> /You need a solution that encrypts the data at rest, not just
unmounted or off-line./
Indeed, once the system boots up with the passphrase, disk
encryption does nothing for you. It can also be easily broken in many
common circumstances:
http://news.cnet.com/8301-13578_3-9876060-38.html
It's just one link in the chain.
/> As for the lawsuits, the court would require that you turn over the
encryption keys and/or passwords so there is no protection there./
In some countries -- like the UK -- that is true. But in the U.S.
we still have (at the time of this writing) a 5th amendment:
http://cyb3rcrim3.blogspot.com/2007/12/court-upholds-using-fifth-amendment-to.html
Of course that is subject to change (see: Habeas Corpus).
TrueCrypt has a plausible deniability feature for such countries:
http://www.truecrypt.org/docs/?s=plausible-deniability
On 02/09/2011 04:08 PM, Bill Thompson wrote:
On Wed, 2011-02-09 at 15:15 -0800, Derek Simkowiak wrote:
/> Although I'm not quite sure why you would do full disk encryption on
a running server [...] Are these systems running in a insecure location?/
Last year one of my clients in a "secure" Seattle office building
got hit by theft. They lost workstations and laptops.
But even if your servers are in a 24/7 manned data center, HIPAA or
PCI compliance can require that customer records be kept on encrypted
storage. Consider that a hospital or corporation has absolutely no
control over who the data center hires, and yet, they have liability for
protecting customer privacy. Usually they don't even know the names of
the people who have physical access to the servers, let alone any degree
of control or visibility into when and where those employees are.
The performance of full-disk encryption is good enough on modern
hardware that I can't see why anyone would ever NOT use encryption. The
one exception being heavily loaded public web servers or large database
servers where the extra disk I/O performance is important and/or there
is no private information kept.
(Also, it's a selling point for my consulting services. My clients
include some big, high-tech companies. They feel better when I tell
them all their data is stored on encrypted media.)
/> ...on a MythTV box/
http://www.slashfilm.com/us-copyright-group-sues-20000-individual-movie-torrent-downloaders-lawsuits-targeting-30000-more-are-on-the-way/
http://www.betanews.com/article/MPAA-Sues-Grandfather-for-600000/1130957894
http://www.broadcastingcable.com/article/102880-MPAA_Sues_Individuals_Over_Swapping.php
Etc.
--Derek
I can see that file system encryption would protect you in a smash and
grab, but DM-Crypt does not protect information when the server is
running and the file system mounted. I would not rely on DM-Crypt for
HIPAA or PCI compliance. You need a solution that encrypts the data at
rest, not just unmounted or off-line. As for the lawsuits, the court
would require that you turn over the encryption keys and/or passwords so
there is no protection there.
But hey, if you can sell it to your clients, why the hell not. Billable
hours are billable hours.
