Re: Whole disk encryption

Thanks everyone for your responses!

I agree with the virtual partition instead of whole-disk. It is my understanding that in the virtual partition, the files will remain encrypted until you open them, thus also protecting them from the network. Whole-disk will decrypt everything after you enter the password on boot-up.


At 10:35 PM 8/24/2006, you wrote:
Hi Sarah,
hi group,

as a security auditor and consultant I normally suggest
(1) to implement as much security as available, but no more security than really needed.
The need should follow an individual risk classification of all IT assets / data of a company.

It doesn't make sense to encrypt a folder/partition with non-critical data on it.
But it really makes sense to encrypt folders/partitions of sensitive data (e.g. internal strategics/business plans, internal financial statements, company secrets, ...).

Every time you encrypt / decrypt a file, folder or partition you will have
- file access to the harddisk,
- processor load,
- memory access
- ...
This influences the performance of each system. On some systems more significant than on others.

So on company-wide file servers, an encrypted partition should exist, where people have to store their classified files aligned to their given rights and according to the company security policy / risk classification.
On mobile devices people should have an encrypted directory or partition, which is access-protected by password or comparable methods and can be mounted (dismounted) when needed (not needed), and there they have to store their classified files according to the company security policy / risk classification.

This strategy follows the given suggestion (1).

Ok. When influenced by really great paranoia, a company also can create a policy that all HDDs need to be encrypted. But this is part of the same category, like prohibiting the connection of any hardware to any network. ;-)


>Sarah wrote:
>What is the consensus of the group on the use of whole disk encryption in an enterprise environment?

Sarah Felske
Server Administrator
Information Technology Service
Bowling Green State University

