Yes, yes they do. Especially PERC / LSI controllers. I have had success restoring data from drives configured using a PERC / LSI without the controller or all disks from the set—got a good recovery using software utilities on 3 drives of a 5-drive RAID5 that was built with a PERC 5 controller.
Having been down this road, I solved the problem using OPAL drives and an LSI controller that could control the drive encryption. The drives effectively paired with the controller and only unlocked for that hardware, so you would have had to steal the whole server (which was locked into its rack). There are also software utilities that can control OPAL drives from within Windows for non-RAIDed disks.

I would say your best bet would be to have the client properly secure their rack in their office (I’m assuming small rack) with security bolts into a proper surface, like floor/wall, then lock the server to the rack and have a proper alarm system with siren and dialer. Your thieves won’t waste time on a server that will take them more than a few seconds to remove if they’re worried about cops showing up. Just make it stronger than the next best target in the office.

—Jack—

On Jan 17, 2014, at 8:55 AM, Richard Stovall <[email protected]> wrote:

Don't a lot of hardware RAID controllers actually store a copy of the array configuration on the disks themselves so you can replace a failed controller, read the config from the drives, and have your array up and running again on a new controller?

On Fri, Jan 17, 2014 at 8:22 AM, Hank Arnold <[email protected]> wrote:

As John indicated, if the disks are in a RAID configuration, it will be very difficult to retrieve the data.

Regards,
Hank Arnold
Twitter: @Hank_PCDoc
Facebook: https://www.facebook.com/hank.arnold.96
My Blog: http://it.toolbox.com/blogs/personal-pc-assistant/

------ Original Message ------
From: "Jimmy Tran" <[email protected]>
To: [email protected]
Sent: 1/16/2014 1:38:39 PM
Subject: [NTSysADM] RE: encrypting Server 2008 R2 virtual disk

The disks will be 4 x 300GB 15k SAS drives with an H310 controller.
I wonder if there are controllers available with encryption built in… I’ll check with my Dell Rep. The chassis is on those quick install rails and a cabinet on casters :). Very easily stolen.

From: [email protected] [mailto:[email protected]] On Behalf Of John Cook
Sent: Thursday, January 16, 2014 9:55 AM
To: [email protected]
Subject: [NTSysADM] RE: encrypting Server 2008 R2 virtual disk

What is the disk configuration on the server? If it’s striped then they’d have a difficult (but not completely impossible) time getting data off multiple stolen drives without the RAID configuration or the actual controller. If the chassis is securely bolted to something then it deters opportunistic thieves, and if they’re specifically targeting the business it’s far more likely they’ll do it via a web-based attack.

John W. Cook
Network Operations Manager
Partnership For Strong Families
5950 NW 1st Place
Gainesville, Fl 32607
Office (352) 244-1610
Cell (352) 215-6944
MCSE, MCP+I, MCTS, CompTIA A+, N+, Security+
VSP4, VTSP4

From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Tran
Sent: Thursday, January 16, 2014 12:35 PM
To: [email protected]
Subject: [NTSysADM] RE: encrypting Server 2008 R2 virtual disk

It’s a new office build out so cameras are in discussion now. There will be 8 cameras but they are not hidden. With that said, do you have any suggestions on the encryption?

From: [email protected] [mailto:[email protected]] On Behalf Of Ziots, Edward
Sent: Thursday, January 16, 2014 9:20 AM
To: [email protected]
Subject: [NTSysADM] RE: encrypting Server 2008 R2 virtual disk

I agree the physical security concerns definitely would push you in the direction of getting the drives encrypted.
And I would also worry about cleaning staff, because they usually have the keys to the offices (thus physical access to perpetrate said scenario). Also, are there any hidden cameras that record the office, with the footage sent offsite for review or at least to building security? (Another detective control you look into)

Z

Edward E. Ziots, CISSP, CISA, Security +, Network +
Security Engineer
Lifespan Organization
[email protected]
Work: 401-255-2497

From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Tran
Sent: Thursday, January 16, 2014 11:16 AM
To: [email protected]
Subject: [NTSysADM] RE: encrypting Server 2008 R2 virtual disk

This is for a small Optometrist office that will just have a server rack in the back office, no secured datacenter involved. If someone kicks down the door, breaks open the rack enclosure, then breaks off the server security cover, they can then un-rack or remove the drives. I think the real concern here is that theft is actually possible and if it does happen, we need to be certain the data cannot be retrieved.
Jimmy

From: [email protected] [mailto:[email protected]] On Behalf Of Ziots, Edward
Sent: Thursday, January 16, 2014 7:53 AM
To: [email protected]
Subject: [NTSysADM] RE: encrypting Server 2008 R2 virtual disk

Here is my question on the encryption part, which HIPAA doesn’t really give a lot of leeway on.

1) If you are in a virtual environment, which you are claiming, then how is someone going to steal the VMDK without having access to the LUN (SAN or local) on the datastore in which it resides? (Pretty hard to walk into a datacenter with an ESX box and go steal the disk with the data on it.)

Encryption by the specification is “addressable”, and the real areas of risk are mobile devices (phones, tablets, laptops), where the cost and justification of the control is higher. (This is the risk management part of HIPAA 164.308(a) that a lot of people don’t look into when looking at what needs to be done.)

I know this isn’t a full answer to your question but wanted to get you context to what is being asked and where the real risk resides.

Z

From: [email protected] [mailto:[email protected]] On Behalf Of Jimmy Tran
Sent: Thursday, January 16, 2014 9:48 AM
To: [email protected]
Subject: [NTSysADM] encrypting Server 2008 R2 virtual disk

I have a client who needs to comply with HIPAA requirements and encrypt their data. The Windows Server 2008 R2 is a guest on ESXi 5.5. I looked at BitLocker and although VMware doesn’t support it, it can still be done. The data is currently planned to reside on the local datastore. Encrypting the entire datastore would be ideal but I’m not aware of any tools to do this. Does anyone have any recommendations?
Thanks,
Jimmy

