Security Basics mailing list archives
Re: Full disk encryption options
From: yann.cloatre () desjardins com
Date: Fri, 16 Jan 2009 14:35:48 -0500
aragonx () dcsnow com wrote:

This machine is always on. What I'm trying to protect against is someone taking the hardware and then trying to recover the information on it.

Most of the time, I am remote and there are occasional power outages (for which I don't have enough protection). The machine is set to come back on when AC is restored. Therefore I would need the volumes mounted automatically.

I think that we are looking at this from the wrong angle. It really sounds like this machine needs to be located in a secured environment, with limited access to the hardware. In an auditable, secured environment.

I agree, you need to have a physically secure environment to do what you want to do. Or perhaps, why not say: the server is in an insecure environment and I want it to come back on its own. OK, so "don't secure the server"; why not use a secure virtual environment inside? Then you can restart your virtual server when you want after the physical server reboots. In the VM you will ask the same questions about how to encrypt some part of the OS..., but you can always have remote access to your virtual server.

Yann.

One of the things that I am considering encrypting is the volumes that store my email (/home and /var). I think the machine will operate fine without /home but /var (for the mail spool) might be an issue. Especially since it is my email server.

I like the idea of having another computer store the key. However, this computer would have to be at a remote location. If someone steals one computer, they would probably steal them all (at that location). So far this is the best solution I've heard.

Thank you.

--- Will Y.

-- Rob