Full Disk Encryption - Xen, Windows and Linux?
Bofh To asks: "I'm in an industry that, more or less, requires full disk encryption, and to accomplish this, we use Pointsec on Windows. For the past 8 years, I've been running Linux on my work laptop, and this is the first time I'm running in a Windows only environment. I am interested in changing that, because I want to use Linux as my main platform, and only drop into Windows when necessary (and use CrossOver if at all possible). I'm also interested in Xen, and would like to see if I can use that to virtualize Windows under Linux. My thought is that, as long as Pointsec is in dom0 and I use virtual disks for the Windows VM, I should be covered. The problem is that I'd also like a machine that is usable, as opposed to waiting endlessly as the virtual memory, virtual machine, Pointsec, and Xen all thrash around while I'm working on the machine. Has anyone used Pointsec for Linux, with Xen?"
I know you asked about people using Pointsec with Linux, but have you considered using the device mapper to do hard disk encryption for you? On my laptop, I have the entire hd encrypted using AES and SHA256, using the kernel's dm-crypt abilities and the cryptsetup program. To do this, you need to have a small partition to boot from that contains the kernel (and an initramfs if you don't build it into the kernel). From there you unencrypt the drive, pivot root, and continue booting. Additionally, if your intent is to run the virtual Windows encrypted, you can use cryptsetup to manage the device or files to keep the Windows files on. There are many good tutorials on using dm-crypt, and they can definitely tell you more than I can easily explain.
The latest version of Debian Stable, codenamed 'Etch', has the ability to set up a fully-encrypted system (except for /boot of course) right from the installer.
It's amazingly simple to use, and great for laptops. (I'm running it on my dual-core laptop)
Check it out: http://www.us.debian.org/CD/
Peace sells, but who's buying?
I'm also interested in Xen, and would like to see if I can use that to virtualize Windows under Linux.
I'm not sure about that, but I'm sure Xen would be a great place to store backups to keep them from prying eyes. Who needs encryption when you have a low-gravity parallel dimension as a safe-deposit box?
The theory of relativity doesn't work right in Arkansas.
Is full disk encryption a good idea? With the operating system within the encrypted partition, it gives a LARGE amount of known plaintext to mount an attack.