Security Basics mailing list archives

Re: List of Full Disc Encryption products


From: Dereck Martin <dmartin () mixxerinc com>
Date: Thu, 06 Jul 2006 17:45:23 -0400

I prefer this method. It uses loopback encryption. This is a tutorial for Gentoo, but it can be translated for almost any Linux system. If done right you get the following.

A system that requires a USB pen drive to boot. The USB pen drive will contain a GPG key that is used as the passphrase for the AES encryption used for the loopback encryption. This system allows for a complete root file system to be encrypted and only accessed on the fly. All encryption and decryption is done in memory on request. Swap and other partitions can be encrypted too. Even if a person has the GPG key and the hard drive, one would still have to know the GPG passphrase.

This is ideal for laptops and systems that require extra security.

http://forums.gentoo.org/viewtopic-t-31363-highlight-disk+encryption+loopaes.html
http://forums.gentoo.org/viewtopic-t-108162-highlight-disk+encryption+loopaes.html

Dereck Martin
Desktop Support
Office: 317-472-9771
Cell: 812-374-2727

www.mixxer.com
                    _/
   _/_/_/  _/_/        _/    _/  _/    _/    _/_/    _/  _/_/
  _/    _/    _/  _/    _/_/      _/_/    _/_/_/_/  _/_/
 _/    _/    _/  _/  _/    _/  _/    _/  _/        _/
_/    _/    _/  _/  _/    _/  _/    _/    _/_/_/  _/



Robertson, Seth (JSC-IM) wrote:
The problem with technologies like EFS which encrypt files and folders
is that several unencrypted copies and fragments are scattered around
the file system to comport to the OS's peculiar implementation.  For
example, temporary recovery files aren't saved to the folders designated
for encryption (e.g., My Documents).  Sure, the intent of the letter is to
encrypt data files rather than executables (because the information
which comprises an executable is *typically* not sensitive), and
targeted encryption is a good solution for certain problems (e.g., a
file server which is physically secure, saving files from the laptop to
removable storage or over the network), but I don't think one could
successfully argue that targeted encryption would meet the requirements
of protecting ALL the sensitive data in every place it resides on the
hard drive.  For that particular piece of the puzzle, only full disk
encryption guarantees the encryption of all the data.


Seth Robertson

-----Original Message-----
From: Roger A. Grimes [mailto:roger () banneretcs com]
Sent: Thursday, July 06, 2006 1:13 PM
To: Saqib Ali
Cc: security-basics
Subject: RE: List of Full Disc Encryption products

I don't want to argue semantics, but you're wrong. Pure and simple.
Data's data. Program files and operating system files are not data.
Data is stored in files. You can encrypt individual files and folders
and still be in compliance with any federal mandate or guideline.  There
is NO mandate or guideline that says the entire drive must be encrypted.

Again, encrypting hard drives is a good thing, but don't spread FUD.
Let the facts speak for themselves. Encrypting the entire hard drive is
one solution for protecting confidential files, but it isn't the only
solution. And it certainly isn't the only one accepted by law or
mandate.

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com]
Sent: Thursday, July 06, 2006 12:28 PM
To: Roger A. Grimes
Cc: security-basics
Subject: Re: List of Full Disc Encryption products

On 7/5/06, Roger A. Grimes <roger () banneretcs com> wrote:
I don't believe your second sentence. Prove me wrong. What mandate says that full hard drive encryption is mandatory versus just encrypting the necessary files and folders? Give me the law and subsection.

OK. See:
1) http://digg.com/security/U.S._gov_t_mandates_laptop_security
2) http://www.whitehouse.gov/omb/memoranda/fy2006/m06-16.pdf

Bullet #1 from the PDF reads:
1) Encrypt "all" data on mobile computers/devices which carry agency
data unless the data is determined to be non-sensitive, in writing, by
your Deputy Secretary or an individual he/she may designate in writing;

So encrypting certain files on the laptop will NOT suffice. You have to
encrypt "All Data".

If you are NOT encrypting partial data on the device, you have to get a
written exception from the Deputy Secretary.



--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
-----------

---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and practice
to master. We can't teach you to hack. But we can teach you what we've
learned so far. Our courses are honest, real, technical and practical.
SensePost will be at Black Hat Vegas in July. To see what we're about,
visit us at:
http://www.sensepost.com/training.html
---------------------------------------------------------------------------



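The property Dereck Martin's set-up relies on at the top of this message is a two-factor unlock: the USB stick holds the volume key wrapped under a GPG passphrase, so the stick plus the drive is useless without the passphrase, and the decrypted key only ever lives in memory while sectors are encrypted and decrypted on request. The following is an added example modelling that flow with the Python standard library; it is not code from the original post or from the Gentoo tutorials linked above. Its assumptions: the stick is a byte string rather than a device, GPG and loop-AES are replaced by scrypt plus an HMAC-SHA256 counter-mode stream construction (the standard library has no AES), the scrypt parameters are the example's own, and the sample sector contents are constructed.

```python
"""Added example: two-factor unlock (key file on a stick + passphrase)
and on-the-fly sector encryption, modelled after the loop-AES/GPG set-up
described in the post.  Stand-ins used here are assumptions for the
demo: scrypt + HMAC-SHA256 instead of GPG/AES, bytes instead of a USB device.
"""
import hashlib
import hmac
import secrets
import struct

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32


def kdf(passphrase: bytes, salt: bytes) -> bytes:
    """Derive 64 bytes: 32 for encryption, 32 for the MAC.
    Parameters are chosen for the demo, not taken from loop-AES or GPG."""
    return hashlib.scrypt(passphrase, salt=salt, n=2 ** 14, r=8, p=1, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for AES in this demo."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key64: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC the volume key: nonce || ciphertext || tag."""
    enc_key, mac_key = key64[:32], key64[32:]
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key64: bytes, blob: bytes) -> bytes:
    """Reject a wrong passphrase or a tampered key file before decrypting."""
    enc_key, mac_key = key64[:32], key64[32:]
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or corrupted key file")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def make_stick(passphrase: bytes):
    """Generate a random volume key and write it to the 'USB stick' wrapped
    under the passphrase.  Returns (stick_contents, volume_key)."""
    volume_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(SALT_LEN)
    return salt + seal(kdf(passphrase, salt), volume_key), volume_key


def unlock(stick_contents: bytes, passphrase: bytes) -> bytes:
    """Boot-time step: the stick supplies the wrapped key, the user supplies
    the passphrase; either factor alone recovers nothing."""
    salt, blob = stick_contents[:SALT_LEN], stick_contents[SALT_LEN:]
    return unseal(kdf(passphrase, salt), blob)


def crypt_sector(volume_key: bytes, sector_no: int, data: bytes) -> bytes:
    """On-the-fly sector encryption keyed by sector number; symmetric, so the
    same call decrypts.  loop-AES used AES with a per-sector IV and modern
    dm-crypt uses XTS; this stream stand-in is unauthenticated and malleable,
    as sector-level disk encryption generally is, and is for the demo only."""
    return _xor(data, _keystream(volume_key, struct.pack(">Q", sector_no), len(data)))


def demo() -> bool:
    """Walk through the two-factor property the post describes."""
    stick, volume_key = make_stick(b"correct horse battery staple")

    # Attacker holding the stick and the drive but not the passphrase.
    try:
        unlock(stick, b"guess")
        return False
    except ValueError:
        pass

    # Legitimate boot: both factors present.
    if unlock(stick, b"correct horse battery staple") != volume_key:
        return False

    # Data is decrypted in memory, per sector, on request.
    sector = b"/etc/shadow contents" * 25  # constructed sample sector
    ct = crypt_sector(volume_key, 1337, sector)
    return ct != sector and crypt_sector(volume_key, 1337, ct) == sector


if __name__ == "__main__":
    print("two-factor unlock demo:", "ok" if demo() else "FAILED")
```

The salt and the wrapped key sit on the stick; the passphrase is never stored anywhere, which is what makes "stick plus hard drive" insufficient for an attacker, exactly the point made in the post.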
