12-28-2007, 04:13 PM
"Alan"

Hard drive encryption question for dual-boot XP and Fedora

> John Summerfield wrote:
>> Tim wrote:
>>> On Fri, 2007-12-28 at 08:05 +0900, John Summerfield wrote:
>>>> I would not defy The Boss, but if he agrees Linux is good for its
>>>> diagnostic tools, then the question becomes "How do we do this?" and a
>>>> USB disk that's encrypted and doesn't carry sensitive data, or even a
>>>> CD/DVD might be part of the answer.
>>>
>>> Surely you'd only need to encrypt that which needs protecting. Network
>>> diagnosis tools don't sound like something that needs it. And if you're
>>> sensible enough to use different passwords, then someone finding out
>>> your logon credentials from an unprotected diagnosis partition can't use
>>> them to logon to the other protected one.
>>>
>>
>> I would not be surprised if the corporate policy is to encrypt
>> everything. That way, there can be no nasty surprises if, accidentally
>> or by carelessness, sensitive data gets stored on the "network
>> diagnostics toolset."
>>
>> For example, the results of running tcpdump or wireshark. Simply erasing
>> the files isn't enough, the space they occupied needs to be overwritten
>> too.
>>
>> A likely sanction for defying such a policy is an invitation to seek
>> employment elsewhere.
>
> Can't you just boot from a CD when you need to do network diagnostics?
> Knoppix has about everything you would be likely to need.

Full drive encryption is a feature being worked on for the next version of
Fedora. Looks promising. Has a few minor bugs to work out before being
"user ready". (Does not seem to work with upgrades quite yet, just clean
installs. I expect that to be fixed pretty quick now.)

Now if they would just build an x86_64 version of the Rawhide respin, I
could test it here...

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
12-28-2007, 08:59 PM
John Summerfield

Hard drive encryption question for dual-boot XP and Fedora

Les Mikesell wrote:

> Can't you just boot from a CD when you need to do network diagnostics?
> Knoppix has about everything you would be likely to need.


usually, but not always[1]. And sometimes one needs to save some data.
And don't use optical rw media.



For most, all this is way more than's necessary. However, if your
datacentre has armed-guard security at the door, then expect a higher
level of care inside too.



I have a near new HP DC7700p SFF desktop. Designed for corporates. No
optical drive or floppy or card reader, though all are options. A
daughter works for a gov't department (not one that deals in money); USB
drivers are forbidden. Another works for an insurance company; I've not
asked, but I figure security would be pretty tight there.


Trust employees as much as you must, but no more.


--

Cheers
John

 
12-28-2007, 09:51 PM
Les Mikesell

Hard drive encryption question for dual-boot XP and Fedora

John Summerfield wrote:

> Les Mikesell wrote:
>
>> Can't you just boot from a CD when you need to do network diagnostics?
>> Knoppix has about everything you would be likely to need.
>
> usually, but not always[1]. And sometimes one needs to save some data.
> And don't use optical rw media.
>
> For most, all this is way more than's necessary. However, if your
> datacentre has armed-guard security at the door, then expect a higher
> level of care inside too.
>
> I have a near new HP DC7700p SFF desktop. Designed for corporates. No
> optical drive or floppy or card reader, though all are options. A
> daughter works for a gov't department (not one that deals in money); USB
> drivers are forbidden. Another works for an insurance company; I've not
> asked, but I figure security would be pretty tight there.
>
> Trust employees as much as you must, but no more.


In that sort of environment I'd expect someone to have dedicated
sniffers and not rely on some free stuff on someone's laptop for network
diagnostics, although wireshark is pretty good - but it runs on windows
anyway.


--
Les Mikesell
lesmikesell@gmail.com

 
01-02-2008, 04:48 PM
Robin Laing

Hard drive encryption question for dual-boot XP and Fedora

Alan wrote:

> Full drive encryption is a feature being worked on for the next version of
> Fedora. Looks promising. Has a few minor bugs to work out before being
> "user ready". (Does not seem to work with upgrades quite yet, just clean
> installs. I expect that to be fixed pretty quick now.)
>
> Now if they would just build an x86_64 version of the Rawhide respin, I
> could test it here...



This is great to hear.

--
Robin Laing

 
01-10-2008, 01:49 PM
Msquared

Hard drive encryption question for dual-boot XP and Fedora

I know this thread is aging a bit, but I thought I'd post some comments,
and link to an article I just put online:

http://www.msquared.id.au/articles/cryptroot/

The article is titled "Encrypted root on Fedora & CentOS", and shows you
how to encrypt the entire hard drive. I'll address Windows in my comments
below...



On Mon, Dec 24, 2007 at 01:45:54PM -0600, Kerry Miller wrote:

> My company is requiring us to encrypt the hard drive on all laptops.
> We've already got some encryption software but it only works with Windows,
> not anything set up to dual boot or anything running VMware.

Pity, as you could use my article to install Fedora, then install Windows
in a VMware guest under the completely-encrypted Fedora.

At the moment, my laptop is dual-boot Windows XP and Fedora 8. I've
encrypted Linux according to the article above, and I'm using TrueCrypt
under Windows to keep my documents safe. I don't use Windows much,
though, so I don't mind that it may occasionally leak some data (since
only the files I store in the encrypted volume are encrypted, not swap
etc).

Perhaps you could use a mix of the Windows encryption s/w you have, plus
the technique listed in my article (as long as your Windows encryption s/w
doesn't defeat dual-boot).


On Tue, Dec 25, 2007 at 12:27:18PM -0500, Mail List wrote:

> Knowing all I do today, I would avoid encrypting root partition - it
> adds little additional security (some yes) but can be problematic if you
> run into problems (i.e. can't boot).

True(ish). While you can encounter problems, I've discovered that System
Rescue CD (eg: v0.4.1) contains LUKS-enabled cryptsetup, and thus can be
used to recover a screwed system, as long as you can still remember the
passphrase, etc.

> Can't speak for F8 but encrypted root on F7 will not work until mkinitrd
> is updated

Currently F8 does require patching, but my article includes patches for
those brave enough to try it anyway.


On Tue, Dec 25, 2007 at 11:35:15PM +0000, Alan Cox wrote:

> It isn't just encryption - you'll also need key management. dmcrypt will
> do the encryption side but I would assume your company is requiring key
> escrow as US companies have legal duties to produce data if ordered to
> by a court or similar authority, or to retrieve data if you vanish/fall
> out. "Dave forgot to tell us the key" isn't considered a good defence
> in court or to the IRS 8)

My article shows how you can use LUKS' multiple-key capability to set up
somewhat useful key management (see the section on using a USB key for
some ideas).


Regards, Msquared...

 
01-10-2008, 02:00 PM
"Robert P. J. Day"

Hard drive encryption question for dual-boot XP and Fedora

On Thu, 10 Jan 2008, Msquared wrote:
...
> True(ish). While you can encounter problems, I've discovered that System
> Rescue CD (eg: v0.4.1) contains LUKS-enabled cryptsetup, and thus can be
> used to recover a screwed system, as long as you can still remember the
> passphrase, etc.

just being pedantic, but there is a version 0.4.2 of that CD:

http://www.sysresccd.org/Download

no idea what the enhancements might be.

rday
--
========================================================================
Robert P. J. Day
Linux Consulting, Training and Annoying Kernel Pedantry
Waterloo, Ontario, CANADA

Home page: http://crashcourse.ca
Fedora Cookbook: http://crashcourse.ca/wiki/index.php/Fedora_Cookbook
========================================================================

 
01-10-2008, 02:05 PM
Msquared

Hard drive encryption question for dual-boot XP and Fedora

On Thu, Jan 10, 2008 at 10:00:20AM -0500, Robert P. J. Day wrote:

> just being pedantic, but there is a version 0.4.2 of that CD:
>
> http://www.sysresccd.org/Download

I just used 0.4.1 as an example because I have a copy sitting within
reach (mostly because I used it while writing my article). I'm not sure
how far back LUKS support goes on that disc, though I will download the
latest now that I know it's there. Thanks for the tip.

Regards, Msquared...
