I have a need to implement resting encryption of data within our environment. Basically, we have a Hyper-V virtual server named FILER01 that runs Windows Server 2012 that is has a direct iSCSI connection to a LUN on our DELL MD3200i iSCSI SAN. This virtual server is only configured to act as a file server and it presents a shared folder to a repository of documents that is only accessible by two service accounts (one for our document management application to access and display the files through it’s web interface, similar to SharePoint, and the other for a backup service account that backs up the files). This virtual server is running on a DELL R820 server running Server 2012 and has a TPM module built into the BIOS, though I don’t believe that the TPM functionality can be “passed through” to the virtual server.
Even though our servers are in a hardened and secure data center, to meet HIPAA guidelines (which I feel are outdated), we are required to ensure that the data stored on the SAN is encrypted at rest. I have done a ton of research, but I can’t seem to find out the best option to secure the data. I have looked at EFS, but that was originally developed for Windows 2000 so I don’t know if that makes it robust or outdated. I have looked at BitLocker which was originally developed for the “lost laptop” scenario and only used to secure the OS drive. It wasn’t until Server 2012 that BitLocker is able to support iSCSI on data (non-OS) drives, but I don’t know if it is mature enough to use in this type of enterprise environment. I also know that there are other products out there (e.g. TrueCrypt) that can do encryption, but we need to know that whatever we choose will cause the least amount of processing overhead and be transparent to our applications (preferably without making any changes to the way our application accesses the repository).
I would like some feedback from anyone who has implemented resting encryption of data files on a SAN in a Hyper-V environment. Any input is greatly appreciated!
FYI, even though the MD3200i supports self-encrypting disks, we don’t have them and it would be cost prohibitive (at this point) to replace them.
