I know this thread is aging a bit, but I thought I'd post some comments, and link to an article I just put online: http://www.msquared.id.au/articles/cryptroot/ The article is titled "Encrypted root on Fedora & CentOS", and shows you how to encrypt the entire hard drive. I'll address Windows in my comments below... On Mon, Dec 24, 2007 at 01:45:54PM -0600, Kerry Miller wrote: > My company is requiring us to encrypt the hard drive on all laptops. > We've already got some encryption software but it only works with Windows, > not anything set up to dual boot or anything running VMware. Pity, as you could use my article to install Fedora, then install Windows in a VMWare guest under the completely-encrypted Fedora. At the moment, my laptop is dual-boot Windows XP and Fedora 8. I've encrypted Linux according to the article above, and I'm using TrueCrypt under Windows to keep my documents safe. I don't use Windows much, though, so I don't mind that it may occasionally leak some data (since only the files I store in the encrypted volume are encrypted, not swap etc). Perhaps you could use a mix of the Windows encryption s/w you have, plus the technique listed in my article (as long as your Windows encryption s/w doesn't defeat dual-boot). On Tue, Dec 25, 2007 at 12:27:18PM -0500, Mail List wrote: > Knowing all I do today, I would avoid ancrypting root partition - it > adds little additional security (some yes) but can be problematic if you > run into problems (ie cant boot). True(ish). While you can encounter problems, I've discovered that System Rescue CD (eg: v0.4.1) contains LUKS-enabled cryptsetup, and thus can be used to recover a screwed system, as long as you can still remember the passphrase, etc. > Cant speak for F8 but encrypted root on F7 will not work until mkinitd > is updated Currently F8 does require patching, but my article includes patches for those brave enough to try it anyway. On Tue, Dec 25, 2007 at 11:35:15PM +0000, Alan Cox wrote: > It isn't just encryption - you'll also need key management. dmcrypt will > do the encryption side but I would assume your company is requiring key > escrow as US companies have legal duties to produce data if ordered to > by a court or similar authority, or to retrieve data if you vanish/fall > out. "Dave forgot to tell us the key" isn't considered a good defence > in court or to the IRS 8) My article shows how you can use LUKS' multiple-key capability to set up somewhat useful key management (see the section on using a USB key for some ideas). Regards, Msquared...
