Full Disk Encryption - Xen, Windows and Linux?
Bofh To asks: "I'm in an industry that, more or less, requires full disk encryption, and to accomplish this, we use Pointsec on Windows. For the past 8 years, I've been running Linux on my work laptop, and this is the first time I'm running in a Windows-only environment. I am interested in changing that, because I want to use Linux as my main platform, and only drop into Windows when necessary (and use CrossOver if at all possible). I'm also interested in Xen, and would like to see if I can use that to virtualize Windows under Linux. My thought is that, as long as Pointsec is in dom0 and I use virtual disks for the Windows VM, I should be covered. The problem is that I'd also like a machine that is usable, as opposed to waiting endlessly as the virtual memory, virtual machine, Pointsec, and Xen all thrash around while I'm working on the machine. Has anyone used Pointsec for Linux, with Xen?"
Look at dm-crypt (Score:4, Informative)
Re: (Score:3, Interesting)
I use it on my swap and
Normal reading/writing load is ok, but doing something like an rsync backup kills responsiveness.
It seems to get a bit better if I renice kcryptd and kjournald. Any experience w
Re: (Score:3, Informative)
From the dm-crypt FAQ: [saout.de]
Q: My system hangs for some time in regular intervals when writing to encrypted disks.
A: You are probably using Linux 2.6.4. Due to the introduction of kthread pdflush is running at nice level -10,
Re: (Score:2)
Re:Look at dm-crypt (Score:5, Informative)
To the original poster:
I think this is one of those 'suck it and see' situations. Processors are getting faster all the time. Disks are getting faster too, especially solid state drives. So the trade-offs between different performance areas are changing all the time. E.g., today you might notice the crypto delays, tomorrow you might not because you essentially have a dedicated core doing disk crypto.
Last year I ran tests with Pointsec for a different situation and it was pretty good with a flash drive. Not _quite_ as good as a FDE competitor but not far off. This wasn't on a fancy new laptop with decent dual core processor either. For these tests I got a free eval copy of Pointsec. They were nice, helpful guys when I spoke with them, perhaps you could get an eval copy too.
Another alternative is a hardware solution such as Flagstone from Stonewood. Full hard drive speed and full OS compatibility.
Re:Look at dm-crypt (Score:5, Informative)
As is the proposed dm-crypt configuration. In both cases you have a small unencrypted boot section containing no sensitive data and everything else is encrypted.
The only difference from a security perspective is that you can't audit Pointsec.
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2)
Yes, but isn't it irrelevant plain text? What does it have to do with the encrypted data? It's just a compiled public algorithm, isn't it?
Maybe I'm missing something.
At some point something has to be plain text. You can't have everything encrypted without something being unencrypted and runnable (even if it's in a chip or in the boot sector).
Re: (Score:3, Interesting)
With Pointsec only the MBR plus a couple of other sectors are unencrypted. There is no small partition in plain text which is what I understand dm-crypt to be. Please correct me if I'm wrong.
You're correct, but the difference is irrelevant: it doesn't matter if it's a few KB or a few MB that is unencrypted, the key is that all of the functional system and its data is encrypted, including all swap.
Actually, dm-crypt and Linux can do one thing that Pointsec, AFAIK, does not do, which is to take advantage of a TPM-enabled machine. Given a TPM, TPM-enabled BIOS, TPM-enabled GRUB and Linux kernel, you can bind a portion of the master decryption key to the boot state, ensuring that any attempt
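As an added illustration (not part of the comment above, and not dm-crypt, GRUB or TPM code): a toy Python model of binding part of the disk key to the measured boot state. `ToyTPM`, `disk_key`, `try_boot` and the sample boot chain are hypothetical names and constructed values; a real TPM enforces the PCR policy in hardware instead of deriving a key from it in software.

```python
import hashlib, hmac, os

def extend(pcr: bytes, component: bytes) -> bytes:
    # TPM extend operation: PCR_new = H(PCR_old || H(component))
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()

def measure_boot(chain) -> bytes:
    pcr = bytes(32)                 # PCRs start at zero on power-on
    for blob in chain:              # each stage is hashed before it runs
        pcr = extend(pcr, blob)
    return pcr

class ToyTPM:
    """Software stand-in for a TPM: the root key never leaves this object."""
    def __init__(self):
        self._root = os.urandom(32)

    def _keys(self, pcr: bytes, nonce: bytes):
        k = hmac.new(self._root, pcr + nonce, hashlib.sha256).digest()
        return (hmac.new(k, b"enc", hashlib.sha256).digest(),
                hmac.new(k, b"mac", hashlib.sha256).digest())

    def seal(self, secret: bytes, pcr: bytes) -> bytes:
        if len(secret) != 32:
            raise ValueError("toy model seals exactly 32 bytes")
        nonce = os.urandom(16)
        enc, mac = self._keys(pcr, nonce)
        ct = bytes(a ^ b for a, b in zip(secret, enc))
        return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

    def unseal(self, blob: bytes, current_pcr: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:48], blob[48:]
        enc, mac = self._keys(current_pcr, nonce)
        want = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            raise PermissionError("boot state differs from the sealed state")
        return bytes(a ^ b for a, b in zip(ct, enc))

def disk_key(passphrase: str, tpm_share: bytes) -> bytes:
    # Master key needs both the user's passphrase and the TPM-held share.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), tpm_share, 100_000)

def try_boot(tpm, blob, chain, passphrase):
    try:
        return disk_key(passphrase, tpm.unseal(blob, measure_boot(chain)))
    except PermissionError:
        return None                 # modified boot chain: share is not released

# Constructed sample boot chains (placeholders, not real images)
GOOD = [b"bios-v1", b"grub-stage2", b"vmlinuz-2.6", b"initrd"]
EVIL = [b"bios-v1", b"grub-stage2", b"vmlinuz-2.6-trojaned", b"initrd"]
```

With a share sealed against `measure_boot(GOOD)`, `try_boot` returns the disk key only for the unmodified chain on the same `ToyTPM`; the altered kernel in `EVIL` yields `None` even with the correct passphrase.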
Re: (Score:2)
As for the auditing, I would take closed source but CAPS (or similar) approved[1] over open source non-CAPS. Because it _has_ been audited as part of the approval process. Of course, at this level the rubber hose hack is the best way of getting to the data.
I don't know about the TPM side of things.
Cheers
[1] By CAPS approved I'll take the 'commercial' version of a product certified for classified data use. In other wor
looking forward to replies on this one (Score:3, Interesting)
I kind of like the roll-your-own approach to the Linux full disk encryption scenario, but most large organizations balk at anything that's not a commercial solution
Re: (Score:1)
As to virtualization, I use VMware to run Windows under Linux.
Debian's new installer is spiffy (Score:4, Informative)
It's amazingly simple to use, and great for laptops. (I'm running it on my dual-core laptop)
Check it out: http://www.us.debian.org/CD/ [debian.org]
Re: (Score:3, Interesting)
if it gets it from somewhere else but it is read by the kernel in /boot that's also no good because the kernel could be replaced.
If you're protecting against theft having an unencrypted kernel read the password is fine. But if you're protecting against theft why bother with full disk encryption; why not just encrypt specific files or use a virtual encrypted drive like TrueCrypt?
The main reason for full disk encryption instead of alternatives is that it makes it impossible to modify any part of the operating system while the machine is offline; so you can have a system running in an insecure envir
Re: (Score:2)
Full disk encryption is convenient security. It is seamless and the pe
Re: (Score:2)
Carrying
These questions always make me smile... (Score:2, Insightful)
Re: (Score:2)
Re: (Score:3, Insightful)
If you're talking a thousand or so employees or less, you have about a dozen or so IT guys, so you head over to where they take lunch and you shoot the shit with them, and they can probably agree it would be cool to look at solution X on Linux.
If you're talking an outfit with a thousand or so IT guys, then the answers are likely to be preprogrammed unless you can get to somebody high enough. Even then they're going to be more interested in keeping their headaches minimized than making
Re: (Score:1)
Re: (Score:1)
Compusec by CE-Infosys (Score:1)
gordon freeman approves... (Score:5, Funny)
I'm not sure about that, but I'm sure Xen would be a great place to store backups to keep them from prying eyes. [wikipedia.org] Who needs encryption when you have a low-gravity parallel dimension as a safe-deposit box?
Have you considered Pointsec on Linux? (Score:3, Informative)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
to all the people advocating dm-crypt (Score:2)
Alex
Do you really need full hard disk encryption? (Score:2)
Known plaintext attack on encryption (Score:3, Interesting)
attack.
Re: (Score:1)
Known plaintext is when someone tells you here are 64 bits of ciphertext (i.e. from DES), and then also gives you the 64 bits
Re: (Score:2)
Is there any way of deliberately fragmenting a disk duri
I wish FDE were more common with UNIXs (Score:1)
BestCrypt (Score:2)
Xen + Encryption + LVM + RAID on Debian (Score:2)
It is probably more than you are looking for, since it doesn't sound like you want RAID. But that part is easily skipped. The LVM part I would keep, as logical volumes will make managing the virtual machines that much easier.
Actually, a lot of this (the LVM and encryption parts) should be doable from the Debian 4.0 installer.