Disk/Partition encryption

Nifty Fedora Mitch niftyfedora at niftyegg.com
Tue Sep 22 18:49:17 UTC 2009


On Fri, Sep 18, 2009 at 12:19:46PM -0500, Michael Cronenworth wrote:
> Weiner, Michael on 09/18/2009 12:03 PM wrote:
> >  Has anyone here done this? 
> 
> You can only use a FUSE-like encryption method on a live system. If you
> want to use dm-crypt/LUKS you have to reformat.
> 
> eCryptFS is one such option. You create a "Private" directory in your
> home and anything stored in there is encrypted.
> 

Get a backup disk, one that can be locked up, make a backup in a way
that you understand and can verify and then reinstall the laptop fully
encrypted.  Then move the data from the backup onto the now encrypted
laptop.

There is a move afoot that if the laptop/disk is fully and well
encrypted then the organization might be exempt from reporting in a
public way the loss of a disk or laptop.  Also with a "well encrypted"
policy some related liability issues might look better to those that
have to insure the company.

Once the laptop is fully tested make an encrypted backup.  If you have
a super special certified safe in your office you may be able to keep the
backup in it and skip the encrypted backup but I would not; backup disks
have legs.

In the context of a move to encryption the company does need a key repository policy.
They can make the decision that nothing on a laptop is important; the policy
should map to backup strategies but that is another policy tangle.

A private directory or FUSE-like method does not "guarantee" that you did
not leave a copy of the sensitive data on another part of the system, so
encrypt the full disk.  It does however make sense if you have "personal"
data on the laptop.  An encrypted virtual file system for family photos,
personal MP3s, whatever gives you a way to draw a line at some time
in the future when the laptop reverts to the company.  You may not
be in a position to get it back but "they" are not in a position to look
and leer at photos of your wife and family, health insurance claims or
electronic pay stubs (think some random IT numbnuts or contractor).

If this involves converting multiple laptops look at something faster than
USB or multiple backup boxes.


-- 
	T o m  M i t c h e l l 
	Found me a new hat, now what?



