Encrypting the system volumes on a server

by Mitch Tulloch [Published on 18 June 2009 / Last Updated on 2 Feb. 2009]

Why encrypting the system volume on a server is usually not a good idea.

Windows BitLocker Drive Encryption lets you encrypt the entire system volume on a computer. It's great for mobile users who have laptops that can easily get lost or stolen. But is it a good idea to encrypt the system volume on a server? Does this give more security, or does it create headaches?

Consider this: You have a server at a branch office, and the server reboots for some reason (maybe an update was installed, or a power glitch occurred). Generally this is not a problem, and even with BitLocker enabled the system should start normally. But if for some reason BitLocker detected a system condition that might represent a security risk (for example a disk error of some kind) the drive would be locked and you would need someone there at the branch office to supply the BitLocker recovery password to enable the system to boot. Now, you wouldn't want to give that sensitive password to just anyone, and if the branch office is small and there's no full-time admin there, you have a problem. And it gets worse if your server is sitting in a remote datacenter somewhere.

Remember, with increased security usually comes decreased manageability—there's always a tradeoff and you need to consider this before taking actions like this to "secure" your server.

If you have feedback concerning this tip, I'd love to hear from you.

Featured Links