Update May 28, 2014

The Truecrypt website is in a state of flux. We do NOT recommend using Truecrypt at this time. Please check back often until we have more clarity on the Truecrypt situation.

Original Post

The last month or so I’ve been helping a local small business solve some IT issues. They are a Windows only shop and needed to move to a client server setup to support a particular business application to improve their work flow.

Microsoft’s Small Business Server 2011 Essentials (SBS2011E) was the most cost effective platform that met the requirements of their niche’ business application. I installed a trial version on a server that I put together using some spare parts that I had leftover from my work experimenting with a GPU workstation build last fall. The base computer used an Asus motherboard, an AMD Phenom II X6 6-core CPU, 16 GB ECC RAM, an nVidia NVS300 graphics card, and an nVidia Edition Cooler Master case. The vendor of the business app recommended using a RAID server so I added a 3Ware 9650SE 8-port hardware RAID card. I configured it to use RAID 10 with four Western Digital enterprise grade 7200 RPM 1 Terabyte drives. Overall, a nice looking and very capable system that didn’t break the bank.

Installation of SBS2011E was very straightforward, but be aware that it insists on taking the primary hard drive all to itself and it will format the entire drive for it’s own use. Not what I’d call user friendly, but the assumption is that you’re only using SBS2011E on the machine so it seems a reasonable choice. Also, be sure to set a computer name and domain name that you like since you can’t change it later. Lastly, note that you can only use a Domain with SBS2011E. You’ll need to look elsewhere if you need a Workgroup type solution.

If you look at the product matrix of the SBS 2011 family you will notice that SBS2011E includes a nice backup option that isn’t present in SBS 2011 Standard even though the latter is more expensive. SBS2011E doesn’t include Bit Locker disk encryption like the more expensive server options, but we had already already standardized on TrueCrypt for workstations and notebook computers. We figured that TrueCrypt would be a good option for the server too. Indeed, I’m pleased to report that TrueCrypt works nicely with SBS2011E and encrypting the system drive on the fly after installation was as fast and easy. If you’re a Windows user and need encryption it’s hard to beat TrueCrypt.

After the system disk was encrypted I proceeded to create an encrypted volume on a 2 TB hard drive connected via an e-Sata dock. I intended to use this drive as removable backup storage. Once the encryption completed I mounted the drive and then attempted to configure the SBE2011E backup service. The first thing it asked for was the location for the backup. Unfortunately, the TrueCrypt volume was no where in the list. I unmounted and remounted it and I even restarted the computer to no avail. The SBE2011E backup service would not recognize a TrueCrypt volume! Out of frustration, I pointed the backup setup at the drive itself and just like that it reformatted it for it’s own use and in the process destroyed the TrueCrypt volume. This wouldn’t have been all bad, except that there was NO option whatsoever to encrypt the data on the backup drive! I guess this shouldn’t be a surprise since Bit Locker isn’t even an option in SBS2011E!

In today’s world, unencrypted backups are not an option so I disabled the Essentials backup utility. I again created a TrueCrypt volume and then went looking for an alternative backup solution that could cope with TrueCrypt. I quickly settled on Novastor. The program installed easily and recognized the encrypted volume without any problems. Novastor and TrueCrypt seem to be a fine solution for encrypted backups in Essentials. Well, almost! When I tried to login to the Domain from a Windows 7 Pro machine I was still presented with all of the options of SBS2011E’s backup service even though it is disabled. Worse, the Launchpad is displayed on every login and at the top of the list is Backup, but not the NovaStor backup function! I determined that this wold be a very confusing setup to the users since they would expect expect features presented to them to work! Try as I might, I couldn’t figure out a way to disable the backup feature so tightly integrated throughout SBS2011E.

At this point I thought perhaps if we got the more expensive version of SBS server that included Bit Locker we might be better off. Some web research however suggested that even with BitLocker it wasn’t easy to setup an encrypted backup. There was one site that suggested that it could be done, but it was clearly a hack and not a turnkey setup that I could turn over to a client.  At this point I had wasted a lot of time trying to find a solution to a problem that shouldn’t exist in the first place! I was outraged that Microsoft had the audacity to sell software that didn’t offer encrypted backups or at least allow the backups to be written to volumes encrypted with widely used open source encryption software.

Again, I looked at other options. I considered using Windows 7 Pro and a simple Workgroup to host the business app, but was told that it didn’t work efficiently with more than about four connections to the SQL server.  That wasn’t enough for the business so we were stuck. SBS2011E was the right choice and the client just about ready to accept unencrypted backups even though that wasn’t the best thing for their data. Then I had the aha moment!

Why not use a hardware encrypted hard drive for the backup! Eureka! Go to Amazon and there they are. A tad more expensive than a bare eSATA drive but just like that the problem is solved. I opted for an Apricorn Padlock series drive, but Datalocker and others also make products that can meet your needs for bombproof encryption. In retrospect this seems like an easy decision, but I was expecting a software solution so it took me a while to realize that wasn’t the way go in this case.

In summary, if you want to have encrypted backups with SBS2011E or any of the 2008 R2 based server solutions from Microsoft, your best bet is to bite the bullet and buy a hardware encrypted hard drive. To the best of my knowledge, software encryption just doesn’t seem to be a viable option at this time.

I hope this saves some of you a bit of time and frustration. I also hope someone at Microsoft will take note and fix this critical flaw in the SBS2011E backup service. Thanks for reading!

 Update December 7 , 2012

The Apricorn Padlock drive has worked just fine now for over 5 months. I highly recommend the use of hardware encrypted drives as a means of overcoming the shortcomings of the SBS2011E backup utility.