For my home server, I am planning on getting a RAID 5 with four 3TB drives (9 TB usable space).
Now I am wondering whether I should encrypt this RAID. The danger of someone getting physical access to the machine is rather low. Thus, it would be no problem if the decryption key could be easily read out of memory or even from another hard drive on the machine (the OS is stored on an unencrypted SSD).
What I am more concerned about is what happens if a drive fails and I am not able to securely erase it before sending it to the manufacturer / recycling. My idea is that, with encrypted data storage, I could simply take out one drive without having to worry about exposing any information.
The server should be able to boot up unattended. Therefore, a solution requiring someone to enter the password on each boot is not an option.
There is an option of purchasing a RAID controller which comes with built-in AES encryption. However, it's a bit more expensive.
Are there any free, software-side solutions for Windows Server 2008 R2 for this? I read about BitLocker and TrueCrypt - however, I am not sure if they actually support unattended boot and access to the drive without someone physically entering the password.
What are your ideas on this?
1 Answer
For my home server, I am planning on getting a RAID 5 with four 3TB drives (9 TB usable space).
Awesome, but have you looked into other levels of RAID? RAID 5 is only single parity, so if a single drive fails and you replace it, and then one of your other drives has a read error while the array is being rebuilt, you lose all your data. The chances of that happening are greater than you think. I would personally never go lower than RAID 6 (double parity), which means you would need another hard drive if you want to maintain your 9TB of usable space.
Now I am wondering whether I should encrypt this RAID. The danger of someone getting physical access to the machine is rather low. Thus, it would be no problem if the decryption key could be easily read out of memory or even from another hard drive on the machine (the OS is stored on an unencrypted SSD).
Encryption is never a bad idea and it is not hard to do.
What I am more concerned about is what happens if a drive fails and I am not able to securely erase it before sending it to the manufacturer / recycling. My idea is that, with encrypted data storage, I could simply take out one drive without having to worry about exposing any information.
If sending it back to the manufacturer, degauss it first; if recycling, then I can think of a number of ways to destroy the data.
The server should be able to boot up unattended. Therefore, a solution requiring someone to enter the password on each boot is not an option.
I'm sure there is some way to do it, but why? There's no point in having an encrypted volume if you want it to automatically mount in unencrypted form without having to enter a password.
There is an option of purchasing a RAID controller which comes with built-in AES encryption. However, it's a bit more expensive.
Gotta pay to play. Do your research before you buy. For instance, don't think you are buying a "hardware RAID" controller just because you are buying a piece of "hardware" that allows for "RAID". Unless you are spending over $250 you're probably not getting true hardware RAID. One easy way to know you are getting a true hardware RAID controller is to purchase one with a battery backup. No fake RAID controller has battery backup.
Are there any free, software-side solutions for Windows Server 2008 R2 for this? I read about BitLocker and TrueCrypt - however, I am not sure if they actually support unattended boot and access to the drive without someone physically entering the password.
BitLocker and TrueCrypt are the free solutions, and we already discussed unattended boot. There is one other free solution that will fix most of your problems if you are willing to ditch Windows Server. That solution is FreeBSD or one of its offshoots like FreeNAS. It is software RAID (not fake RAID). The benefits are numerous; here are a couple:
- Imagine you buy a good hardware RAID card, then 5 years down the road that card dies. Better hope you can get another card that uses the same tagging algorithms as your dead card did, or else your data is inaccessible. Not a problem with software RAID, because the tagging algorithms are built into the software; no special hardware required.
- You can encrypt your data with software RAID for a lot cheaper (free) than the cost of a good hardware RAID card. To be fair, though, hardware RAID is faster if super write speeds are your objective.
Read up on ZFS then ask yourself if you really want to store data you care about on a lesser file system.
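As an added illustration of the FreeBSD route the answer recommends (this is editor-added example code, not the answerer's or the FreeBSD project's), here is the geli + ZFS setup that matches the asker's threat model: every disk is encrypted individually, the key files live on the unencrypted boot SSD so the box boots unattended, and a pulled disk is retired by destroying its key. Device names da1..da5, the key directory /root/geli-keys and the pool name tank are assumptions; by default the script only prints the commands (DRY_RUN=1).

```shell
#!/bin/sh
# Added example (not from the original post). Assumed: FreeBSD, disks da1..da5,
# key files under /root/geli-keys on the unencrypted boot SSD, pool name "tank".
set -e
KEYDIR=${KEYDIR:-/root/geli-keys}   # anyone who can read this dir can decrypt
POOL=${POOL:-tank}
DRY_RUN=${DRY_RUN:-1}               # 1: print the commands; 0: execute (as root)

# Run or print one command line, depending on DRY_RUN.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Wrap one raw disk in a geli provider keyed only by a random 64-byte key
# file (-P / -p: no passphrase), so attaching it needs no operator present.
encrypt_disk() {
    dev=$1
    run install -d -m 0700 "$KEYDIR"
    run dd if=/dev/random of="$KEYDIR/$dev.key" bs=64 count=1
    run geli init -e AES-XTS -l 256 -s 4096 -K "$KEYDIR/$dev.key" -P "/dev/$dev"
    run geli attach -p -k "$KEYDIR/$dev.key" "/dev/$dev"
}

# /etc/rc.conf lines: re-attach every provider at boot, then let ZFS import.
rc_conf_lines() {
    printf 'geli_devices="%s"\n' "$*"
    for dev in "$@"; do
        printf 'geli_%s_flags="-p -k %s/%s.key"\n' "$dev" "$KEYDIR" "$dev"
    done
    printf 'zfs_enable="YES"\n'
}

# Double-parity pool on the .eli devices (five 3TB disks keep 9 TB usable).
create_pool() {
    elis=""
    for dev in "$@"; do elis="$elis /dev/$dev.eli"; done
    run zpool create "$POOL" raidz2 $elis
}

# Decommission a pulled disk by destroying its key (rm -P overwrites first):
# the platter holds only ciphertext, so no erase of the failed drive is needed.
crypto_erase_pulled_disk() { run rm -P "$KEYDIR/$1.key"; }

if [ "$#" -gt 0 ]; then            # e.g. DRY_RUN=0 ./setup.sh da1 da2 da3 da4 da5
    for d in "$@"; do encrypt_disk "$d"; done
    create_pool "$@"
    rc_conf_lines "$@"
fi
```

This protects only disks that leave the chassis; anyone with root, or with the boot SSD in hand, can read the key files and the pool. Keep an offline backup of the key directory, because losing the SSD otherwise means losing the whole pool.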