locked
Is it safe to encrypt a folder on WHS? RRS feed

  • Question

  •   Is it safe to encrypt a folder on WHS?
    Tuesday, October 28, 2008 9:14 PM

All replies

  • Hi,
    why do you repeat the same question again, if you got an answer in the other thread already?
    So again the short version for you:
    Encryption will not work properly on folders, which are part of the storage pool, while it will work on folders, you create and share manually on disks, which are not in the storage pool (although this is unsupported).
    Best greetings from Germany
    Olaf

    Tuesday, October 28, 2008 11:14 PM
    Moderator
  • Thanks. What I should have asked is what happens if I do it? That would be a different question. What happens  if I encrypt a file on WHS?

    Tuesday, October 28, 2008 11:21 PM
  • Ok, from my experimenatal settings of permissions to deny my children the access to a subfolder in the videos folder the result was, that it may or may not be denied, dependent from where I tried to set the NTFS permissions.
    If you set the permissions, this may result in the local folder with the tombstones on D: being affected, but not the local folder with the real data on disk 2 or the local folder with the duplicated data on disk 3.
    Since Drive Extender takes care of the files in a unique way without caring about other attributes besides the share permissions, the outcome is very open, even if you would manually try to encrypt the folders on each of the disks. As soon as Drive Extender decides to shift your duplicates to disk 4 now, they are unencrypted again. If you go to each of the wanted encrypted folders in DE\shares on each disk directly, it might work.
    But since it is a real unsupported scenario, I do not have a clue, if Drive Extender would hit a wall with encrypted  data during a duplication/balancing process and even trash your data after it was working some time optical well. And I could imagine, that two identical files in encrypted folders (one the original, one the duplicate) are not identical from the point of view of Drive Extender, so that using duplication on these folders would add another level of risk. And if the files are so important, that you wish to encrypt them, you do definitively not set them on the risk of going lost.

    Best greetings from Germany
    Olaf
    Tuesday, October 28, 2008 11:40 PM
    Moderator
  • They are important I have two HD's. I'm a Windows Server 2003 Admin. I don't get why it would get lost??
    Tuesday, October 28, 2008 11:45 PM
  •  
    jshoemaker21 said:

    I don't get why it would get lost??

    Did you ever try, what happens, if your Operating system got lost and you had to access a folder with encrypted files on that machine?
    This is a great scenario to loose access to those encrypted files, since the user account does not longer exist and the EFS certificate is too often not saved before.
    Drive Extender also acts with a different account, so the possibility is there, that, if it simply copies an encrypted file for duplication, the target file will not be readable (just as if an unauthorized person is copying an encrypted file to an USB drive and tries to access that later).
    I don't think, that Drive Extender uses the Backup API to deal with encrypted files.
    For some details see also here:
    http://msdn.microsoft.com/en-us/library/ms995356.aspx
    Best greetings from Germany
    Olaf
    Wednesday, October 29, 2008 12:00 AM
    Moderator
  • I did'nt know that DE uses a different account...... I'm familiar with 2003. I can understand a backup of the encrypted file not being available or getting lost if the disk or OS goes down. But I would backup the encrypted file to a removable disk for a backup. Whats wrong with that?
    Wednesday, October 29, 2008 12:04 AM
  • Why wouldn't it be available if the system were funtioining?
    Wednesday, October 29, 2008 12:05 AM
  • If I were to do it. I'd have a CD backup of the encrypted files in case of emergency.
    Wednesday, October 29, 2008 12:06 AM
  • jshoemaker21 said:

    I did'nt know that DE uses a different account...... I'm familiar with 2003. I can understand a backup of the encrypted file not being available or getting lost if the disk or OS goes down. But I would backup the encrypted file to a removable disk for a backup. Whats wrong with that?


    The definitive answer is:  it's unsupported.  Olaf made very good points all around as to what might happen if you do it.

    The bottom line is if you really want to know what would happen, you should try it for yourself (and accept the consequences of doing it, knowing that it is unsupported).
    Wednesday, October 29, 2008 3:08 AM
    Moderator
  • As a Microsoft Partner, I always appreciate the rudeness. With that aside, I know server 2003 not WHS. Where is the documentation that says this is unsupported??? I was looking for a forum with friendly people that help with WHS at all stages. Thank you.
    Wednesday, October 29, 2008 6:05 PM
  • jshoemaker21, you've had all the answers there are to your question. I don't see any rudeness anywhere, just frustration. (And I'll note that English is not Olaf's native language.) I also don't see any likelihood that Microsoft will enhance Drive Extender to support NTFS/EFS encryption. If they do, I don't see it happening soon.

    So: 

    You can try placing NTFS/EFS-encrypted files/folders in your server shares. I don't think you'll be happy with the results, which are likely to be file conflicts, network health warnings, etc. If you feel you must have your encrypted data on your server, "try it and see" is a reasonable approach, since you can make backups of files and folders (even all your shares, just in case). Olaf has also provided you a link to a Microsoft knowledgebase article that describes some of the possible pitfalls with EFS encryption; I really very strongly recommend you read it and do some research, because he is absolutely correct when he says that there is a significant risk of losing those files if something happens to the host operating system.

    As an alternative, you can add a drive to your server, but keep it out of the storage pool. You can create a share and put encrypted files/folders in that share. But it won't participate in any way in Windows Home Server. You will have to manage it yourself. That's also a very viable approach.

    Either way, what you want to do is "unsupported". That doesn't mean it doesn't work, and it doesn't even mean that Microsoft doesn't care if it works or not. What it does mean is that there's nothing in the product that will make it work, and Microsoft doesn't test to see if it works. You try it, and you become an explorer.

    I'm not on the WHS team, I just post a lot. :)
    • Marked as answer by jshoemaker21 Wednesday, October 29, 2008 7:13 PM
    • Unmarked as answer by jshoemaker21 Wednesday, October 29, 2008 7:13 PM
    • Marked as answer by jshoemaker21 Wednesday, October 29, 2008 7:13 PM
    • Unmarked as answer by jshoemaker21 Wednesday, October 29, 2008 7:13 PM
    Wednesday, October 29, 2008 6:52 PM
    Moderator
  • Ken,

    I appreciate the response. I just figured somene out there has done it before. When I test it I will post the outcome. (Also I undertand efs greatly and the effects of not having keys backed up.)
    • Edited by jshoemaker21 Wednesday, October 29, 2008 7:17 PM
    Wednesday, October 29, 2008 7:14 PM