Re: Hard drive encryption question for dual-boot XP and Fedora

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I know this thread is aging a bit, but I thought I'd post some comments,
and link to an article I just put online:

  http://www.msquared.id.au/articles/cryptroot/

The article is titled "Encrypted root on Fedora & CentOS", and shows you
how to encrypt the entire hard drive.  I'll address Windows in my comments
below...



On Mon, Dec 24, 2007 at 01:45:54PM -0600, Kerry Miller wrote:

> My company is requiring us to encrypt the hard drive on all laptops. 
> We've already got some encryption software but it only works with Windows,
> not anything set up to dual boot or anything running VMware.

Pity, as you could use my article to install Fedora, then install Windows
in a VMWare guest under the completely-encrypted Fedora.

At the moment, my laptop is dual-boot Windows XP and Fedora 8.  I've
encrypted Linux according to the article above, and I'm using TrueCrypt
under Windows to keep my documents safe.  I don't use Windows much,
though, so I don't mind that it may occasionally leak some data (since
only the files I store in the encrypted volume are encrypted, not swap
etc).

Perhaps you could use a mix of the Windows encryption s/w you have, plus
the technique listed in my article (as long as your Windows encryption s/w
doesn't defeat dual-boot).


On Tue, Dec 25, 2007 at 12:27:18PM -0500, Mail List wrote:

> Knowing all I do today, I would avoid ancrypting root partition - it
> adds little additional security (some yes) but can be problematic if you
> run into  problems (ie cant boot).

True(ish).  While you can encounter problems, I've discovered that System
Rescue CD (eg: v0.4.1) contains LUKS-enabled cryptsetup, and thus can be
used to recover a screwed system, as long as you can still remember the
passphrase, etc.

> Cant speak for F8 but encrypted root on F7 will not work until mkinitd
> is updated

Currently F8 does require patching, but my article includes patches for
those brave enough to try it anyway.


On Tue, Dec 25, 2007 at 11:35:15PM +0000, Alan Cox wrote:

> It isn't just encryption - you'll also need key management. dmcrypt will
> do the encryption side but I would assume your company is requiring key
> escrow as US companies have legal duties to produce data if ordered to
> by a court or similar authority, or to retrieve data if you vanish/fall
> out.  "Dave forgot to tell us the key" isn't considered a good defence
> in court or to the IRS 8)

My article shows how you can use LUKS' multiple-key capability to set up
somewhat useful key management (see the section on using a USB key for
some ideas).


Regards, Msquared...

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux