Hard Drive Encryption
-
@bsouder said:
I had thought about that for workstations or servers. What do you do for laptops though. Would partitioning the drive be a good solution then? Leave the OS partition unencrypted, and then encrypt the data partition?
Yes, same there in most cases. If you do the full drive you create SO MUCH work for yourself. But if you don't, then the OS is at risk in case the system is stolen. All about balancing effort and security.
-
@scottalanmiller said:
@bsouder said:
I had thought about that for workstations or servers. What do you do for laptops though. Would partitioning the drive be a good solution then? Leave the OS partition unencrypted, and then encrypt the data partition?
Yes, same there in most cases. If you do the full drive you create SO MUCH work for yourself. But if you don't, then the OS is at risk in case the system is stolen. All about balancing effort and security.
At the point is the OS really that important? If the data volume is encrypted at rest then who cares about the OS which would be generally the same on all the machines? Or does having the OS unecrypted introduce a new attack vector that wouldn't exist if it was encrypted like the data?
-
If someone gets access to the OS there is a chance of gathering data about the system(s) and to get cached credentials to use for offline unencryption attacks.
-
@scottalanmiller said:
@bsouder said:
I had thought about that for workstations or servers. What do you do for laptops though. Would partitioning the drive be a good solution then? Leave the OS partition unencrypted, and then encrypt the data partition?
Yes, same there in most cases. If you do the full drive you create SO MUCH work for yourself. But if you don't, then the OS is at risk in case the system is stolen. All about balancing effort and security.
I was going to suggest the same thing. My primary device is a laptop with a 500GB drive. I had planned on Dual Booting it; Win 7, Linux, but also wanted a data partition that was accessible to both.
I've used this scheme for a long time. Not always to dual boot but it was the mindset that the data was more important than the OS.. I could toast the OS and not worry about my data UNLESS there was a physical hard drive failure. Which do happen.
Even though many programs default to the OS drive for data, you can modify the registry or program settings to use the data vol and not the OS vol.
TrueCrypt and it's newer variant do wonderful encryption, however if you are having to comply with FIPS 140 - than TrueCrypt doesn't comply. Bitlocker does, as does may others.
-
Doesn't any company offer encryption at the disk or BIOS level? That combined with iLO or the equivalent would do the trick no?
-
Seagate used to have disk level, yes. Not sure how that works in RAID.
-
Good point - I guess you'd have to put the encryption in the RAID controller, but that would be a recipe for disaster.
-
@Nic said:
Good point - I guess you'd have to put the encryption in the RAID controller, but that would be a recipe for disaster.
Not that bad. Little different than having it in the OS.
-
As long as they have good tools to decrypt in case of a hardware failure.
-
@Nic said:
As long as they have good tools to decrypt in case of a hardware failure.
Same issues that you have with OS failure or drive failure. Wherever you encrypt you have to be really confident that it won't fail or have a solid recovery method. With a RAID controller, it could be stored both in the controller and on the disk the same way that RAID configuration is.
-
@scottalanmiller said:
Seagate used to have disk level, yes. Not sure how that works in RAID.
Several vendors offer drive level encryption - but like you said, with a RAID controller, the controller would have to know how to take the passwords and pass it along to the drives during boot. So you'd still need iLo for remote work. This is something you'll probably never have on a regular workstation.
-
Another problem with just encrypting the data is forcing all of the data to the right location.
By default Word stores it's files on the C:\users\usernname\documents directory, well that's on the drive - so now you either have to move the profiles (a problem) or the user has to REMEMBER to put the data in the right place. Also, what about the PageFile? or other temporary files? If you really need to encrypt a system, not encrypting the whole thing seems unlikely to cover everything you're trying to protect.
That said, of course encrypted systems are a huge pain to support.
-
@Dashrender said:
@scottalanmiller said:
Seagate used to have disk level, yes. Not sure how that works in RAID.
Several vendors offer drive level encryption - but like you said, with a RAID controller, the controller would have to know how to take the passwords and pass it along to the drives during boot. So you'd still need iLo for remote work. This is something you'll probably never have on a regular workstation.
iLO doesn't solve the problem. The RAID controller must handle it. ILO would only give you visibility into a failed system otherwise.
-
iLo won't let you see what's on screen so you can type in a password?
When I was talking about iLo I was referring to the fact that the RAID controller could possibly pass the password prompt request back to the screen for the user to answer.
Having The RAID controller store the passwords internally would be find, as long as the RAID controller won't do so until after YOU/Admin type in the RAID controller unlock code.
-
@Dashrender said:
iLo won't let you see what's on screen so you can type in a password?
Of course it does, but the RAID controller has to put things on the screen. The disks don't talk to the computer directly. That's what RAID does, 100% encapsulation.
-
@Dashrender said:
When I was talking about iLo I was referring to the fact that the RAID controller could possibly pass the password prompt request back to the screen for the user to answer.
Yes, if the RAID does that. But that is not a natural component of RAID.
-
If you absolutely need to keep things easy for them, AKA do everything including wiping, then you need an out of band solution.
Try a KVM over IP.
http://www.lantronix.com/it-management/kvm-over-ip/spider.html
http://www.blackbox.com/Store/Detail.aspx/ServSwitch-Wizard-IP-DXS-Single-Access-IP-Gateway/ACR101AJust plug it in, plug in the network cable, and you are good to go. Easy to manage via a single web interface.
-
@PSX_Defector Wow...they aren't cheap! But I like what they can do!