[CALUG] Opinions on whole Disk encryption (for Linux)

David A. Cafaro dac at cafaro.net
Wed Feb 6 15:30:55 EST 2008


Yep, someone brought it to my attention that Version 5 came out.
Unfortunately, whole disk encryption is only supported in Windows, not
Linux or Mac OS X.  They have added a GUI version of the tools for
Linux though, as well as MacOS as you mentioned.

Still cool, but not my lucky day :-).  Though dm-crypt may have me  
covered.

Cheers,
David


On Feb 6, 2008, at 2:40 PM, P Yasuda wrote:

>
> Might be your lucky day. TrueCrypt 5 was released, and it does
> whole disk encryption now.
>
> And OSX support, finally. Yay!
>
> py
>
> On Feb 4, 2008 2:34 PM, David A. Cafaro <dac at cafaro.net> wrote:
> Thanks all,
>
> Between posts here and a few other groups, I started looking into a
> dm-crypt solution for the server.  Big benefit is that it's already
> in the kernel for RHEL5 which is what we are using.  Setup is going
> to be a pain, but in the end it will be well worth it.
>
> In our case it's very important that if for some reason our servers
> were stolen that the information on disk would be useless to the
> thief.  Confidential data and such.  The images will be running on
> top of a hardware RAID 5 setup.  Also, backups (which are also
> planned) will also be encrypted.  Yes, this puts us at a slightly
> greater chance of an unrecoverable error, but it's worth it based on
> the data we need to protect.
>
> Anyways, I'll probably do a full write-up once it's all implemented
> to share, it should be interesting.  We haven't had any issues with
> security yet, but I'm all for being ahead of the curve on these kinds
> of things.
>
> Cheers,
> David
>
>
> On Feb 2, 2008, at 11:43 AM, Sean Wilkerson wrote:
>
> > Rob,
> > Your post touches on an important question of why you would go with
> > disk encryption.  Disk encryption is a burden on the system, OS, and
> > administration.  It can frequently be a burden on the user as well
> > (even in the COTS solutions I have seen).  I would expect that if an
> > entity deployed disk encryption, it would be mostly to protect
> > confidentiality, when this exposure would out-weigh the need for
> > availability (as you noticed).
> >
> > Disk/volume encryption has its benefits, and in some cases might be a
> > requirement, but front-end leg work to develop a policy and guidelines
> > for its deployment, use, and mgmt are critical.  With the federal
> > government currently deploying Full-Disk-Encryption on many of its
> > mobile devices, the policies and mgmt are the biggest debates.
> >
> > In a nutshell, if you wish to deploy full-disk-encryption you should
> > first deploy (and test) a backup and recovery solution which works,
> > and ensure you continue to maintain the DR procedure and backups once
> > you integrate the encrypted FS/device.
> >
> > Sorry I can't help more with the original post as to *FOSS*
> > recommendations on full disk encryption, though I am enjoying reading
> > others' experiences.
> >
> > Sean
> >
> >
> > Rob Payne wrote:
> >> I don't want to drag this off topic, but wanted to mention my
> >> experience.  This is probably more of a lesson in the importance of
> >> backing up, but my experience with FileVault in OS X left me very
> >> cautious about using disk encryption.
> >>
> >> I experienced a rare instance where I suddenly could do nothing to
> >> interact with the operating system, not even to diagnose the
> >> issue.  In the end, the only thing I could do was turn off the
> >> machine.  The sparseimage for my home directory was corrupted as a
> >> result.  After weeks of troubleshooting I still could not recover the
> >> image and had to create a new user account.
> >>
> >> Yep, should have backed up regularly.  I guess my point is that power
> >> and operating system issues do happen from time to time and can be
> >> much more difficult and time consuming to recover from and cause more
> >> data loss (even if you back up) when using disk encryption.
> >>
> >> -Rob
> >>
> >>
>
> David A. Cafaro <dac at cafaro.net>
> Cafaro's Ramblings:  www.cafaro.net

David A. Cafaro <dac at cafaro.net>
Cafaro's Ramblings:  www.cafaro.net






