On 12 January 2011 19:30, Edgar Zapata wrote:
> Thanks Kurt.
> I guess that won't do. As far as I know, and based on the tests that we've
> been performing, it only provides a way so that in case the disks are
> robbed/stolen they won't be readable unless you have a key (stored in, say, a
> removable USB drive).
> It won't prevent the system admin from reading the contents of the mails or
> even making copies of the .edb and .stm files for later misuse.
>
> We're still searching and testing so I'm open to suggestions.
>
> Thank you.
Well, if you want it for PCI, full disk encryption is fine. The goal is not to prevent the sysadmin from reading sensitive data. The goal is to prevent unauthorized people from doing so.

If you want to prevent every user other than the ones in each email conversation from reading the data exchanged, then you should use PGP/GPG or something equivalent. But even then, that won't stop the sysadmin from accessing the corporate desktops/laptops, retrieving the user's private key and then using it to decrypt the emails.

You shouldn't try to prevent your sysadmins from accessing sensitive data; they're in charge of your systems and they have control of them. You should trust them, separate their duties where possible and, above all, audit their actions.

My 2 cents.

--
Cheers, Alex.
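The "separate their duties ... and audit their actions" advice in the reply above has a concrete design consequence: an administrator who controls the mail server can also edit that server's plain log files, so an audit trail is only worth something if tampering with it is detectable by someone else. The following is an added example, not code from anyone on this thread, of one way to achieve that with a hash-chained (HMAC) audit log whose chain head is compared against a copy held outside the administrator's control. The record fields (`actor`, `action`, `path`, ...), the key and the events are all constructed for the demonstration; it is assumed that the HMAC key and the chain head live on a separate log collector the administrator cannot write to.

```python
"""Tamper-evident (hash-chained) audit log, added example (stdlib only).

Each entry commits to the previous entry's hash, so editing or removing
any record invalidates every later hash, and the final chain head is
checked against a copy kept off the administered system (assumption).
"""
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # chain anchor for the first record


def _record_digest(key: bytes, prev_hash: str, record: Dict) -> str:
    # Canonical JSON so an identical record always produces the same digest.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_hash.encode() + b"\n" + payload, hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only log where entry i's hash covers entry i and hash i-1."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self.entries: List[Dict] = []

    def append(self, record: Dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = _record_digest(self._key, prev, record)
        self.entries.append({"record": record, "hash": digest})
        return digest

    def head(self) -> str:
        # The value that must be shipped to the independent collector.
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(key: bytes, entries: List[Dict], expected_head: str) -> Tuple[bool, int]:
    """Recompute the chain. Returns (ok, index of first bad entry, or -1).

    An index equal to len(entries) means the chain itself is consistent but
    its head does not match the externally held head: entries were removed
    from the tail (or the collector's copy is newer).
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        if not hmac.compare_digest(_record_digest(key, prev, entry["record"]), entry["hash"]):
            return False, i
        prev = entry["hash"]
    if not hmac.compare_digest(prev, expected_head):
        return False, len(entries)
    return True, -1


def demo() -> Dict[str, object]:
    """Build a small constructed log, then show edit and truncation detection."""
    key = b"constructed-demo-key"  # held by the log collector, not the admin (assumption)
    log = AuditLog(key)
    # Constructed sample events; the names and paths are illustrative only.
    log.append({"actor": "admin1", "action": "mount_store", "path": "priv1.edb"})
    log.append({"actor": "admin1", "action": "copy", "path": "priv1.edb", "dest": "E:\\backup"})
    log.append({"actor": "admin1", "action": "open_mailbox", "user": "finance"})
    head = log.head()  # assumed to be forwarded to the independent collector

    intact, _ = verify_chain(key, log.entries, head)

    # Case 1: the middle record is rewritten to hide the copy operation.
    tampered = json.loads(json.dumps(log.entries))
    tampered[1]["record"]["action"] = "read"
    edited_ok, edited_idx = verify_chain(key, tampered, head)

    # Case 2: the last record is deleted outright.
    truncated = log.entries[:-1]
    trunc_ok, trunc_idx = verify_chain(key, truncated, head)

    return {
        "intact": intact,
        "edit_detected": not edited_ok,
        "edit_index": edited_idx,
        "truncation_detected": not trunc_ok,
        "truncation_index": trunc_idx,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the administrator's control over the mail server does not extend to the collector: with the key and the chain head held there, rewriting a record or dropping one from the end changes the recomputed head, and the collector sees the mismatch. If the key were kept on the administered host the admin could recompute the whole chain, but the externally stored head would still disagree, so the separation of where the head lives is the part that cannot be skipped.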
