On Wed, 2011-02-09 at 15:15 -0800, Derek Simkowiak wrote: > /> Although I'm not quite sure why you would do full disk encryption on > a running server [...] Are these systems running in a insecure location?/ > > Last year one of my clients in a "secure" Seattle office building > got hit by theft. They lost workstations and laptops. > > But even if your servers are in a 24/7 manned data center, HIPAA or > PCI compliance can require that customer records be kept on encrypted > storage. Consider that a hospital or corporation has absolutely no > control over who the data center hires, and yet, they have liability for > protecting customer privacy. Usually they don't even know the names of > the people who have physical access to the servers, let alone any degree > of control or visibility into when and where those employees are. > > The performance of full-disk encryption is good enough on modern > hardware that I can't see why anyone would ever NOT use encryption. The > one exception being heavily loaded public web servers or large database > servers where the extra disk I/O performance is important and/or there > is no private information kept. > > (Also, it's a selling point for my consulting services. My clients > include some big, high-tech companies. They feel better when I tell > them all their data is stored on encrypted media.) > > > /> ...on a MythTV box/ > > http://www.slashfilm.com/us-copyright-group-sues-20000-individual-movie-torrent-downloaders-lawsuits-targeting-30000-more-are-on-the-way/ > > http://www.betanews.com/article/MPAA-Sues-Grandfather-for-600000/1130957894 > > http://www.broadcastingcable.com/article/102880-MPAA_Sues_Individuals_Over_Swapping.php > > Etc. > > --Derek
I can see that file system encryption would protect you in a smash and grab, but DM-Crypt does not protect information when the server is running and the file system mounted. I would not rely on DM-Crypt for HIPAA or PCI compliance. You need a solution that encrypts the data at rest, not just unmounted or off-line. As for the lawsuits, the court would require that you turn over the encryption keys and/or passwords so there is no protection there. But hey, if you can sell it to your clients, why the hell not. Billable hours are billable hours. -- Bill Thompson [email protected]
signature.asc
Description: This is a digitally signed message part
