Security Basics mailing list archives

Re: Full disk encryption options


From: yann.cloatre () desjardins com
Date: Fri, 16 Jan 2009 14:35:48 -0500


aragonx () dcsnow com wrote:
This machine is always on.  What I'm trying to protect against is someone
taking the hardware and then trying to recover the information on it.
Most of the time, I am remote and there are occasional power outages (for
which I don't have enough protection).  The machine is set to come back on
when AC is restored.  Therefore I would need the volumes mounted
automatically.

I think that we are looking at this from the wrong angle.

It really sounds like this machine needs to be located in a secured
environment, with limited access to the hardware.

In an auditable, secured environment.

I agree, you need to have a physically secure environment to do what you
want to do.

Or perhaps, why not say: the server is in an insecure environment and I
want it to come back up on its own.
OK, so "don't secure the server"; why not use a secure virtual
environment inside it?
Then you can restart your virtual server whenever you want after the
physical server reboots.
In the VM you will face the same questions about how to encrypt some part
of the OS..., but you can always have remote access to your virtual server.

Yann.



One of the things that I am considering encrypting is the volumes that
store my email (/home and /var).  I think the machine will operate fine
without /home but /var (for the mail spool) might be an issue.
Especially since it is my email server.

I like the idea of having another computer store the key.  However, this
computer would have to be at a remote location.  If someone steals one
computer, they would probably steal them all (at that location).  So far
this is the best solution I've heard.  Thank you.

---
Will Y.





- --
Rob

+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+
|                         _   |
|  ASCII ribbon campaign ( )  |
|   - against HTML email  X   |
|                        / \  |
|                             |
+-=-=-=-=-=-=-=-=-=-=-=-=-=-=-+

