On Mon, 2 Jan 2012, Tom Metro wrote:

The EFF recently tweeted
(http://twitter.com/#!/EFF/status/153306301965938688):
 @EFF
 Call to action for 2012: full disk encryption on every machine you
 own! Who's with us? eff.org/r.3Ng

Which links to this article:
https://www.eff.org/deeplinks/2011/12/newyears-resolution-full-disk-encryption-every-computer-you-own


We have a dozen or so machines with data supplied on the condition that they not be networked and be fully encrypted. They are used intermittently and the fear (of the data sources) is they might be stolen.

I don't see much point in encrypting data on a network server - if the disk is mounted then the plain-text is available to an intruder and the addition of an encrypted version doesn't enhance security. For a standalone machine, it does seem to offer us protection against getting in trouble with the state of Massachusetts over disclosure of financial data should the system be lost or mislaid. That is valuable to us.

We have both Fedora and Windows machines.

The built-in Fedora encryption is no trouble to establish (just check the box during installation) and maintain and on a multi-core desktop does not affect performance. An update from Fedora 13 to 16 did damage the boot record and make the disk unreadable, so I wouldn't try doing an update again. For a non-networked machine there isn't much need for updates, anyway.

On Windows, we have never used bitlocker, but have good experience with Compusec.

  http://www.ce-infosys.com/english/free_compusec/free_compusec.aspx

It is extremely easy to install and I like the ability to add an administrative password in case the user forgets the user password. It was not compatible with software RAID.

I have used Truecrypt, but am put off by the documentation, which suggests that the primary purpose of encryption is to avoid police inspection. As xkcd pointed out, this is hopeless ( http://xkcd.com/538/ ).

In both cases, I would like to see the encryption password (not the login password) used to unlock the screen (and reestablish decryption), but this does not seem to be available.

My understanding is that the underlying encryption systems make password guessing by brute force extremely slow, so that frequent password changes are not required, not that all agencies agree.

Daniel Feenberg
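
An added illustration of the key-stretching point in the message above (not part of the original post, and not code from any product it mentions): it assumes a PBKDF2-style passphrase derivation, and the salt, alphabet size, passphrase length and one-second unlock target are constructed values.

```python
import hashlib
import time

SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a passphrase into a 32-byte key; cost is linear in iterations."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                               iterations, dklen=32)


def calibrate_iterations(target_seconds: float, probe: int = 20_000) -> int:
    """Choose an iteration count so one derivation takes ~target_seconds here."""
    start = time.perf_counter()
    derive_key("benchmark", b"constructed-salt", probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe * target_seconds / elapsed))


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passphrases of exactly this length."""
    return alphabet_size ** length


def years_to_exhaust(space: int, seconds_per_guess: float,
                     parallel_workers: int = 1) -> float:
    """Worst-case time to try every candidate; each guess pays one derivation."""
    return space * seconds_per_guess / parallel_workers / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed scenario: 8 lowercase letters, unlock tuned to about 1 second.
    iterations = calibrate_iterations(1.0)
    space = keyspace(26, 8)
    print(f"iterations for ~1 s per unlock on this CPU: {iterations}")
    for workers in (1, 1_000, 1_000_000):
        stretched = years_to_exhaust(space, 1.0, workers)
        unstretched = years_to_exhaust(space, 1.0 / iterations, workers)
        print(f"{workers:>9} workers: {stretched:12.4f} years stretched, "
              f"{unstretched:.3e} years with a single hash round")
```

The legitimate user pays the derivation cost once per unlock, while a guesser pays it for every candidate, so the slowdown scales with the iteration count but does not rescue a passphrase drawn from a small space.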

_______________________________________________
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
