Encrypted Backup with Microsoft Small Business Server


Update May 28, 2014

The TrueCrypt website is in a state of flux. We do NOT recommend using TrueCrypt at this time. Please check back often until we have more clarity on the TrueCrypt situation.

Original Post

The last month or so I’ve been helping a local small business solve some IT issues. They are a Windows-only shop and needed to move to a client-server setup to support a particular business application to improve their workflow.

Microsoft’s Small Business Server 2011 Essentials (SBS2011E) was the most cost-effective platform that met the requirements of their niche business application. I installed a trial version on a server that I put together using some spare parts that I had left over from my work experimenting with a GPU workstation build last fall. The base computer used an Asus motherboard, an AMD Phenom II X6 6-core CPU, 16 GB ECC RAM, an nVidia NVS300 graphics card, and an nVidia Edition Cooler Master case. The vendor of the business app recommended using a RAID server so I added a 3Ware 9650SE 8-port hardware RAID card. I configured it to use RAID 10 with four Western Digital enterprise-grade 7200 RPM 1 Terabyte drives. Overall, a nice-looking and very capable system that didn’t break the bank.

Installation of SBS2011E was very straightforward, but be aware that it insists on taking the primary hard drive all to itself and it will format the entire drive for its own use. Not what I’d call user friendly, but the assumption is that you’re only using SBS2011E on the machine so it seems a reasonable choice. Also, be sure to set a computer name and domain name that you like since you can’t change it later. Lastly, note that you can only use a Domain with SBS2011E. You’ll need to look elsewhere if you need a Workgroup type solution.

If you look at the product matrix of the SBS 2011 family you will notice that SBS2011E includes a nice backup option that isn’t present in SBS 2011 Standard even though the latter is more expensive. SBS2011E doesn’t include BitLocker disk encryption like the more expensive server options, but we had already standardized on TrueCrypt for workstations and notebook computers. We figured that TrueCrypt would be a good option for the server too. Indeed, I’m pleased to report that TrueCrypt works nicely with SBS2011E and encrypting the system drive on the fly after installation was fast and easy. If you’re a Windows user and need encryption it’s hard to beat TrueCrypt.

After the system disk was encrypted I proceeded to create an encrypted volume on a 2 TB hard drive connected via an eSATA dock. I intended to use this drive as removable backup storage. Once the encryption completed I mounted the drive and then attempted to configure the SBS2011E backup service. The first thing it asked for was the location for the backup. Unfortunately, the TrueCrypt volume was nowhere in the list. I unmounted and remounted it and I even restarted the computer to no avail. The SBS2011E backup service would not recognize a TrueCrypt volume! Out of frustration, I pointed the backup setup at the drive itself and just like that it reformatted it for its own use and in the process destroyed the TrueCrypt volume. This wouldn’t have been all bad, except that there was NO option whatsoever to encrypt the data on the backup drive! I guess this shouldn’t be a surprise since BitLocker isn’t even an option in SBS2011E!

In today’s world, unencrypted backups are not an option so I disabled the Essentials backup utility. I again created a TrueCrypt volume and then went looking for an alternative backup solution that could cope with TrueCrypt. I quickly settled on NovaStor. The program installed easily and recognized the encrypted volume without any problems. NovaStor and TrueCrypt seem to be a fine solution for encrypted backups in Essentials. Well, almost! When I tried to log in to the Domain from a Windows 7 Pro machine I was still presented with all of the options of SBS2011E’s backup service even though it is disabled. Worse, the Launchpad is displayed on every login and at the top of the list is Backup, but not the NovaStor backup function! I determined that this would be a very confusing setup to the users since they would expect features presented to them to work! Try as I might, I couldn’t figure out a way to disable the backup feature so tightly integrated throughout SBS2011E.

At this point I thought perhaps if we got the more expensive version of SBS server that included BitLocker we might be better off. Some web research however suggested that even with BitLocker it wasn’t easy to set up an encrypted backup. There was one site that suggested that it could be done, but it was clearly a hack and not a turnkey setup that I could turn over to a client. At this point I had wasted a lot of time trying to find a solution to a problem that shouldn’t exist in the first place! I was outraged that Microsoft had the audacity to sell software that didn’t offer encrypted backups or at least allow the backups to be written to volumes encrypted with widely used open source encryption software.

Again, I looked at other options. I considered using Windows 7 Pro and a simple Workgroup to host the business app, but was told that it didn’t work efficiently with more than about four connections to the SQL server. That wasn’t enough for the business so we were stuck. SBS2011E was the right choice and the client was just about ready to accept unencrypted backups even though that wasn’t the best thing for their data. Then I had the aha moment!

Why not use a hardware encrypted hard drive for the backup! Eureka! Go to Amazon and there they are. A tad more expensive than a bare eSATA drive but just like that the problem is solved. I opted for an Apricorn Padlock series drive, but Datalocker and others also make products that can meet your needs for bombproof encryption. In retrospect this seems like an easy decision, but I was expecting a software solution so it took me a while to realize that wasn’t the way to go in this case.

In summary, if you want to have encrypted backups with SBS2011E or any of the 2008 R2 based server solutions from Microsoft, your best bet is to bite the bullet and buy a hardware encrypted hard drive. To the best of my knowledge, software encryption just doesn’t seem to be a viable option at this time.

I hope this saves some of you a bit of time and frustration. I also hope someone at Microsoft will take note and fix this critical flaw in the SBS2011E backup service. Thanks for reading!

Update December 7, 2012

The Apricorn Padlock drive has worked just fine now for over 5 months. I highly recommend the use of hardware encrypted drives as a means of overcoming the shortcomings of the SBS2011E backup utility.

6 Responses to "Encrypted Backup with Microsoft Small Business Server"
  1. b says:

    Are you sure that the server you were installing it on didn’t have a TPM chip?
    As SBS Essentials will support bitlocker.

    • JR says:

      I didn’t have a TPM on the server.

      This link: http://technet.microsoft.com/en-us/library/gg637871.aspx suggests it is possible to use bitlocker but if you look at the note at the bottom of the page that reads:

      You can back up a source volume that is encrypted with BitLocker. However, if you restore the backup to your server, it is restored without BitLocker encryption. You must manually enable BitLocker on the restored volume.

      If the backup target volume is encrypted with BitLocker, you must disable BitLocker before you can back up to the volume. If you reenable BitLocker after the backup, and you need to restore it from the encrypted volume, you must disable BitLocker before you can restore the backup.

      You will see that backup with Bitlocker isn’t a very good option.

  2. B says:

    You can also do bitlocker with a usb flash drive, but then try rebooting the box for maintenance.
    IMHO bitlocker is way better suited for laptops, not so for Servers. With servers you want folders encrypted. Not the entire thing.

    I already know that bitlocker isn’t the greatest thing for servers. I’m just saying you said that SBS Essentials doesn’t support Bitlocker and indeed it does. It’s just not the right tool for the job you needed to do.

    • JR says:

      I found it quite confusing to sort out what is included, what is supported, what you can add on, and which functions require CALs or CDLs, and what actually works on the various MS Server products. I’m sorry if that confusion bled into the post.

      That said, you are correct that BitLocker is supported on SBS2011E. However, it’s not apparent to me that BitLocker is included in the purchase price. As you say, even if it is, it still doesn’t offer a good solution for making encrypted backups.

      Thanks for your input!

  3. Tinyurl.com says:

    I really think blog post, “Encrypted Backup with Microsoft Small Business Server | Security Beacon” was fantastic! I actually could not see eye to eye along with u more! At last looks like I identified a blog truly worth reading through. Thanks for your time, Chi
