Encrypted network share drive

3

In the company where I work, we're currently in the progress of setting up a new HR server. Right now, this server is in a seperate network, physically disconnected from the regular LAN, because this server contains sensitive data (wages, ...), that even those with network admin privileges shouldn't have access to.

So in order to incorporate this server with the rest of the LAN, we need to set up an encrypted disk which only those employed in HR have access to. Seems fairly straightforward at first, I quickly set up an encrypted partition with TrueCrypt, set an iSCSI target to it and tried to initiate that drive on a client machine. That's wehere the problems began.

Unfortunately, it seems TrueCrypt is not able to open multiple sessions to the same drive without problems occurring. I was able to initiate and mount the drive on several clients at once, but when I copied a file to it on one machine, it wouldn't appear on another (not even after dismounting/remounting) which is a big problem, since multiple users should be able to work on the encrypted drive simultaneously.

Is there any comparable software that would do the job as required? If not, do you have any suggestions for a practical workaround?

Axim

Posted 2012-04-24T11:28:02.593

Reputation: 161

Do you have the same problem if you share it as NAS, as described in http://www.truecrypt.org/docs/?s=sharing-over-network ?

– ckhan – 2012-04-24T11:42:06.347

2The issue is the filesystem, not TrueCrypt. You can't share unencrypted drives over a network either. (You can share the files on them, which you can also do with TrueCrypt. But that won't help you.) – David Schwartz – 2012-04-24T11:57:21.740

@ckhan yeah, I read that, and it works as described in there. The problem is, when I mount the drive directly on the server, everyone who has access to the server will also be able to access that drive, which does not meet the requirements. It needs to be configured in such a way that the drive is only decrypted on the individual clients, but not accessible directly from the server without the password. – Axim – 2012-04-24T12:12:38.193

What are the OSes involved? If it was linux, it might be a simple matter of sshfs or some related filetype. – Journeyman Geek – 2012-04-24T12:27:58.803

Server and Clients are Windows based. There might be a possibility to run a Linux VM on the server if that might help, but the clients are going to be Windows no matter what. – Axim – 2012-04-24T12:31:33.037

Answers

1

I think you might consider the combination of BitLocker and EFS. BitLocker will encrypt the entire drive while EFS provides filesystem-level encryption.

jftuga

Posted 2012-04-24T11:28:02.593

Reputation: 2 877

Seems like this might be an acceptable solution. I've read that in domain networs, EFS will automatically set the domain admin as recovery-agent, thereby granting him access, which is undesired, but still seems like the best of all proposed solutions. – Axim – 2012-04-24T13:41:10.213

1

I suppose the question is where do you need this encrypted and what protocols can you use. You'd also want to add what oses are in play here.

You could probably throw together something with EFS (with certs for clients who're allowed to use them) and windows file sharing or 'webfolders' which is their implimentation of webdav - Microsoft has some suggestions here on the specifics

Serverfault has some questions relating to the same topic - AD and IPSEC is suggested here and ipsec, efs and bitlocker are brought up here.

If its linux, consider sshfs,sftp or scp shares. They can be mounted pretty easily and provide end to end encryption.

Journeyman Geek

Posted 2012-04-24T11:28:02.593

Reputation: 119 122

Asked: 2012-04-24T11:28:02.593

Viewed: 6 260 times

Active: 2012-04-24T12:34:53.843