This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

BitLocker encryption management on Windows Server operating systems

I would like to manage the BitLocker ( not Safeguard ) encryption on my various Windows servers. I am currently doing this successfully with the Windows 10 computers. In Sophos Central\My Products\Encryption I do not see any of the server objects listed so I cannot add them to the  encryption policy that I have added the workstations to. I do not see encryption listed as a policy type that I can create under My Products\Server Protection. If I go to the Summary under the server objects I do not see "Device Encryption" listed as an installed component on the servers either even though it was included in the Endpoint Protection package that I deployed to all servers and workstations. 

Thanks, 



This thread was automatically locked due to age.
Parents
  • Device Encryption is not supported on servers. 

    There are various reasons, but one of the more applicable is that device encryption only protects the data when the machine is off (data at rest) and servers are rarely off and are also harder to steal the physical drives. Combined with the need for high performance, it makes encrypting the data on the drives a poor solution for server protection.

    Now, encrypting the data when it is backed up is an excellent policy but Sophos Device Encryption does not service that use case. 

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

Reply
  • Device Encryption is not supported on servers. 

    There are various reasons, but one of the more applicable is that device encryption only protects the data when the machine is off (data at rest) and servers are rarely off and are also harder to steal the physical drives. Combined with the need for high performance, it makes encrypting the data on the drives a poor solution for server protection.

    Now, encrypting the data when it is backed up is an excellent policy but Sophos Device Encryption does not service that use case. 

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

Children
  • While what you say is true about only protecting powered off computers, your assumptions about "harder to steel" reveals your ignorance in actual use cases.  On-premise servers can be as small as a mac-mini (and some people even use those) and most small businesses DO NOT have hardened security vaults protected by iris scanners in their mom-and-pop shop.  It is just another computer in the back office.  If Windows supports it (which they do), then your product which supports it on Windows 10 SHOULD be able to manage it in Windows Server. It is the SAME product managed the SAME way.  Deployment might be different, as Windows requires adding it as a feature, but the end result is the same.

    A stolen device is a stolen device, regardless if it is 1 lb or 100 lbs.

  • I understand your point of view, but the SGN product was not built to that use case. It was designed for a large scale managed encryption solution that developed out of the LanCrypt product we used to sell. 

    Originally we provided our own encryption algo and a bootloader that moved the OS into an encrypted sub-set of the target drive. It provided true opaque protection of the drive. It came with a cost, however, and the performance hit combined with the points I outlined above led to there never being a server-target SGN solution.

    For smaller use cases - we have Central Device Encryption which is still focused on an endpoint not a server - you will notice we have no policy option for encryption in Central. 

    However, if there is sufficient market appetite for a server based encryption solution it can be looked at. I suggest you put it in as a feature request.

    RichardP

    Program Manager, Support Readiness | CISSP | Sophos Technical Support
    Support Videos | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.