Re: /boot accessible in plaintext using encrypted LVM



"Markus R." Keßler wrote:

> On Sat, 05 Nov 2011 15:09:04 +0000, Günther Schwarz wrote:
>
>> "Markus R." Keßler wrote:
>>
>>> Is it really impossible at all to set up whole disk encryption in the
>>> way Pointsec does, where there's only one partition with the
>>> en-/decrypter at the beginning?
>>
>> On any Linux system you will have to boot the kernel at some point. Any
>> solution that does an encryption of the whole disk will have to decrypt
>> the kernel and the boot loader first. The most simple way of doing so
>> is to use a hard disk with encryption on the hardware level.
>
> Seagate sells a solution called "self encrypting drive", which en-/
> decrypts data by itself.
>
> It seems to work fine, but the user has to be asked for the password,
> and afterwards it has to be passed to the controller on the HD.
>
> This presupposes support by the BIOS of the box, and the
> "hardware compatibility list" showing the manufacturers and their
> notebooks which are compatible with these disks on Seagate's webpage is
> only a few entries long...

Did you have a look at the Hitachi drives also? These - and probably
Seagate's as well - follow TCG standards for the BIOS interface to the
drive. As far as I understand, any BIOS that offers setting a password for
access to the drive should do the trick.

> In most cases you will have to purchase a new box for this.

I have to admit that I do not have experience with built-in and self-
encrypting drives. But any notebook with Intel's vPro sticker should
work. On consumer hardware one has to live with OS-based solutions like
LUKS (slow and without protection for the boot loader and kernel) or self-
encrypting external drives like the Thinkpad Secure Drive (also slow
unless it is the expensive model with eSATA connector).

Günther
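A quick way to audit the situation the thread is about (a LUKS-on-LVM install whose /boot is still readable in plaintext) is to walk the block-device tree and list every mount point that has no dm-crypt ancestor. The script below is an added example, not code from the list or its participants; it assumes the JSON that util-linux's `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints, and the sample tree it ships with is constructed to mirror the Debian installer's "encrypted LVM" layout.

```python
"""Report mount points that are not backed by a dm-crypt device."""
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` on an "encrypted LVM"
# install: /boot is a plain partition, root and swap sit on LUKS -> LVM.
SAMPLE_LSBLK_JSON = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda5", "type": "part", "mountpoint": null, "children": [
      {"name": "sda5_crypt", "type": "crypt", "mountpoint": null, "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}
      ]}
    ]}
  ]}
]}
"""


def parse_lsblk(text: str) -> dict:
    """Decode lsblk's JSON output into the tree encryption_status() walks."""
    return json.loads(text)


def encryption_status(tree: dict) -> dict:
    """Map each mount point to True when some ancestor device is a dm-crypt target."""
    status = {}

    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        # Older lsblk emits "mountpoint"; util-linux >= 2.37 emits a "mountpoints" list.
        mps = node.get("mountpoints") or [node.get("mountpoint")]
        for mp in mps:
            if mp:
                status[mp] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for dev in tree["blockdevices"]:
        walk(dev, False)
    return status


def plaintext_mounts(tree: dict) -> list:
    """Mount points readable without any passphrase, sorted for stable output."""
    return sorted(mp for mp, enc in encryption_status(tree).items() if not enc)


def live_status() -> dict:
    """Run the same check against the running system (needs util-linux's lsblk)."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return encryption_status(parse_lsblk(out))


if __name__ == "__main__":
    for mp in plaintext_mounts(parse_lsblk(SAMPLE_LSBLK_JSON)):
        print(f"{mp}: not on dm-crypt")  # sample prints "/boot: not on dm-crypt"
```

Replace the sample with `live_status()` on a real machine; anything listed besides /boot (and, where applicable, the EFI system partition) is worth a second look.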