Hello.

The question with the regulators is always whether or not "Whole Disk Encryption" also includes the MBR and the service partitions.

In order to avoid any problem I would put anything required to boot the system on a removable device, to be unplugged when the system is off (plus BIOS with password, boot only from the external device, etc. etc. etc.), so that "Whole Disk Encryption" is indisputably true with the systems shut down.

And also use only encrypted partitions (with or without LVM) as suggested.

Marco

On 10.06.15 19:19, Lew Wolfgang wrote:
On 06/10/2015 09:51 AM, Andrei Borzenkov wrote:
On Wed, 10 Jun 2015 09:24:57 -0700, Lew Wolfgang wrote:

Hi Folks,
The IA Overlords are rattling their sabres again and are demanding that Whole Disk Encryption be applied to all systems to protect data while it's "resting". Basically, if a system is off, all data on non-volatile memory devices has to be encrypted. A TPM can be used for authentication once power is supplied, or the system could prompt for a password before booting.
Would openSuSE, or anything else for that matter, support this kind of a thing? I think TrueCrypt came close, but how would it handle multiple 70-TB partitions?
Yes, creating LVM on top of an encrypted partition should work. The downside is that you will need to enter the password at least twice - for the bootloader to unlock /boot and the kernel to unlock / (even if they are on the same filesystem).
Thanks Andrei. Would this work with RAID-6 partitions too?
Would there be any way to have a TPM (Trusted Platform Module) provide the passwords? I think this is how Windows does it in some environments.
Regards, Lew
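
An added example, not part of the original thread: a read-only audit of the layout discussed above (boot files on a removable device, RAID-6 under LUKS under LVM) that lists any plaintext filesystem left on non-removable media. The function names and the sample `lsblk` output are constructed, and it assumes `lsblk -P` lists a parent device before its children.

```shell
#!/bin/sh
# Flag block devices that hold a plaintext filesystem on non-removable media.
# Input on stdin: output of `lsblk -P -o KNAME,TYPE,FSTYPE,RM,PKNAME`
# (assumption: parents are listed before their children).
audit_at_rest() {
    awk '
    function field(key,    re, s) {
        # Extract the value of key="value" from the current line.
        re = "(^| )" key "=\"[^\"]*\""
        if (!match($0, re)) return ""
        s = substr($0, RSTART, RLENGTH)
        sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
        return s
    }
    {
        k = field("KNAME"); t = field("TYPE"); fs = field("FSTYPE")
        rm = field("RM"); p = field("PKNAME")
        # Encryption and removability are inherited down the device stack.
        if (t == "crypt" || enc[p]) enc[k] = 1
        if (rm == "1" || removable[p]) removable[k] = 1
        # Container signatures hold no plaintext data by themselves.
        if (fs == "" || fs == "crypto_LUKS" || fs == "linux_raid_member" || fs == "LVM2_member") next
        if (!enc[k] && !removable[k] && !seen[k]++) print k " " fs
    }'
}

# Constructed sample: RAID-6 -> LUKS -> LVM data volume, a removable boot
# stick (sdc), and one stray plaintext swap partition (sda2).
sample_lsblk() {
cat <<'EOF'
KNAME="sda" TYPE="disk" FSTYPE="" RM="0" PKNAME=""
KNAME="sda1" TYPE="part" FSTYPE="linux_raid_member" RM="0" PKNAME="sda"
KNAME="md0" TYPE="raid6" FSTYPE="crypto_LUKS" RM="0" PKNAME="sda1"
KNAME="dm-0" TYPE="crypt" FSTYPE="LVM2_member" RM="0" PKNAME="md0"
KNAME="dm-1" TYPE="lvm" FSTYPE="xfs" RM="0" PKNAME="dm-0"
KNAME="sda2" TYPE="part" FSTYPE="swap" RM="0" PKNAME="sda"
KNAME="sdc" TYPE="disk" FSTYPE="" RM="1" PKNAME=""
KNAME="sdc1" TYPE="part" FSTYPE="ext4" RM="1" PKNAME="sdc"
EOF
}

# Each finding is printed as "<kname> <fstype>"; no output means no findings.
sample_lsblk | audit_at_rest
```

On a live system, feed it `lsblk -P -o KNAME,TYPE,FSTYPE,RM,PKNAME | audit_at_rest`; partitions with no filesystem signature are not reported.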