[TriLUG] Opinions on whole Disk encryption (for Linux)

James Tuttle jjtuttle at trilug.org
Fri Feb 1 13:27:32 EST 2008


Hi David,

You can see what I've written about configuring and using LVM and
dm-crypt at http://www.braggtown.com/blog/tag/encryption/. So everything
except a 500 MB boot partition is encrypted with AES 256 on my machines.

I don't know anything about Red Hat since version 9 so I can't comment
on what's built-in, but this was all included in Ubuntu.  It was
ridiculously easy, actually.  I've done the same setup on 2 desktops and
2 laptops and haven't noticed any overhead issues, but I'm not running
an enterprise server.

One thing that might be problematic is that you can't remote reboot.
You probably know that, but it's a pain.  I sure would love to be able
to SSH into a tiny shell to enter my password and decrypt the system.

I used loop-AES on Suse 9 with ReiserFS and hated it.  I actually paid
Hans $25 to remote in and try to recover my FS.  No luck.  Incidentally,
that's when I started really prioritizing backups.

Jim

David A. Cafaro wrote:
> Ok, I wanted to solicit any experience/opinions on whole disk  
> encryption.
> 
> I will be implementing some form of whole disk encryption on a new
> server being set up.  I've already doubled the hardware (cpu/memory) to
> help deal with the extra load that will be generated.
> 
> The idea is that on boot the system will start the
> encryption/decryption process.  When shut down, the server will stop the
> process.  This way if for some reason the server is stolen (or a HD
> fails and must be sent off for repairs/replacement) there is no fear
> of the data being exposed.
> 
> I've started looking at loop-AES, but was curious if anyone else has  
> any experience with other solutions or this solution.
> 
> OpenSource/Free is preferred, and something that doesn't involve  
> messing with the kernel besides loading modules is required.  Ideally  
> it would be built in to my distribution already and just require  
> setup/tweaking.  The OS will be RHEL5.
> 
> Thanks,
> David


-- 
--
---Jim Tuttle
------------------------------------------------------
http://www.braggtown.com
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x69B69B08



