Please, put down your flamethrowers.
This is NOT a flame bait.

We need to set up a secure fileserver,
one that will resist unauthorized access to company information,
even in the event that the server's hard disks or the server itself
is physically compromised (i.e. stolen and physically moved to a place
where the attacker has the luxury of time to try to crack the files at will).


I know this is impossible, but a reasonably secure fileserver
that uses an encrypting file system can make cracking difficult, costly
and time-consuming enough that it in effect puts a barrier to any cracking
efforts. For example, to brute-force decrypt the files in the encrypting
filesystem, the cracker will need a server farm worth $50k and
it will take 4 weeks of his time. This is probably security we can live with.


I asked Mr. Google about encrypting filesystems on Linux, and I found none.
What I found were instructions on how to recompile the kernel to add the Linux
Crypto API, then create a loopback device that points to an encrypted file.
Or something like that. This is too non-standard for our meager IT capabilities,
I'm not sure if we can support a setup like this.


On the other hand, over at the dark side of the world, there's the encrypting file system in
Windows 2003, probably the same one that came with Windows XP. It's pretty simple
to use: right-click, click properties, click 'Advanced', then check the 'encrypt' button. Done.


Again, no flames, please. No ideologies, either. I understand GPL.
This is not a file format we're embracing, just a fileserver. It won't tie us up
with the evil empire, we can move to Samba anytime (except that our $1000+ would go to waste,
and we lose the crypto capabilities). IIS Insecurity is also irrelevant here. We're only going to use
Win2003 as a PDC and a file server.


I'm looking for replies along the lines of:

1. Windows 2003 crypto isn't strong enough. It's puny 40-bit encryption that can be cracked by
a P4 2GHz in half a day. It's almost useless.


2. Setting up and supporting an encrypting Linux filesystem isn't that hard, many people have been there
and done that, and you'll find plenty of support in case you get into trouble. For less than the license price
you'll give to M$, you can get quality training at [name-of-really-good-training-center-here].


3. It's ok. Don't feel guilty. M$ wins this one. But not for long. Wait for features like this in ext7 around 2006.


stp, Radamanthus Batnag

--
Philippine Linux Users' Group (PLUG) Mailing List
[EMAIL PROTECTED] (#PLUG @ irc.free.net.ph)
Official Website: http://plug.linux.org.ph
Searchable Archives: http://marc.free.net.ph
.
To leave, go to http://lists.q-linux.com/mailman/listinfo/plug
.
Are you a Linux newbie? To join the newbie list, go to
http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie