On Monday, 2010-04-19 at 17:54 -0400, Greg Freemyer wrote:
> On Mon, Apr 19, 2010 at 5:46 PM, Boris Epstein wrote:
>> Hello listmates,
>>
>> If you were to get full disk encryption for your OpenSuSE (or other Linux) machine - what would you go for?
>
> I have no idea what the question is, but ...
>
> If FDE was available for my laptop, I would consider it.
>
> But my laptop dual boots with XP, so I need to keep that and I suspect FDE would kill XP.

There is an interesting possibility, that is hardware (or firmware) HD encryption. Apparently many (all?) hard disks are capable of encrypting in firmware, in a way transparent to the operating system. As it does not use the CPU (I think) it should also be faster than OS encryption. It is mentioned in man hdparm:

    ATA Security Feature Set

    These switches are DANGEROUS to experiment with, and might not work
    with every kernel. USE AT YOUR OWN RISK.

    --security-help
        Display terse usage info for all of the --security-* flags.

    --security-freeze
        Freeze the drive's security settings. The drive does not accept
        any security commands until next power-on reset. Use this
        function in combination with --security-unlock to protect drive
        from any attempt to set a new password. Can be used standalone,
        too.

    --security-unlock PWD
        Unlock the drive, using password PWD. Password is given as an
        ASCII string and is padded with NULs to reach 32 bytes. The
        applicable drive password is selected with the --user-master
        switch. THIS FEATURE IS EXPERIMENTAL AND NOT WELL TESTED. USE AT
        YOUR OWN RISK.

    --security-set-pass PWD
        Lock the drive, using password PWD (Set Password) (DANGEROUS).
        Password is given as an ASCII string and is padded with NULs to
        reach 32 bytes. The applicable drive password is selected with
        the --user-master switch and the applicable security mode with
        the --security-mode switch. THIS FEATURE IS EXPERIMENTAL AND NOT
        WELL TESTED. USE AT YOUR OWN RISK.

    --security-disable PWD
        Disable drive locking, using password PWD. Password is given as
        an ASCII string and is padded with NULs to reach 32 bytes. The
        applicable drive password is selected with the --user-master
        switch. THIS FEATURE IS EXPERIMENTAL AND NOT WELL TESTED. USE AT
        YOUR OWN RISK.

    --security-erase PWD
        Erase (locked) drive, using password PWD (DANGEROUS). Password
        is given as an ASCII string and is padded with NULs to reach 32
        bytes. The applicable drive password is selected with the
        --user-master switch. THIS FEATURE IS EXPERIMENTAL AND NOT WELL
        TESTED. USE AT YOUR OWN RISK.

    --security-erase-enhanced PWD
        Enhanced erase (locked) drive, using password PWD (DANGEROUS).
        Password is given as an ASCII string and is padded with NULs to
        reach 32 bytes. The applicable drive password is selected with
        the --user-master switch. THIS FEATURE IS EXPERIMENTAL AND NOT
        WELL TESTED. USE AT YOUR OWN RISK.

    --user-master USER
        Specifies which password (user/master) to select. Defaults to
        master. Only useful in combination with --security-unlock,
        --security-set-pass, --security-disable, --security-erase or
        --security-erase-enhanced.
            u   user password
            m   master password
        THIS FEATURE IS EXPERIMENTAL AND NOT WELL TESTED. USE AT YOUR
        OWN RISK.

    --security-mode MODE
        Specifies which security mode (high/maximum) to set. Defaults to
        high. Only useful in combination with --security-set-pass.
            h   high security
            m   maximum security
        THIS FEATURE IS EXPERIMENTAL AND NOT WELL TESTED. USE AT YOUR
        OWN RISK.

Has anybody used this? I think that if this is enabled on a disk needed for booting, it has to be supported by the BIOS, to ask for the password.

-- 
Cheers,
Carlos E. R.
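
Before trying any of the --security-* switches quoted above, it helps to see what state the drive is in. The following is an added example, not part of the original post or of hdparm: a read-only shell helper that summarizes the "Security:" section printed by `hdparm -I`. The function names and the sample text are constructed for illustration, and the section layout (one flag per indented line, optionally prefixed with "not") is an assumption about hdparm's output.

```shell
#!/bin/sh
# Added example: summarize the ATA Security state reported by `hdparm -I`.
# Assumption: the "Security:" section lists one flag per indented line,
# each optionally prefixed with "not".

# Constructed sample text, not captured from a real drive.
SAMPLE_IDENTIFY='Security:
    Master password revision code = 65534
        supported
    not enabled
    not locked
    not frozen
    not expired: security count
        supported: enhanced erase
Logical Unit WWN Device Identifier: 0000000000000000'

# Reads identify text on stdin; prints supported=.. enabled=.. locked=.. frozen=..
ata_security_state() {
    awk '
        BEGIN { s["supported"] = s["enabled"] = s["locked"] = s["frozen"] = "unknown" }
        /^Security:/       { insec = 1; next }
        insec && /^[^ \t]/ { insec = 0 }   # next unindented header ends the section
        insec {
            neg  = ($1 == "not")
            flag = neg ? $2 : $1
            # Exact match only: "supported:" (enhanced erase) and "expired:" are skipped.
            if (flag in s && s[flag] == "unknown") s[flag] = neg ? "no" : "yes"
        }
        END { printf "supported=%s enabled=%s locked=%s frozen=%s\n",
                     s["supported"], s["enabled"], s["locked"], s["frozen"] }
    '
}

# Returns 0 if security settings are frozen or the feature is not reported,
# 1 if security commands (such as setting a password) are still accepted.
ata_security_check() {
    state=$(ata_security_state)
    case "$state" in
        supported=no*|supported=unknown*)
            echo "ATA Security feature set not reported"; return 0 ;;
        *frozen=yes*)
            echo "frozen: security commands rejected until power-on reset"; return 0 ;;
        *enabled=yes*)
            echo "password set, settings not frozen"; return 1 ;;
        *)
            echo "no password set, not frozen: a new password can still be set"; return 1 ;;
    esac
}
```

On a real system the input would come from `hdparm -I /dev/sdX | ata_security_check`, where /dev/sdX is a placeholder for the disk in question.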