Our organization has come up against a couple of problems when encrypting production servers. Using TruCrypt (our...
current favorite) we lose the ability to do remote reboots, absent a DRAC or iLO2, as well as the ability to do any automated, middle-of-the-night reboots for updates, etc. Also, the processing overhead for the constant encrypt-decrypt cycles is taking a toll. Is encrypting these servers worthwhile? If so, what's the best strategy to mitigate these problems?
Full-disk encryption is most useful when there is a threat of loss of data due to the device being mobile. A server is typically designed to run constantly and will not benefit from data encryption when the system is powered down, unless there is a threat from physical theft.
A combination of a good endpoint security product, which brings together antivirus/antispyware, with a host-based intrusion prevention system (IPS), rather than full server encryption software, would go a long way to keeping the server secure. Adding a file integrity monitoring product, like those from Tripwire Inc. or the free OSSEC, would provide real-time alerts on modifications to critical files on the servers as well.
Dig Deeper on Alternative operating system security
Related Q&A from Anand Sastry
Transferring files from a DMZ to an internal FTP server can be risky. In this expert response, Anand Sastry explains how to use SFTP automation to ... Continue Reading
When setting up a site-to-site VPN, where should the VPN endpoint be in the DMZ? Learn more in this expert response. Continue Reading
IEEE 802.11 has several known vulnerabilities, so what's the best way for enterprises to handle them? Expert Anand Sastry explains. Continue Reading