I think you need to define what you are trying to protect against. BitLocker will protect disks at rest - it's whole disk encryption. It doesn't encrypt individual files.
EFS is per-file encryption - but it's also an attribute of the NTFS file system. EFS is thus not portable across any medium which doesn't support that NTFS file attribute (e.g. FAT file system, SMB network). Additionally, EFS works by using a certificate in the user's profile - so if you want to use per-user EFS encryption on a file server, you need to have (a) roaming profiles that store the EFS certs and (b) Kerberos delegation from the file server to the server hosting the roaming profiles, so that the server can authN as the user and load their profile and cert. As the cert is stored in the user's profile, it can be used offline. Giving multiple people access to a file is a bit of a pain - individual decryption keys need to be inserted into each file. Hence you pretty much need a PKI for anything larger than the most trivial of environments.

AD-RMS is based on license keys issued by an RMS server. So issuance is centrally controlled - no need to store things in user profiles per se. However you need to be able to contact the RMS server to obtain a license key (decrypt) or encrypt a document. So, it doesn't really work offline. Additionally, it's reliant on the application to implement the functionality to control access. So, no ability to RMS encrypt an Access file, Visio file, Photoshop file etc. Excel, Word, PowerPoint and Outlook are the only supported Office applications.

There are plenty of third party products as well. Most work on the same principles of either EFS or AD-RMS: either a central license store, or a distributed key store.

Cheers
Ken

From: Cameron Cooper
Sent: Wednesday, 11 January 2012 5:30 AM
To: NT System Admin Issues
Subject: RE: Encrypting a 2008 R2 Clustered File Server

Michael,

Thanks for the warning on not using it. With my first research we couldn't use BitLocker on the cluster servers since they don't have TPM chips installed.
Found the following article to use BitLocker without TPM <http://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/>.

Regards,
Cameron
_____________________________________________
Cameron Cooper | IT Manager | Aurico
Direct: 847.890.4021 | Cell: 224.688.2854 | Fax: 847.255.1896
www.aurico.com

From: Michael B. Smith
Sent: Tuesday, January 10, 2012 2:10 PM
To: NT System Admin Issues
Subject: RE: Encrypting a 2008 R2 Clustered File Server

NO! Don't use EFS! Use BitLocker.

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Cameron Cooper
Sent: Tuesday, January 10, 2012 1:49 PM
To: NT System Admin Issues
Subject: Encrypting a 2008 R2 Clustered File Server

All,

We're in the process of migrating all of our company servers from Server 2003 to Server 2008 R2. We've installed and configured two Server 2008 R2 Enterprise cluster servers with a failover cluster role and are connected to a MD3000 storage.

Here's what we're looking to do... we're going to create network shares that are dependent on dept. and user access (i.e. someone from our researching dept. doesn't need to see/have access to accounting dept. share) and encrypt the entire file server. We also want the encrypt/decrypt to be transparent to the end user.

First question: Has anyone used EFS with AD RMS with network shares? Has this worked and how easy was it to set up?

Second question: Is there a recommended encryption solution that someone has implemented?

Regards,
Cameron
