locked
How secure is data on WHS? RRS feed

  • Question

  • I have client data on my laptop that I protect with PGP Whole Disk Encryption. I use Acronis software to make image backups every month or so to an eSata drive. I'm fairly confident about the security of this client data should the laptop or eSata drive be stolen.

    I also use Scheduled Tasks and Windows Backup to make daily, weekly and monthly backups of the laptop on a 3 month rolling cycle to an HP WHS. The .bak files are stored in my personal folder. How secure is the data in this folder? For example, if the box were stolen how easily could someone get at the data on the drives?

    How can I make the data more secure? Is is possible, for example, to encrypt the drives?

    Thanks.

    Patrick.
    Tuesday, January 19, 2010 6:15 AM

Answers

  • There are no encryption utilities that I know of for Windows Home Server; since it's a "Home Server" OS it's probably not seen as needed by security vendors (who concentrate on business use, for the most part).

    As for ".bak files", that's nothing to do with Windows Home Server. If you use a third party tool (even NTBackup) to back up the decrypted contents of a WDE disk, you're circumventing the WDE protection before it ever gets to your server (not that it matters much since your server isn't going to be encrypting anything it backs up either). And if the data is on Windows Home Server and it's not encrypted, it's vulnerable if the disks are stolen from the server. Files in the shares are just files in an NTFS file system (so your .bak files are only as secure as you make them with passwords, encrypted compression, etc. before they get to your server) and as I said, the backup database can certainly be reverse engineered without a huge amount of effort.

    I'm not on the WHS team, I just post a lot. :)
    • Marked as answer by P Jackman Tuesday, January 19, 2010 9:49 PM
    Tuesday, January 19, 2010 9:29 PM
    Moderator

All replies

  • If you're backing up the contents of the disk encrypted with whole disk encryption (i.e. you're backing up the files you see when you're logged in), then it's not encrypted on your server, and any user with the console password has access to the data. Also, reconstructing the contents of a backup is certainly possible if you have the files that comprise the backup database. The format isn't documented, but can be reverse engineered with a little work. If you're backing up the container file (which I would not recommend, really, because it will probably balloon your backup database pretty quickly) then it's encrypted on your server.
    I'm not on the WHS team, I just post a lot. :)
    Tuesday, January 19, 2010 4:37 PM
    Moderator
  • Hi Ken,

    Yes, the problem is the files are being "exported" from the PGP WDE environment into .bak files and are therefore not encrypted. My only concern is the security of those files if the WHS hardware is stolen. A thief would not have the console password, just the disks. How secure is data on the disks in this situation?

    Do you know of any encryption utilities for WHS?

    Patrick.
    Tuesday, January 19, 2010 6:01 PM
  • There are no encryption utilities that I know of for Windows Home Server; since it's a "Home Server" OS it's probably not seen as needed by security vendors (who concentrate on business use, for the most part).

    As for ".bak files", that's nothing to do with Windows Home Server. If you use a third party tool (even NTBackup) to back up the decrypted contents of a WDE disk, you're circumventing the WDE protection before it ever gets to your server (not that it matters much since your server isn't going to be encrypting anything it backs up either). And if the data is on Windows Home Server and it's not encrypted, it's vulnerable if the disks are stolen from the server. Files in the shares are just files in an NTFS file system (so your .bak files are only as secure as you make them with passwords, encrypted compression, etc. before they get to your server) and as I said, the backup database can certainly be reverse engineered without a huge amount of effort.

    I'm not on the WHS team, I just post a lot. :)
    • Marked as answer by P Jackman Tuesday, January 19, 2010 9:49 PM
    Tuesday, January 19, 2010 9:29 PM
    Moderator