Encrypting Server Disks – Windows

February 25, 2019
Server Disks, Windows

A common worry when transporting servers between locations is the safety of data. While a lot of this concern is mitigated by using reliable couriers and shipping methods, it is a good practice to encrypt your disks prior to transporting your server.

Another compelling reason to employ disk encryption is compliance with laws and standards such as GDPR (Article 25, Article 42), PCI DSS (Requirement #3) or HIPAA (the HIPAA Security Rule), all of which expect stored data to be protected.

There are a good number of options when it comes to full disk encryption. Let’s discuss some that are free and also provide a good level of security.

BitLocker

BitLocker is a full disk encryption feature that encrypts an entire disk volume. Though it has been available to regular consumers since Windows Vista, it has been included in the server editions starting with Windows Server 2012. On a server it is an optional feature and has to be installed through the Control Panel.

BitLocker uses AES encryption in CBC (cipher block chaining) or XTS (a modification on XOR-encrypt-XOR) mode.

This software was primarily designed to protect data on devices in the event the device was lost/stolen. BitLocker also has a feature to validate the integrity of the Windows Boot and system files. Hence, in conjunction with a compatible TPM (Trusted Platform Module), it can validate the integrity of the boot and system files before proceeding to decrypt a drive.

Disks need to be formatted with NTFS before BitLocker can be used (FAT32 is not supported, but NTFS is the default Windows disk format anyway).

Encryption/Authentication Modes

You can secure the encryption with one of the three authentication mechanisms available:

  • Transparent: This uses the capabilities of TPM 1.2 hardware to automatically log the user into Windows as normal. The key used for encryption is held within the TPM chip and is released to the OS loader code only if the early boot files appear to be unmodified.
  • User Authentication Mode: In this method, the user needs to provide a password or PIN at boot time.
  • USB Key Mode: A USB device containing the startup key must be inserted to boot the OS. It is important that the BIOS supports reading the USB device before the OS loads.

Installation

The easiest way to install BitLocker is through the Control Panel. Once in Control Panel, click on “Turn Windows features on or off”. Since this requires elevated privileges, you will be asked to confirm.

Within the “Add Roles and Features Wizard”, select the Features section. Check the “BitLocker Drive Encryption” feature and then select Install.

BitLocker will ask to install additional components (if required) and finally require a restart.

Restart the server and run the BitLocker application; you will be shown a list of the drives on your system. On each drive that you need to encrypt, click “Turn on BitLocker”. You will be presented with options for how you would like to unlock the drive at startup: insert a USB flash drive, or enter a password.

Since this is a remote machine, you might not be able to use the USB flash drive option; choose the latter and set up a password.

There is an option to save a recovery key to regain access to your drive in case you forget your password. The recovery key can be:

  • Saved to your Microsoft Account
  • Saved on a USB flash drive
  • Saved to a file
  • Printed

Choose the option that works best for you, and the encryption process will begin. For a new server, choose the option “Encrypt used disk space only”. For servers already in use, choose “Encrypt entire drive”. The former is faster than the latter.

Follow the wizard and allow BitLocker to complete encryption. Encryption happens in the background. Depending on the options you chose and the size of your disks, this may take time. Once it is complete, the BitLocker status on your drive looks like this.
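The same procedure can be driven from an elevated PowerShell session, which is convenient on a remote server where the wizard is awkward to use. The script below is an added example for this post, not code from the original article or from Microsoft. It assumes the volume to protect is D: (an NTFS data volume), that C:\BitLocker-Recovery is a temporary location for the recovery key file, and that the server is reachable over a remote session; the cmdlets (Install-WindowsFeature, Get-Tpm, Enable-BitLocker, Add-BitLockerKeyProtector, Get-BitLockerVolume) are the standard Windows Server ones, while Test-VolumeReadyToShip is a helper defined here.

```powershell
# Added example (not from the original post): enabling BitLocker on a Windows Server
# data volume from an elevated PowerShell session, mirroring the wizard steps above.
# Assumptions: the target volume is D: (already NTFS) and the recovery key is written to
# C:\BitLocker-Recovery, a temporary location you then move off the server before it ships.

# 1. Install the BitLocker feature (the equivalent of "Turn Windows features on or off").
$install = Install-WindowsFeature -Name BitLocker -IncludeAllSubFeature -IncludeManagementTools
if ($install.RestartNeeded -ne 'No') {
    Write-Host 'Restart required. Reboot the server and rerun this script from step 2.'
    return
}

# 2. Pick the protector. A TPM lets the OS volume unlock transparently (Transparent mode);
#    a data volume on a remote server can use a password, as the post recommends.
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if ($tpm -and $tpm.TpmPresent -and $tpm.TpmReady) {
    Write-Host 'TPM present and ready: the OS volume can use a TPM protector (Enable-BitLocker -TpmProtector).'
} else {
    Write-Host 'No usable TPM: use password, PIN or startup-key protectors.'
}

$mount    = 'D:'   # assumed data volume
$password = Read-Host -AsSecureString -Prompt "Password to unlock $mount at startup"

# 3. Encrypt. XtsAes256 is the XTS mode mentioned in the post; -UsedSpaceOnly is the
#    "Encrypt used disk space only" option for a new volume (omit it for a volume in use).
Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 `
    -PasswordProtector -Password $password -UsedSpaceOnly

# 4. Add a recovery password protector (the 48-digit recovery key from the wizard) and
#    save it to a file, which is one of the four storage options the post lists.
Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword'
$backupDir = 'C:\BitLocker-Recovery'   # assumed location; move the file off the server afterwards
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
@(
    "Volume:            $mount"
    "Key protector ID:  $($recovery.KeyProtectorId)"
    "Recovery password: $($recovery.RecoveryPassword)"
) | Out-File -FilePath (Join-Path $backupDir 'D-recovery-key.txt')

# 5. Report progress and confirm the volume is fully encrypted and protected before
#    the server leaves the building. Helper defined for this example.
function Test-VolumeReadyToShip {
    param([string]$MountPoint)
    $v  = Get-BitLockerVolume -MountPoint $MountPoint
    $ok = ($v.VolumeStatus -eq 'FullyEncrypted') -and ($v.ProtectionStatus -eq 'On')
    [pscustomobject]@{
        MountPoint        = $v.MountPoint
        EncryptionMethod  = $v.EncryptionMethod
        VolumeStatus      = $v.VolumeStatus
        EncryptionPercent = $v.EncryptionPercentage
        ProtectionStatus  = $v.ProtectionStatus
        ReadyToShip       = $ok
    }
}
Test-VolumeReadyToShip -MountPoint $mount
```

Encryption runs in the background, so rerun Test-VolumeReadyToShip until ReadyToShip is True before packing the server. The -PasswordProtector switch is only accepted on data volumes; for the OS volume use -TpmProtector (transparent mode), -TpmAndPinProtector, or -StartupKeyProtector, which correspond to the three authentication modes described earlier.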

VeraCrypt

VeraCrypt is a fork of the now discontinued TrueCrypt project. It is a freeware utility which can encrypt single files, a single partition or the entire storage device (allowing pre-boot authentication). While addressing some of the issues found in the TrueCrypt audit, it also increases security by increasing the number of iterations used when deriving the encryption key from your password. This increases the initial system load time, but not by a significant factor. Once the system is up, application load times are as normal.

Encryption and decryption are done on the fly, so when copying into an encrypted volume or reading from it, the algorithms work on transient data in memory. However, this does not mean that the system needs more RAM than usual.

Once installed, the application lets you choose the drive you want to encrypt. To encrypt the entire system partition, choose that option. You do not need to reinstall the OS for this operation.

Screenshot from the VeraCrypt Beginner’s Tutorial: https://www.veracrypt.fr/en/Beginner's%20Tutorial_Image_002.jpg

You will need to set up a password which must be entered every time the OS loads. Pre-boot authentication is handled by the VeraCrypt Boot Loader. When encrypting the system volume, you will also create a VeraCrypt Rescue Disk, which allows you to decrypt the system partition in case of OS failures or if the VeraCrypt Boot Loader is damaged.

A useful feature is the hidden volume. You can create a “Hidden Volume” within an already encrypted partition which lets you store really sensitive information. There is no way to tell that the Hidden Volume exists. When you enter a password for the volume, VeraCrypt automatically determines whether the regular volume or the Hidden Volume is to be mounted. If you are forced to reveal your password (extortion), you can provide the password that unlocks the regular volume, which can contain decoys of sensitive information.

DiskCryptor

This free application allows you to encrypt all drives, including the OS partition where Windows is installed. DiskCryptor uses AES, Twofish, Serpent and cascaded combinations of these algorithms to encrypt your storage medium.

This application was originally created as a replacement for commercial solutions such as DriveCrypt Plus Pack and PGP WDE. Since version 0.5, the program uses its own partition format, developed specifically for encrypting partitions. This allows for greater stability of the application and eliminates some of the problems associated with filesystems.

DiskCryptor is highly optimized and generates the AES algorithm dynamically based on the size of the key. This results in faster encryption and decryption speeds.

The interface of the application, while appearing plain, provides all the required capabilities and functions. Upon installation, you can see the list of available drives.


Main Window

You can encrypt system partitions simply by selecting the disk and Encrypting it. However, utilities outside Windows, such as bootable USB or Windows LiveCDs cannot access your encrypted drive. You will need to decrypt the drive first. DiskCryptor offers an option to create a custom Windows Bootloader which can work on the encrypted volume.


While you can’t go wrong with BitLocker (my recommendation, especially after I read the article where Microsoft refused to install an intentional backdoor, and because it is available by default), all the choices here are well tested in the real world and have good support.

Ramesh Vishveshwar

Ramesh Vishveshwar is a tech blogger who is always on the lookout for the next big thing. Having discovered his infatuation for various flavors of Linux, he spends his time tinkering with VPS nodes installing and trying out new applications. His interest in coding spans across multiple languages from PHP, shell scripting to remote old generation languages such as COBOL.