Re: Hard drive encryption question for dual-boot XP and Fedora

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


I know this thread is aging a bit, but I thought I'd post some comments,
and link to an article I just put online:

The article is titled "Encrypted root on Fedora & CentOS", and shows you
how to encrypt the entire hard drive.  I'll address Windows in my comments

On Mon, Dec 24, 2007 at 01:45:54PM -0600, Kerry Miller wrote:

> My company is requiring us to encrypt the hard drive on all laptops. 
> We've already got some encryption software but it only works with Windows,
> not anything set up to dual boot or anything running VMware.

Pity, as you could use my article to install Fedora, then install Windows
in a VMWare guest under the completely-encrypted Fedora.

At the moment, my laptop is dual-boot Windows XP and Fedora 8.  I've
encrypted Linux according to the article above, and I'm using TrueCrypt
under Windows to keep my documents safe.  I don't use Windows much,
though, so I don't mind that it may occasionally leak some data (since
only the files I store in the encrypted volume are encrypted, not swap

Perhaps you could use a mix of the Windows encryption s/w you have, plus
the technique listed in my article (as long as your Windows encryption s/w
doesn't defeat dual-boot).

On Tue, Dec 25, 2007 at 12:27:18PM -0500, Mail List wrote:

> Knowing all I do today, I would avoid ancrypting root partition - it
> adds little additional security (some yes) but can be problematic if you
> run into  problems (ie cant boot).

True(ish).  While you can encounter problems, I've discovered that System
Rescue CD (eg: v0.4.1) contains LUKS-enabled cryptsetup, and thus can be
used to recover a screwed system, as long as you can still remember the
passphrase, etc.

> Cant speak for F8 but encrypted root on F7 will not work until mkinitd
> is updated

Currently F8 does require patching, but my article includes patches for
those brave enough to try it anyway.

On Tue, Dec 25, 2007 at 11:35:15PM +0000, Alan Cox wrote:

> It isn't just encryption - you'll also need key management. dmcrypt will
> do the encryption side but I would assume your company is requiring key
> escrow as US companies have legal duties to produce data if ordered to
> by a court or similar authority, or to retrieve data if you vanish/fall
> out.  "Dave forgot to tell us the key" isn't considered a good defence
> in court or to the IRS 8)

My article shows how you can use LUKS' multiple-key capability to set up
somewhat useful key management (see the section on using a USB key for
some ideas).

Regards, Msquared...

[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux