Hi Ronald,

Many thanks for the reply.

This is great information - thank you!

Tim

Confirming that Amazon RDS for SQL Server is supported for Laserfiche applications. The only exception is Laserfiche Discussions due to its requirement for the SQL FILESTREAM feature, which RDS does not support. 

We have a number of customers who have run their production Laserfiche databases on RDS for several years at this point. RDS offers storage encryption separate from the Enterprise edition-only TDE feature so you can save a fair amount on SQL licensing costs by going with Standard edition.

My client is keen to use encryption at rest.  Laserfiche recommends not to do so.  Can you please say why?  Is there a performance impact?  If so can you quantify it?  thanks!

I don't believe it's accurate to say that we recommend against encryption at rest. Where did you read that? What you might have seen is that we have deprecated encrypted volumes and instead we encourage admins to set up encryption at the file system level.

My client is keen to use encryption at rest.  Laserfiche recommends not to do so. 

I want to reiterate that this is categorically not true. If you're aware of any official Laserfiche resources stating we do not recommend encrypting data at rest, please let us know what they are so we can remove or correct them.

As Brian mentioned, there is a deprecated "encrypted volumes" feature we don't recommend you use, but even that page outright states:

We recommend the use of alternative full-featured encryption systems to secure your Laserfiche data on disk.

You asked three related questions though another channel, which I'll publicly answer here for the benefit of the community:

1. Does Laserfiche have other clients who use encryption at rest?
   1. Yes. A significant proportion of Laserfiche customers use encryption at rest with their self-hosted Laserfiche systems. The vast majority of those use some form of Full Disk Encryption. A small minority use file-based encryption. 
       
2. The Laserfiche guidance is to use a third party tool – can you say why? 
   1. Because Laserfiche does not have native encryption capabilities at the application layer. Therefore, you must apply encryption at rest at the file system and/or underlying storage (virtual/physical disk, SAN, etc.) layers. As those are not within Laserfiche software's ability to control, you must use applicable 3rd party tools.
       
3. Are there any tools Laserfiche know work well with Laserfiche?
   1. We generally recommend using Full Disk Encryption (FDE) unless there is a specific and compelling requirement for file-level encryption. FDE tends to be a native capability of operating systems and virtualization platforms that often requires nothing more than a checkbox to enable. File-level encryption is more complicated to set up, can require new 3rd party tools you'd have to purchase, and adds some performance overhead.
       
   2. The specific FDE options you have available are determined by your infrastructure. Some examples are Microsoft Bitlocker and VMware Virtual Disk Encryption. AWS and Azure both have native disk encryption capabilities. Nearly all new SANs these days have some form of storage encryption.
       
   3. For File-level Encryption, the most straightforward (and free) option is the Encrypting File System feature native to Windows for NTFS file systems. Be very, very careful about how you implement the certificate/key management and backup for EFS because if that goes wrong you lose access to your repository volume data forever. 
      There are also commercial solutions like Thales CipherTrust Transparent Encryption.
      
      Note that Microsoft themselves say on the EFS page: "Typically, the access control to file and directory objects provided by the Windows security model is sufficient to protect unauthorized access to sensitive information. However, if a laptop that contains sensitive data is lost or stolen, the security protection of that data may be compromised. Encrypting the files increases security."
      
      Full disk encryption adequately protects against the "stolen drive" case, so you're adding significant additional complexity with file-level encryption for often questionable benefit. 

This is the help file reference that recommends against volume encryption for active volumes:


https://doc.laserfiche.com/laserfiche.documentation/11/administration/en-us/Default.htm#../Subsystems/LFAdmin/Content/Encrypted_Secured_Volumes.htm

Many thanks Sam, that is very helpful.

Nigel, that link is for the aforementioned deprecated "Laserfiche volume encryption" / "Encrypted Volumes" feature. It's supposed to be a technical reference we keep available for anyone who might still be using that from an older version, plus a place to display the feature usage warnings and recommendation to use an alternative encryption method.

Do you have customers or prospects finding that page and misunderstanding it? If so, we should perhaps put a banner at the top clarifying the matter.