Encrypting an Exchange Database While the Database Is in Use

Are there any products that can encrypt an Exchange database while the database is in use?

Yes. In fact, one such product is included in Windows 2000 and later: Windows Encrypting File System (EFS) lets you encrypt folders or volumes, including folders or volumes that contain Exchange data. Although I can't find any official statement from Microsoft that says it supports EFS with Exchange, EFS is supported with Microsoft SQL Server, and in my experience it seems to work fine with Exchange. However, be aware that using EFS encryption and decryption can add a significant performance penalty. A variety of third-party products provide disk-, volume-, or folder-level encryption in hardware or software, although I don't know of any that have been tested with Exchange.

Before deploying EFS or a third-party product, you should examine why you want to encrypt Exchange databases. If you're trying to protect individual mail items, you can probably get adequate protection from a combination of Secure MIME (S/MIME) encryption and the Windows Rights Management Service (RMS) toolset (depending on the threat model you face). If you want to protect messages in transit, the Transport Layer Security (TLS) encryption functionality built into Exchange's SMTP server will be useful. If your goal is to protect your server from compromise by someone who gets physical access to the server, you should make sure that your existing physical security measures are adequate before employing encryption. Don't forget to provide protection for your backup media, too; ideally, you should be using a combination of physical security and encryption to make sure that tapes are protected.