
Re: Question related to FDE (Full Disk Encryption) solution under Linux Debian Lenny



On Mon, 24 Jan 2011, Thomas Nguyen Van wrote:
> Our company needs to encrypt hard drives on our machines running under Linux Debian Lenny. 

If you're serious about this, get a real server (HP, IBM, Dell...) with
proper TPM hardware and Linux support.

Then, you'll need to do the (not that easy) work of sealing large ecryptfs
keys using the TPM, probably storing them on internal solid-state memory
(all these servers have internal slots for either SD or USB solid-state
devices).

You will also want to use trusted-grub, and IMA to make sure you're booting
what you should be booting.  Otherwise, someone could just trojan-horse the
bootstrap and ferry out the keys when they're unsealed.

This is not something Debian supports out-of-the-box, you will have a lot of
homework to do.  But it will be secure.

It is possible that some vendors already have TPM-based support for FDE.
That would be less safe than the above, but it would work out-of-the-box.

The only problem is that you'd have to actually trust the FDE implementation
to not be crap.  Embedded device firmware engineers are, as a rule, used to
nobody outside their small division actually being able to see whatever crap
they're embedding, and to get away with pretty much anything INCLUDING
patent and license violations.  You'd have to be an idiot to trust their
code without further proof.  If the keys are stored _anywhere_ by the HD
firmware, the whole thing would be just snake-oil junk.  It would _not_ be
the first time a HD vendor pulled such a trick (the ATA password-based
security feature is quite worthless on a lot of disks out there).

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
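
Why sealed keys need a measured boot chain, as an added example that is not part of the original message: a simplified Python model of TPM 1.2 PCR extension and sealing. `SimTPM`, `boot`, `demo` and the boot component strings are constructed for illustration and are not a real TPM interface.

```python
import hashlib, hmac, os
PCR_SIZE = 20  # TPM 1.2 PCRs hold one SHA-1 digest

class SimTPM:
    """Toy model of PCR extension and sealing (assumption: not a real TPM API)."""
    def __init__(self):
        self._srk = os.urandom(32)  # stands in for the chip-resident storage key
        self.pcr = bytes(PCR_SIZE)  # a PCR is all zeros after reset
    def extend(self, component: bytes) -> None:
        # PCR_new = SHA1(PCR_old || SHA1(component)): order-sensitive, cannot be undone
        self.pcr = hashlib.sha1(self.pcr + hashlib.sha1(component).digest()).digest()
    def _xor(self, nonce: bytes, data: bytes) -> bytes:
        # Toy stream cipher keyed by the chip secret; a real TPM uses its own key hierarchy
        stream = hashlib.shake_256(self._srk + nonce).digest(len(data))
        return bytes(a ^ b for a, b in zip(data, stream))
    def _tag(self, blob: dict) -> bytes:
        msg = blob["pcr"] + blob["nonce"] + blob["ct"]
        return hmac.new(self._srk, msg, hashlib.sha256).digest()
    def seal(self, secret: bytes) -> dict:
        nonce = os.urandom(16)
        blob = {"pcr": self.pcr, "nonce": nonce, "ct": self._xor(nonce, secret)}
        blob["tag"] = self._tag(blob)  # binds the ciphertext to the current PCR value
        return blob
    def unseal(self, blob: dict) -> bytes:
        if not hmac.compare_digest(self._tag(blob), blob["tag"]):
            raise ValueError("blob modified or sealed by a different TPM")
        if not hmac.compare_digest(self.pcr, blob["pcr"]):
            raise PermissionError("PCR mismatch: boot chain differs from sealed state")
        return self._xor(blob["nonce"], blob["ct"])

def boot(tpm: SimTPM, chain: list) -> None:
    tpm.pcr = bytes(PCR_SIZE)  # platform reset
    for component in chain:    # each stage is measured before it runs
        tpm.extend(component)

def demo() -> tuple:
    tpm = SimTPM()
    good = [b"bootloader stage1", b"bootloader stage2", b"kernel", b"initrd"]  # constructed
    boot(tpm, good)
    key = os.urandom(32)  # stands in for the disk encryption key
    blob = tpm.seal(key)
    boot(tpm, good)
    same_chain_ok = tpm.unseal(blob) == key  # unchanged chain: key is released
    boot(tpm, good[:1] + [b"bootloader stage2 (modified)"] + good[2:])
    try:
        tpm.unseal(blob)
    except PermissionError:
        return same_chain_ok, True  # modified chain: key stays sealed
    return same_chain_ok, False

if __name__ == "__main__":
    print(demo())
```

The sealed blob can sit on removable or internal flash because it is useless without both the same chip and the same measured boot sequence.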

