
BLU Discuss list archive



[Discuss] Full disk encryption




On Mon, 2 Jan 2012, Tom Metro wrote:

> The EFF recently tweeted
> (http://twitter.com/#!/EFF/status/153306301965938688):
>  @EFF
>  Call to action for 2012: full disk encryption on every machine you
>  own! Who's with us? eff.org/r.3Ng
>
> Which links to this article:
> https://www.eff.org/deeplinks/2011/12/newyears-resolution-full-disk-encryption-every-computer-you-own
>

We have a dozen or so machines with data supplied on the condition that 
they not be networked and be fully encrypted. They are used 
intermittently and the fear (of the data sources) is they might be stolen.

I don't see much point in encrypting data on a network server - if the 
disk is mounted then the plain-text is available to an intruder and the 
addition of an encrypted version doesn't enhance security. For a 
standalone machine, it does seem to offer us protection against getting in 
trouble with the state of Massachusetts over disclosure of financial data 
should the system be lost or mislaid. That is valuable to us.

We have both Fedora and Windows machines.

The built-in Fedora encryption is no trouble to establish (just check the 
box during installation) and maintain and on a multi-core desktop does not 
affect performance. An update from Fedora 13 to 16 did damage the boot 
record and make the disk unreadable, so I wouldn't try doing an update 
again. For a non-networked machine there isn't much need for updates, 
anyway.

On Windows, we have never used bitlocker, but have good experience with 
Compusec.

   http://www.ce-infosys.com/english/free_compusec/free_compusec.aspx

It is extremely easy to install and I like the ability to add 
an administrative password in case the user forgets the user password. It 
was not compatible with software RAID.

I have used Truecrypt, but am put off by the documentation, which suggests 
that the primary purpose of encryption is to avoid police inspection. As 
xkcd pointed out, this is hopeless ( http://xkcd.com/538/ ).

In both cases, I would like to see the encryption password (not the login 
password) used to unlock the screen (and reestablish decryption), but this 
does not seem to be available.

My understanding is that the underlying encryption systems make password 
guessing by brute force extremely slow, so that frequent password changes 
are not required, not that all agencies agree.

Daniel Feenberg
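
Added example, not part of the original message: a sketch of why key stretching makes passphrase guessing slow, using PBKDF2 from Python's standard library as a stand-in (the message does not name the key-derivation function). The iteration counts, the 40-bit passphrase strength and the 1,000-worker attacker are constructed assumptions.

```python
import hashlib
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a passphrase into a 32-byte key; cost grows linearly with iterations."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)

def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Best-of-N wall-clock cost of testing one candidate passphrase on this CPU."""
    salt = os.urandom(16)
    best = float("inf")
    for i in range(trials):
        start = time.perf_counter()
        derive_key(f"candidate-{i}", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def years_to_search(entropy_bits: float, guess_cost: float, workers: int = 1) -> float:
    """Expected years to find a passphrase: half the keyspace, split across workers."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * guess_cost / workers / SECONDS_PER_YEAR

def report(iteration_counts=(1, 1_000, 200_000), entropy_bits=40, workers=1_000):
    """Return rows of (iterations, seconds per guess, expected years to search)."""
    rows = []
    for n in iteration_counts:
        cost = seconds_per_guess(n)
        rows.append((n, cost, years_to_search(entropy_bits, cost, workers)))
    return rows

if __name__ == "__main__":
    # Constructed scenario: a 40-bit passphrase and an attacker with 1,000 workers
    # of this machine's speed. All figures are illustrative assumptions.
    for n, cost, years in report():
        print(f"{n:>7} iterations: {cost * 1000:9.3f} ms/guess, ~{years:,.2f} years")
```

The expected search time scales linearly with the per-guess cost, so the iteration count and the passphrase entropy together decide how long a stolen disk resists guessing.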



