On Mon, 24 Jan 2011, Thomas Nguyen Van wrote:
> Our company needs to encrypt hard drives on our machines running under Linux
> Debian Lenny.

If you're serious about this, get a real server (HP, IBM, Dell...) with proper TPM hardware and Linux support. Then, you'll need to do the (not that easy) work of sealing large ecryptfs keys using the TPM, probably storing them on internal solid-state memory (all these servers have internal slots for either SD or USB solid-state devices). You will also want to use trusted-grub, and IMA to make sure you're booting what you should be booting. Otherwise, someone could just trojan-horse the bootstrap and ferry out the keys when they're unsealed.

This is not something Debian supports out-of-the-box; you will have a lot of homework to do. But it will be secure.

It is possible that some vendors already have TPM-based support for FDE. That would be less safe than the above, but it would work out-of-the-box. The only problem is that you'd have to actually trust the FDE implementation to not be crap. Embedded device firmware engineers are, as a rule, used to nobody outside their small division actually being able to see whatever crap they're embedding, and to get away with pretty much anything INCLUDING patent and license violations. You'd have to be an idiot to trust their code without further proof.

If the keys are stored _anywhere_ by the HD firmware, the whole thing would be just snake-oil junk. It would _not_ be the first time a HD vendor pulled such a trick (the ATA password-based security feature is quite worthless on a lot of disks out there).

-- 
"One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot
Henrique Holschuh

Archive: http://lists.debian.org/20110124154419.gb6...@khazad-dum.debian.net
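The reply's core argument is that a key sealed to the TPM's PCR values stays unsealable only if the measured boot chain (BIOS, trusted-grub, kernel, initrd) is unchanged, so a trojaned bootloader cannot recover the ecryptfs key. The following is an added toy model of that seal/unseal policy, written for this page and not code from the original message or from Debian, trusted-grub or any TPM library. It assumes a constructed `srk_secret` standing in for the TPM's storage root key, uses SHA-256 and HMAC from the standard library in place of the TPM 1.2's SHA-1 PCRs and RSA-wrapped blobs, and the boot component names are constructed samples.

```python
"""Toy model of TPM-style sealing against PCR values (constructed, stdlib only).

A real TPM keeps the storage root key inside the chip and enforces the PCR
policy in hardware; here the same logic is modelled in software so the
effect of a tampered boot chain on unsealing can be observed.
"""
import hashlib
import hmac
import os


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend operation: PCR_new = H(PCR_old || H(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Replay a measured boot: each stage extends the PCR before handing off."""
    pcr = bytes(32)  # PCRs start at all-zero on reset
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _wrapping_key(srk_secret: bytes, pcr_digest: bytes) -> bytes:
    """Derive the blob wrapping key from the SRK and the expected PCR state."""
    return hmac.new(srk_secret, b"seal" + pcr_digest, hashlib.sha256).digest()


def _keystream(wrap_key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; stands in for the TPM's asymmetric wrapping."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(wrap_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(srk_secret: bytes, pcr_digest: bytes, secret: bytes) -> dict:
    """Bind `secret` to `pcr_digest`: only that PCR state yields the key."""
    wrap = _wrapping_key(srk_secret, pcr_digest)
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(wrap, nonce, len(secret))))
    tag = hmac.new(wrap, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ciphertext, "tag": tag}


def unseal(srk_secret: bytes, pcr_digest: bytes, blob: dict):
    """Return the secret if the current PCR state matches, else None."""
    wrap = _wrapping_key(srk_secret, pcr_digest)
    expected = hmac.new(wrap, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None  # PCRs differ: wrong wrapping key, tag check fails
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(wrap, blob["nonce"], len(blob["ct"]))))


def demo():
    """Seal an ecryptfs key to a good boot chain, then try a trojaned one."""
    srk_secret = b"constructed-srk-secret"  # assumption: stands in for the TPM SRK
    good_chain = [b"bios-v1", b"trusted-grub-1.1", b"vmlinuz-2.6.26", b"initrd.img"]
    pcr_good = measure_boot(good_chain)

    ecryptfs_key = os.urandom(64)
    blob = seal(srk_secret, pcr_good, ecryptfs_key)  # blob can live on SD/USB

    # Clean boot: PCRs match, key unseals.
    unsealed_ok = unseal(srk_secret, pcr_good, blob) == ecryptfs_key

    # Trojaned bootloader: its measurement changes the PCR chain, so the
    # sealed blob is useless even if an attacker copies it off the SD card.
    tampered_chain = [b"bios-v1", b"trojaned-grub", b"vmlinuz-2.6.26", b"initrd.img"]
    pcr_bad = measure_boot(tampered_chain)
    unseal_blocked = unseal(srk_secret, pcr_bad, blob) is None

    return unsealed_ok, unseal_blocked


if __name__ == "__main__":
    print(demo())
```

Because each stage extends the PCR with its successor before passing control, the measurement is order-sensitive and cannot be "un-extended"; that is what makes sealing to PCRs stronger than merely hiding a key on removable media, and it is why the reply insists on trusted-grub and IMA to measure the chain rather than relying on the drive firmware alone.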