[CALUG] Opinions on whole Disk encryption (for Linux)
David A. Cafaro
dac at cafaro.net
Wed Feb 6 15:30:55 EST 2008
Yep, someone brought it to my attention that Version 5 came out.
Unfortunately whole disk encryption is only supported in Windows, not
Linux or Mac OS X. They have added a GUI version of the tools for
Linux though, as well as MacOS as you mentioned.

Still cool, but not my lucky day :-). Though dm-crypt may have me
covered.

Cheers,
David
On Feb 6, 2008, at 2:40 PM, P Yasuda wrote:
>
> Might be your lucky day. TrueCrypt 5 was released, and it does
> whole disk encryption now.
>
> And OSX support, finally. Yay!
>
> py
>
> On Feb 4, 2008 2:34 PM, David A. Cafaro <dac at cafaro.net> wrote:
> Thanks all,
>
> Between posts here and a few other groups, I started looking into a
> dm-crypt solution for the server. Big benefit is that it's already
> in the kernel for RHEL5 which is what we are using. Setup is going
> to be a pain, but in the end it will be well worth it.
>
> In our case it's very important that if for some reason our servers
> were stolen that the information on disk would be useless to the
> thief. Confidential data and such. The images will be running on
> top of a hardware RAID 5 setup. Also, backups (which are also
> planned) will also be encrypted. Yes, this puts us at a slightly
> greater chance of an unrecoverable error, but it's worth it based on
> the data we need to protect.
>
> Anyways, I'll probably do a full write-up once it's all implemented
> to share, it should be interesting. We haven't had any issues with
> security yet, but I'm all for being ahead of the curve on these kinds
> of things.
>
> Cheers,
> David
>
>
> On Feb 2, 2008, at 11:43 AM, Sean Wilkerson wrote:
>
> > Rob,
> > Your post touches on an important question of why you would go with disk
> > encryption. Disk encryption is a burden on the system, OS, and
> > administration. It can frequently be a burden on the user as well (even
> > in the COTS solutions I have seen). I would expect that if an entity
> > deployed disk encryption, it would be mostly to protect confidentiality,
> > when this exposure would outweigh the need for availability (as you
> > noticed).
> >
> > Disk/volume encryption has its benefits, and in some cases might be a
> > requirement, but front-end leg work to develop a policy and guidelines
> > for its deployment, use, and mgmt are critical. With the federal
> > government currently deploying Full-Disk-Encryption on many of its
> > mobile devices, the policies and mgmt are the biggest debates.
> >
> > In a nutshell, if you wish to deploy full-disk-encryption you should
> > first deploy (and test) a backup and recovery solution which works, and
> > ensure you continue to maintain the DR procedure and backups once you
> > integrate the encrypted FS/device.
> >
> > Sorry I can't help more with the original post as to *FOSS*
> > recommendations on full disk encryption, though I am enjoying reading
> > others' experiences.
> >
> > Sean
> >
> >
> > Rob Payne wrote:
> >> I don't want to drag this off topic, but wanted to mention my
> >> experience. This is probably more of a lesson in the importance of
> >> backing up, but my experience with FileVault in OS X left me very
> >> cautious about using disk encryption.
> >>
> >> I experienced a rare instance where I suddenly could do nothing to
> >> interact with the operating system, not even to diagnose the issue. In
> >> the end, the only thing I could do was turn off the machine. The
> >> sparseimage for my home directory was corrupted as a result. After
> >> weeks of troubleshooting I still could not recover the image and had to
> >> create a new user account.
> >>
> >> Yep, should have backed up regularly. I guess my point is that power
> >> and operating system issues do happen from time to time and can be much
> >> more difficult and time consuming to recover from and cause more data
> >> loss (even if you back up) when using disk encryption.
> >>
> >> -Rob
> >>
> >>
>
> David A. Cafaro <dac at cafaro.net>
> Cafaro's Ramblings: www.cafaro.net
>
>
>
>
> _______________________________________________
> CALUG mailing list
> CALUG at unknownlamer.org
> http://lists.unknownlamer.org/listinfo/calug
>
David A. Cafaro <dac at cafaro.net>
Cafaro's Ramblings: www.cafaro.net