    Moderator
  • Ken, I appreciate the feedback. Where is the Technical Documentation on this subject? Or even a white paper? I tried it. It works fine.
    Wednesday, October 29, 2008 6:08 PM
  • Hi Ken. I was wondering if I understood this post correctly. My question is, if I have a client's computer that has a TrueCrypt volume on it, and I backup the client's computer with WHS, the encrypted files will be backed up as well? Thanks,

    Chris

    Wednesday, April 13, 2011 11:28 PM