Problem solve Get help with specific problems with your technologies, process and projects.

Is full-disk server encryption software worth the resource overhead?

While encrypting production servers may seem like a good security move, according to Anand Sastry, doing so may not be worth the resources it uses.

Our organization has come up against a couple of problems when encrypting production servers. Using TruCrypt (our...

current favorite) we lose the ability to do remote reboots, absent a DRAC or iLO2, as well as the ability to do any automated, middle-of-the-night reboots for updates, etc. Also, the processing overhead for the constant encrypt-decrypt cycles is taking a toll. Is encrypting these servers worthwhile? If so, what's the best strategy to mitigate these problems?

Full-disk encryption is most useful when there is a threat of loss of data due to the device being mobile. A server is typically designed to run constantly and will not benefit from data encryption when the system is powered down, unless there is a threat from physical theft.

A combination of a good endpoint security product, which brings together antivirus/antispyware, with a host-based intrusion prevention system (IPS), rather than full server encryption software, would go a long way to keeping the server secure. Adding a file integrity monitoring product, like those from Tripwire Inc. or the free OSSEC, would provide real-time alerts on modifications to critical files on the servers as well.

This was last published in August 2011

Dig Deeper on Alternative operating system security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.