Classification: UNCLASSIFIED

I've used AES before. Came on a disk, popped it in, self started and asked me to supply a password (initial setup stuff), about 3 hours later I had an encrypted hard disk. This was for my corp laptop though, I don't use it on my home Debian laptop.

My current work desktop had encryption also that uses the CAC cert to encrypt. I don't know the name though as it is all managed from the ivory tower folks in the IT shop. It works well from the user standpoint right up to the point where your CAC cert expires. You then get a take your new CAC and a live chicken to our provisioners. There is a blood sacrifice and some internet wizard stuff that goes on then a guy/gal has to touch your desktop and type in the "magic text" in the (horror of horrors) command prompt (Yes martha it is winders vista). About an hour later your disk is encrypted with the new cert.

What is the situation that is calling for a "data at rest" encryption solution?

Bill

SOF Imperative #8 Apply capabilities indirectly
William Roosa
MAJ, SF
703-268-8311 (cell)
703-545-1509 (w)
william-roosa@xxxxxxxxxxx
De Oppreso Liber
ﺗﺤﺭﻴﺮ ﺁﻞ مضطهدﻴﻦ

On 03/28/12, "C.J. Adams-Collier KF7BMP" <cjac@xxxxxxxxxxxxxxx> wrote:
> Hey there Dale & List,
>
> I believe Ryan and Bill (CC'd) are using AES full disk crypto on their
> systems. It seems complicated to me, but they can probably give you
> tips. I think Bill is using Debian and Ryan is using Arch. Bill's
> (DISA's) policies are pretty strict and probably require that his smart
> card be inserted at boot time. Ryan's history administering the
> intranet for a company in the medical field has set his bar probably
> higher than DISA's in many ways, but may not require that the physical
> token be inserted at boot.
>
> Cheers && 73,
>
> C.J.
>
> On Wed, 2012-03-28 at 13:17 +0100, Dale Amon wrote:
> > Been away from the list for awhile and you went
> > and moved the list on me!
> >
> > Yesterday I pulled out my notes from the last time
> > I set up a crypto disk and found that basically,
> > nothing worked.
> >
> > The losetup lists all the appropriate crypto types
> > in its Man page but when I try to actually use AES256,
> > it throws a fit. When I look in modules for the
> > current kernel, I do not see a module for aes at all.
> >
> > I might also note that I was surprised to find the -k
> > switch for specifying key size is gone.
> >
> > I tried downloading a package with aes in it, but it
> > turns out to require local build. So... I tried that.
> >
> > I discovered that the module failed to declare kpkg
> > as a prerequisite. I eventually figured that error out
> > and selected it manually.
> >
> > And then I tried everything I could think of short of
> > going 'all the way in': I tried module-assistant; I
> > tried m-a; I tried the commands from the INSTALL file
> > one at a time. All of them failed.
> >
> > This is just SOOooo 1999... aren't things supposed to
> > get better with time? ;-)
> >
> > I would be happy to supply any information required
> > or to run a few tests in between other work. Test
> > server is an ancient (perhaps 2003) box with Ubuntu
> > Oneiric, fully up to date.
> >
> > If I want to use something like this for a production
> > environment, it has to be solid and update and work
> > forever into the future.
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > More majordomo info at http://vger.kernel.org/majordomo-info.html