Question
Thursday, February 8, 2018 2:30 AM
Is there anything that Microsoft provides, either out of the box, or as an add-on, that on-prem customers can use to encrypt their data at rest? I'm specifically talking about a file server. Such that when an account tries to access a file, the file has to be decrypted first, and then accessed. I'm not even sure what is meant by Encryption at Rest but management is asking questions.
All replies (4)
Thursday, February 8, 2018 8:27 AM
You can use BitLocker in Windows Server to encrypt data stored on the hard drives. Data at rest is one of the data states and refers to the data stored on a physical medium (the other two are data in use and data in transit).
You can read more about BitLocker here and here
Gleb.
Thursday, February 8, 2018 8:50 AM
Hi jrauman,
May I ask how you encrypt?
Are you using the built-in Windows feature Encrypting File System (EFS)?
If so, encrypted files are first decrypted before being delivered over the network, and then re-encrypted on the destination server. It uses the EFS certificate for authentication.
Here are the details about how it works:
https://technet.microsoft.com/en-us/library/2006.05.howitworks.aspx
I haven't found an explanation of encrypting data at rest in the basic built-in feature Encrypting File System. Could you please describe it in more detail?
If you mean another encryption method, I'm afraid you may need to contact the related vendor.
Best Regards,
Mary
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
Friday, February 9, 2018 9:30 AM | 1 vote
Encrypting data at rest means applying encryption to the whole partition or whole drive, as BitLocker would do.
Encrypting data in transit would mean using, for example, SMB 3.0 with encryption enforced (by default, it's not enforced). Please note that SMBv3 would require all OSes to be Win8/Win10/Server 2012/2016. Win7/Server 2008 does not speak SMBv3 and thus cannot encrypt the traffic that way. Those would need to use IPsec.
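An added example, not from the thread, that audits both protections this reply describes on a file server with PowerShell (BitLocker for data at rest, SMB encryption for data in transit, and which connected clients are still on a pre-3.0 dialect) and, only when run with -Enforce, turns on SMB encryption for one share. The share name "Data" and the -Enforce switch are assumptions; the cmdlets are the standard BitLocker and SmbShare modules on Windows Server 2012 or later.

```powershell
# Added example (not from the thread): audit at-rest and in-transit
# protection for one file share, and optionally enforce SMB encryption.
# Assumes a share named "Data" (placeholder) and the BitLocker and
# SmbShare modules available on Windows Server 2012 or later.
param(
    [string]$ShareName = 'Data',   # assumed share name, change to yours
    [switch]$Enforce               # without -Enforce the script only reports
)

# 1. Data at rest: is the volume hosting the share BitLocker-protected?
$share = Get-SmbShare -Name $ShareName -ErrorAction Stop
$drive = Split-Path -Qualifier $share.Path          # e.g. "D:"
$bde   = Get-BitLockerVolume -MountPoint $drive
[pscustomobject]@{
    Share            = $ShareName
    Volume           = $drive
    VolumeStatus     = $bde.VolumeStatus      # want FullyEncrypted
    ProtectionStatus = $bde.ProtectionStatus  # want On (protectors active)
}

# 2. Data in transit: SMB encryption is off by default, both server-wide
#    and per share, so report both settings.
$cfg = Get-SmbServerConfiguration
[pscustomobject]@{
    EncryptDataServerWide   = $cfg.EncryptData
    RejectUnencryptedAccess = $cfg.RejectUnencryptedAccess
    ShareEncryptData        = $share.EncryptData
}

# 3. Which clients would break? SMB encryption needs a 3.x dialect;
#    Windows 7 / Server 2008 sessions negotiate 2.x and would be refused
#    once unencrypted access is rejected.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect |
    Where-Object { [version]$_.Dialect -lt [version]'3.0' }

# 4. Enforce only when asked: encrypt this share and refuse unencrypted
#    access. Server-wide enforcement instead would be:
#    Set-SmbServerConfiguration -EncryptData $true -RejectUnencryptedAccess $true -Force
if ($Enforce) {
    Set-SmbShare -Name $ShareName -EncryptData $true -Force
    Set-SmbServerConfiguration -RejectUnencryptedAccess $true -Force
}
```

Run it without -Enforce first: the section 3 listing is the set of clients that will lose access until they are upgraded or moved to IPsec, as the reply notes.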
Friday, February 23, 2018 3:10 PM
I'm also interested in knowing more about this topic.
I've seen many comments elsewhere that EFS is now deprecated by M$, one should not use it.
That about SMB 3.0 is interesting, thank you for pointing that out.
Thank you, Tom