Slashdot Mirror


Full Disk Encryption - Xen, Windows and Linux?

Bofh To asks: "I'm in an industry that, more or less, requires full disk encryption, and to accomplish this, we use Pointsec on Windows. For the past 8 years, I've been running Linux on my work laptop, and this is the first time I'm running in a Windows-only environment. I am interested in changing that, because I want to use Linux as my main platform, and only drop into Windows when necessary (and use CrossOver if at all possible). I'm also interested in Xen, and would like to see if I can use that to virtualize Windows under Linux. My thought is that, as long as Pointsec is in dom0 and I use virtual disks for the Windows VM, I should be covered. The problem is that I'd also like a machine that is usable, as opposed to waiting endlessly as the virtual memory, virtual machine, Pointsec, and Xen all thrash around while I'm working on the machine. Has anyone used Pointsec for Linux, with Xen?"

15 of 49 comments

  1. Look at dm-crypt by Cheeziologist · · Score: 4, Informative

    I know you asked about people using pointsec with Linux, but have you considered using the device mapper to do hard disk encryption for you? On my laptop, I have the entire hd encrypted using aes and sha256, using the kernel's dm-crypt abilities and the cryptsetup program. To do this, you need to have a small partition to boot from that contains the kernel (and an initramfs if you don't build it into the kernel). From there you unencrypt the drive, pivot root, and continue booting. Additionally, if your intent is to run the virtual windows encrypted, you can use cryptsetup to manage the device or files to keep the windows files on. There are many good tutorials on using dm-crypt, and they can definitely tell you more than I can easily explain.

    1. Re:Look at dm-crypt by phrasebook · · Score: 2, Interesting

      How's the performance of dm-crypt for you?

      I use it on my swap and /home partitions on my laptop, but when doing heavy writing to the disk, the whole machine locks up for 1 or 2 seconds at a time - no mouse movement, no sound, no cursor - then it resumes. These freezes occur every 10 seconds or so as data gets flushed out to the disk.

      Normal reading/writing load is ok, but doing something like an rsync backup kills responsiveness.

      It seems to get a bit better if I renice kcryptd and kjournald. Any experience with this yourself?

    2. Re:Look at dm-crypt by rjforster · · Score: 4, Informative

      Not knowing the exact details of the requirement, but Pointsec is FULL disk encryption. This matters.

      To the original poster:
      I think this is one of those 'suck it and see' situations. Processors are getting faster all the time. Disks are getting faster too, especially solid state drives. So the trade offs between different performance areas are changing all the time. Eg today you might notice the crypto delays, tomorrow you might not because you essentially have a dedicated core doing disk crypto.

      Last year I ran tests with Pointsec for a different situation and it was pretty good with a flash drive. Not _quite_ as good as a FDE competitor but not far off. This wasn't on a fancy new laptop with decent dual core processor either. For these tests I got a free eval copy of Pointsec. They were nice, helpful guys when I spoke with them, perhaps you could get an eval copy too.

      Another alternative is a hardware solution such as Flagstone from Stonewood. Full hard drive speed and full OS compatibility.

    3. Re:Look at dm-crypt by Jah-Wren Ryel · · Score: 2, Informative

      I use it on my swap and /home partitions on my laptop, but when doing heavy writing to the disk, the whole machine locks up for 1 or 2 seconds at a time - no mouse movement, no sound, no cursor - then it resumes. These freezes occur every 10 seconds or so as data gets flushed out to the disk.
      From the dm-crypt faq:
      Q: My system hangs for some time in regular intervals when writing to encrypted disks.
      A: You are probably using Linux 2.6.4. Due to the introduction of kthread pdflush is running at nice level -10, which means that the kernel treats dm-crypt writes as a real time task and doesn't allow scheduling.
      Solution: Switch to 2.6.5 or later or renice pdflush manually.

      --
      When information is power, privacy is freedom.
    4. Re:Look at dm-crypt by swillden · · Score: 4, Informative

      Not knowing the exact details of the requirement, but Pointsec is FULL disk encryption. This matters.

      As is the proposed dm-crypt configuration. In both cases you have a small unencrypted boot section containing no sensitive data and everything else is encrypted.

      The only difference from a security perspective is that you can't audit Pointsec.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re:Look at dm-crypt by mangu · · Score: 2, Informative

      This "plain text" partition isn't text at all, it's just a set of routines to load enough decryption software into the system to use the rest of the disk. There's no sensitive data there because it's all public software anyhow.

    6. Re:Look at dm-crypt by swillden · · Score: 2, Interesting

      With Pointsec only the MBR plus a couple of other sectors are unencrypted. There is no small partition in plain text which is what I understand dm-crypt to be. Please correct me if I'm wrong.

      You're correct, but the difference is irrelevant: it doesn't matter if it's a few KB or a few MB that is unencrypted, the key is that all of the functional system and its data is encrypted, including all swap.

      Actually, dm-crypt and Linux can do one thing that Pointsec, AFAIK, does not do, which is to take advantage of a TPM-enabled machine. Given a TPM, TPM-enabled BIOS, TPM-enabled GRUB and Linux kernel, you can bind a portion of the master decryption key to the boot state, ensuring that any attempt to modify the unencrypted portions of the data will simply render the system unbootable. I could have overlooked the TPM support in Pointsec, of course. Please correct me if I did.

      Not to mention the fact that for the really paranoid an OSS solution offers auditability that no closed-source solution can match.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  2. looking forward to replies on this one by Cybersonic · · Score: 2, Interesting

    I have not tried out Pointsec yet, but it's a solution my company sells so I should learn it :) I certified myself in PGP, which unfortunately does not support full disk encryption on Linux, just Windows and soon OSX... It also does not support dual boot on Windows. (it's a shim into ntloader - but after the actual boot loader the 'pgp' os which asks for the decryption key during boot is Linux, so I KNOW they have Linux expertise...)

    I kind of like the roll your own approach to the Linux full disk encryption scenario, but most large organizations balk at anything that's not a commercial solution.

    --
    Cybie! aka Ralph Bonnell
  3. Debian's new installer is spiffy by deftcoder · · Score: 4, Informative

    The latest version of Debian Stable, codenamed 'Etch', has the ability to set up a fully-encrypted system (except for /boot of course) right from the installer.

    It's amazingly simple to use, and great for laptops. (I'm running it on my dual-core laptop)

    Check it out: http://www.us.debian.org/CD/

    --
    Peace sells, but who's buying?
    1. Re:Debian's new installer is spiffy by kestasjk · · Score: 2, Interesting
      I thought I covered this when I said

      if it gets it from somewhere else but it is read by the kernel in /boot that's also no good because the kernel could be replaced. If you're protecting against theft having an unencrypted kernel read the password is fine. But if you're protecting against theft why bother with full disk encryption; why not just encrypt specific files or use a virtual encrypted drive like TrueCrypt?

      The main reason for full disk encryption instead of alternatives is that it makes it impossible to modify any part of the operating system while the machine is offline; so you can have a system running in an insecure environment, and no-one can power it off and steal your hashes or change things around because everything on the disk is encrypted.

      Now if the machine can be powered off and the kernel can be modified it can be modified to save the password you entered, or simply rootkitted. If you're going to allow that why not just encrypt the specific files/directories you want to protect?

      If you keep the kernel separate (eg on a CD or thumbdrive that you keep with you), and you actually mean full disk encryption when you say full disk encryption, an attacker would have to modify the hardware in the machine. If it was a desktop machine they might add a keylogger, or if it was a server they might replace the BIOS, but it would have to be a more determined and experienced attacker than someone simply swapping out your HDD and modifying your kernel.
      --
      // MD_Update(&m,buf,j);
  4. These questions always make me smile... by Anonymous Coward · · Score: 2, Insightful

    I always find these types of "Ask Slashdot" amusing. People ask about what security product to use in their enterprise, how it will work with Linux etc etc. All perfectly valid questions, but utterly pointless in a corporate context because guess what? It's the Information Security Policy (& CISO) which will dictate who can and can't authorise new encryption products, changes to production environments, installation of non-standard baseline software (and the list goes on & on). If the OP really does work in an industry where disk encryption is needed (I'm going to take a wild stab in the dark and say s/he's probably in healthcare where HIPAA is concerned, maybe within a financial environment for GLBA/SOX, but even then it's a complex minefield of compensating controls and regulations which don't actually *require* encryption), then s/he should be consulting the Information Security Officer for advice, not asking Slashdot and lining themselves up for being fired for breaching policy.

    1. Re:These questions always make me smile... by hey! · · Score: 2, Insightful

      Probably a large one.

      If you're talking a thousand or so employees or less, you have about a dozen or so IT guys, so you head over to where they take lunch and you shoot the shit with them, and they can probably agree it would be cool to look at solution X on Linux.

      If you're talking an outfit with a thousand or so IT guys, then the answers are likely to be preprogrammed unless you can get to somebody high enough. Even then they're going to be more interested in keeping their headaches minimized than making a single user happy.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  5. gordon freeman approves... by User 956 · · Score: 4, Funny

    I'm also interested in Xen, and would like to see if I can use that to virtualize Windows under Linux.

    I'm not sure about that, but I'm sure Xen would be a great place to store backups to keep them from prying eyes. Who needs encryption when you have a low-gravity parallel dimension as a safe-deposit box?

    --
    The theory of relativity doesn't work right in Arkansas.
  6. Have you considered Pointsec on Linux? by swillden · · Score: 2, Informative

    They have a Linux version. Then your virtualized Windows image will also be encrypted. BTW, for virtualizing Windows, I'd recommend you get a copy of VMWare, rather than using Xen. The open source virtualization tools are coming along, but at this point in time VMWare will perform much better.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  7. Known plaintext attack on encryption by Anonymous Coward · · Score: 3, Interesting

    Is full disk encryption a good idea? With the operating system within the encrypted partition, it gives a LARGE amount of known plaintext to mount an attack.