Disk / File Encryption for WHS 2011

  • Question

  • Is it possible to encrypt disks with WHS 2011? I am assuming yes, since it is built on Server 2008 R2, which has BitLocker, but I haven't seen any discussion on it for WHS 2011 - only for WHS v1, which didn't have any built-in encryption?

    Thanks,

    Steve

    Tuesday, June 21, 2011 4:09 PM

All replies

  • Encryption of disks is unsupported at this time.
    I'm not on the WHS team, I just post a lot. :)
    Tuesday, June 21, 2011 4:14 PM
  • Read this:

    Using Bitlocker with Server Backup


    Phil P.S. If you find my comment helpful or if it answers your question, please mark it as such.
    Wednesday, June 22, 2011 6:38 AM
  • On Wed, 22 Jun 2011 06:38:41 +0000, PhilipJH wrote:

    Using Bitlocker with Server Backup <http://onlinehelp.microsoft.com/en-us/windowshomeserver2011/hh228214.aspx>

    It would be nice if some folks actually checked the documentation prior to
    posting incorrect answers.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca
    CPU: A juvenile way of telling your dog he missed the paper.

    Wednesday, June 22, 2011 7:37 AM
  • Me or Ken?
    Phil P.S. If you find my comment helpful or if it answers your question, please mark it as such.
    Wednesday, June 22, 2011 8:02 AM
  • On Wed, 22 Jun 2011 08:02:10 +0000, PhilipJH wrote:

    Me or Ken?

    Your answer was correct and backed up by a link to the relevant documentation.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca
    A bad random number generator:  1, 1, 1, 1, 1, 4.33e+67, 1, 1, 1


    • Edited by Paul Adare Wednesday, June 22, 2011 8:16 AM typo
    Wednesday, June 22, 2011 8:06 AM
  • On Wed, 22 Jun 2011 08:02:10 +0000, PhilipJH wrote:

    Me or Ken?

    Your answer was correct and backed up by a link to the relevant documentation.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca
    A bad random number generator:  1, 1, 1, 1, 1, 4.33e+67, 1, 1, 1


    I suggest you check with the HSBS team, who will tell you what I told the OP. Using BitLocker, even with documentation on how to do so, is not the same as supporting BitLocker.
    I'm not on the WHS team, I just post a lot. :)
    Wednesday, June 22, 2011 12:53 PM
  • On Wed, 22 Jun 2011 12:53:41 +0000, Ken Warren [MVP] wrote:

    I suggest you check with the HSBS team, who will tell you what I told the OP.

    Then it shouldn't be documented in the online help. Since you seem to be so
    close to the HSBS team, why don't you get one of them to post an official
    answer here. If the process is documented in the online help then the process
    is supported.


    Paul Adare
    MVP - Identity Lifecycle Manager
    http://www.identit.ca
    Hardware:  The parts of a computer system that can be kicked.

    Wednesday, June 22, 2011 2:48 PM
  • When I asked today (I knew someone would push), the person I asked (who should know) said that as far as he knows, the general support statement WRT desktop use stands: only those tasks you can perform through the tools built into Windows Home Server 2011 are supported, which means that technically BitLocker isn't. He also expressed puzzlement when he reviewed the help article. (Could he have been much more noncommittal? :) )

    I can think of several ways this could have come about. The one that seems most likely is that this help content is duplicated from Windows Small Business Server Essentials, where some level of desktop use (by administrators only) is probably expected. Which effectively makes it a sloppy copy/paste job.

    As for a statement from Microsoft: fat chance, as you know perfectly well.


    I'm not on the WHS team, I just post a lot. :)
    Wednesday, June 22, 2011 11:11 PM
  • I tried the http://onlinehelp.microsoft.com/en-us/windowshomeserver2011/hh228214.aspx and got it to work with good results. Some notes:


    - The backup following Bitlocker To Go encryption was a full one. So, if starting with a new backup, one may as well start with a bare minimum backup (for format and prepare the backup disk), then Bitlocker it and then modify the backup to backup all the required data (just to save the time of the initial backup - enabling Bitlocker takes the same time no matter how much data is on the HDD, from that I can tell).


    - To automatically unlock the drive, one needs to log on as a user at the console after server boot (logging on through RDP unlocked the drive for the logged-in user, but not for system services - I presume this is tied to the session ID or something similar). To do this, I used "control userpasswords2" to always log the console in as Administrator.


    - To secure the server console from physical access, I added a shortcut to the Administrator's start menu startup group that runs "C:\Windows\System32\cmd.exe /C If %SESSIONNAME% == Console "%SystemRoot%\System32\RunDLL32.exe" user32.dll, LockWorkStation". The session name part is required to avoid remote Dashboard instances from disappearing once loaded and then having to launch them again.


    - I wanted to add the above command via a scheduled task (to run at logon of Administrator) since this runs sooner after logon. The start menu shortcut leaves the desktop exposed for about 2 seconds (although not possible to actually access, since the time period is short and the server busy), whereas the scheduled task doesn't. However, %SESSIONNAME% isn't set for scheduled tasks.


    - Setting a screen saver for Administrator is a no go since that makes remote Dashboard instances look really ugly when they get locked too.


    - Unless you remove the drive letter after enabling BitLocker, the Dashboard backup history shows the drive letter rather than the label. I remove the drive letter to fix that and the volume still gets unlocked after a reboot and backups work.


    - Home Server SMART 2012 has a method of unlocking external drives when used with drive pooling software. Something like that could be created to avoid having to auto-logon.

    Saturday, February 4, 2012 9:37 AM
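One way to get the same console-only lock from a scheduled task, as an added example that is not code from the thread or from Microsoft: instead of the %SESSIONNAME% variable (which the post notes is unset for scheduled tasks), compare this process's session ID with the session attached to the physical console via the Win32 call WTSGetActiveConsoleSessionId. The Wts.Native namespace and Test-ConsoleSession function are names chosen here, not part of WHS 2011.

```powershell
# Added example: lock only the physical console session of a WHS 2011 box,
# leaving remote Dashboard (RDP) sessions untouched. Intended to run as the
# auto-logon Administrator from a logon-triggered scheduled task.
# Wts.Native and Test-ConsoleSession are names chosen for this example.
Add-Type -Namespace Wts -Name Native -MemberDefinition @'
[DllImport("kernel32.dll")]
public static extern uint WTSGetActiveConsoleSessionId();
'@

function Test-ConsoleSession {
    # Session ID of this process vs. the session currently attached to the
    # physical console. For an RDP logon these differ, so nothing is locked.
    $mine    = [System.Diagnostics.Process]::GetCurrentProcess().SessionId
    $console = [Wts.Native]::WTSGetActiveConsoleSessionId()
    # 0xFFFFFFFF means no session is attached to the console right now.
    return ($console -ne 0xFFFFFFFF) -and ($mine -eq $console)
}

if (Test-ConsoleSession) {
    # Same action as the shortcut in the post above, but gated on the real
    # console session rather than on an environment variable.
    Start-Process -FilePath "$env:SystemRoot\System32\rundll32.exe" `
                  -ArgumentList 'user32.dll,LockWorkStation'
} else {
    Write-Verbose 'Not the console session; nothing to lock.'
}
```

Register the script with a logon trigger (for example via schtasks /sc ONLOGON running powershell.exe with the script path) to get the earlier lock the post wanted without the exposed-desktop window of a startup shortcut.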
  • I was also able to encrypt my internally-connected 2 TB backup disks using the Bitlocker on a WHS 2011.

    Though I didn't use the Bitlocker ToGo, but instead the one that WHS 2011 installs as a role. Maybe that is why my experience was quite different from Nigel's.

    First of all I encrypted both disks with BitLocker; the process took about 12 hours on my MicroServer N40L. Then I set up server backup to use those disks (it was not set before) and launched the backup. WHS backup warned that all the data would be deleted from the disks, but to my big surprise the BitLocker encryption was gone from both disks as well! :O

    So, Nigel, it was smart of you to start with doing initial backup before encrypting the drive - it is not just to save time!

    In sorrow I was going to repeat 12 hours job of encrypting the disks and I didn't feel like waiting several hours for a full backup to perform first, so I did a minimal selection of one folder from my server and did a manual backup.
    Encrypting the disks now took more than 24 hours! The process of encrypting an empty disk finished noticeably faster, but not anywhere as quick as e.g. TrueCrypt formatting of the same disk, even not using the quick format.

    Perhaps the smartest way would be to “prepare” the disks first by including them into backup set, but not writing any data on them and then bit-locking them empty.

    After manually unlocking the disks, backup now ran as expected and the disks were locked after another restart.

    I was a bit scared to experiment further: say what would happen if WHS tries to run an automated backup but the backup disk is locked? Will it delete the encryption again? Trying to manually access the locked disk gives the “Access denied” message. I hoped this would somehow prevent the server from formatting my disks every time I forgot to unlock and backup schedule time comes…

    It seems that WHS does not try to format a disk it does not have access to, thank God! But the message "Unknown error during backup" shows that the statement brought by Ken is partly true: BitLocker is not recognized/supported. It just works. Use it at your own risk if you know how... But that works for me, because all my previous tries to encrypt backup disks for WHS 2011 with TrueCrypt failed. WHS does not want to back up to a virtual volume or to any given logical volume on a disk. It wants metal! And it will format whatever is on its way to the metal! As we know now, even something made by its fellow BitLocker. It just likes to leave those 19 MB of unallocated space on my disks, I believe.

    Now I am up to a new quest: the internally mounted "bit-locked" disks will not auto-unlock unless the operating system's disk is also encrypted using BitLocker. I hope there will not be more surprises, but I'll do a backup, just in case ;) Does anyone have any experience with encrypting the OS and auto-unlocking internal disks? I do not have a TPM or a smart card reader.

    Monday, March 12, 2012 6:49 PM
  • Nigel/Badumka

    I've been looking for a solution to encrypt/protect my WHS 2011 data in the event of theft etc.

    It looks like you guys have found a way to get Bitlocker working on WHS 2011, but I was wondering if I will still be able to access my media on the server via my media player (WDTV Live), which I use to play movies, music, video etc?

    Right now my media player accesses my server using the regular password associated with an RDP login. Using Bitlocker would be the same, right?
    How safe is BitLocker compared to TrueCrypt? I know that TrueCrypt cannot be used in the way we want with WHS 2011, but wondered how secure my data would be if someone were to take the drives out of my server and start to hack their way into the data, or be able to see files and folders? I want complete data security; I don't even want a thief to be able to see volume folders (such as Finances) that would give them the boost to get more serious about cracking into my data.

    I think I read something about Bitlocker being vulnerable without TPM chipset, which I know my server doesn't have?

    Thanks for any suggestions.


    • Edited by Globespy Thursday, April 26, 2012 10:06 PM
    Thursday, April 26, 2012 10:01 PM