On Mon, 2010-04-19 at 17:46 -0400, Boris Epstein wrote:
Hello listmates,
If you were to get full disk encryption for your OpenSuSE (or other Linux) machine - what would you go for?
Boris.
What do you mean by "full disk"?

If you mean the usual mount points, just use 11.2 with luks. You can encrypt everything, _except_ /boot (and boot sectors, partition table of course).*** If still using m$, use truecrypt for those partitions.

OTOH, if you want to encrypt every single disk sector, you need one of those most recent drives that do hw-encryption on the drive instead of the system. (BTW, I've never seen them...)

Both have their pros and cons. Doing encryption by the system means that it takes cpu-cycles, but you are not stuck with one particular type of hdd. Furthermore, one could do a blind dd from one disk to another, for a raw security backup.

*** I was told that even that limitation can be circumvented with linux-bios and grub2.

How secure do you want to be? And remember, real strong [two, three factor] authentication (with either tpm, smartcards, tokens and limited attempts) is a blessing and a curse: you are "safer" as long as you don't lose the pin or are struck by hw-failure. If a key is lost, it's lost forever, and so will your data.

And finally, what do you try to obtain? Data lock-out after theft? Perhaps FDE is overkill, as what is so secret about the system config? If for other reasons, FDE might not even be enough: after a successful boot from an encrypted drive, _all_ is open.

And you even might consider multi-level encryption schemes:
- drive
- specific mountpoints (separate mountpoint for each home directory) that get mounted while logged in, or while a specific application runs
- file encryption

How paranoid do you want to get?