09:47 23/08/2006

encryption encryption encryption.

Encryption is one of those things that people consider as overkill until they have a problem that could have been prevented easily.

Let's take a practical example. A few months ago, Marie's mother had a hardware problem on her computer. I was there so I had a quick look and reckoned the motherboard was playing funny games. The computer had been bought from a computer shop and was still under its first year warranty. We took the PC to the shop, explained the problem to the gadgie there and left after being told to come back in a few days. We went back to our own home and Marie logged on to MSN... her mother's account was on-line. In other words, the gadgie had connected the PC to the internet, the password was blank, and the auto-connect settings on Messenger logged her account on when HE logged on.

Of course there are several problems here. The blank password and auto-login are the obvious ones, along with the gadgie's idea of connecting the PC to their internal LAN. But because we gave physical access to the hardware, a login password would not have been a big hurdle for Joe Gadgie to bypass. What are the solutions? We had to give him the PC for maintenance, and we couldn't really take the hard drive out because he was not sure where the problem was, even though I told him. And still we don't trust this guy with our data.

What I want is the ability to provide physical access to somebody for maintenance. The solution is to encrypt the sensitive disks. I will also not have to worry when one of my disks gets a bit shaky, and will be able to just throw it away or give it back to the shop for replacement without worrying about the data on it.

Several tools will encrypt disks or portions of disks under Linux, but the upcoming standard seems to be Linux Unified Key Setup (LUKS). It is the product of one man who also ported the dm-crypt API to the Linux 2.6 kernel.

The Arch Linux wiki has a page for setting up dm-crypt with LUKS and I found it very useful in order to get familiar with the technology. Its main limitation is really that it didn't yet explain how to use keyfiles with LUKS. The official LUKS wiki was very clear, and the main job was really to organise the data in order to empty the first disk. I went a bit crazy on the key size at the beginning with a 2MB key. I was surprised when I couldn't luksFormat a 200 GB hard drive with this key while I could with a 2KB key.

I am now all set with a total of 460GB encrypted with LUKS on my workstation. I have to admit that I have since noticed a slight decrease in performance. It still doesn't compare with what I was expecting and is definitely worth a try.