When my eldest son was a freshman in college last year, I sent along a Linux laptop that was non-brand, old and somewhat beat up. As a precaution against loss of sensitive information in the unlikely event that it was stolen, sensitive information was in encrypted tarballs.
I have since become a fan of mandatory access controls rather than discretionary access controls, and I decided to encrypt /home and the swap partition for his new (again non-brand, but a mid range machine manufactured by ASUS, with a 3D video chip) laptop he is taking to school this year. I was expecting it to be a something of an expert friendly process, but I found it to be surprisingly easy, and it just took a couple of hours (the biggest chunk of which was backing up /home and restoring it) to configure a laptop, which, if stolen, will require the expertise of an organization like the National Security Agency to extract the information.* Now, when the computer boots, /home requires a password to be entered before it can be mounted. An encrypted swap partition is recreated each time with a fresh key from /dev/urandom. It was so straightforward that I have decided to use the same technique for all my machines - work laptop, home laptops, and home PCs. Linux has a module (dm_crypt) that allows a mapped virtual device to be created. Access to the virtual device goes through a layer of encryption/decryption and then goes to the physical device. The mapped device can be mounted when the key is entered. Although the physical device can be accessed by someone stealing the laptop, it contains an encrypted file system whose files are not easily accessed without the key. This technique can be easily used for VistA on Linux in lieu of encrypted databases. Since it is a straight through layer, rather than one with caching, we don't have to worry about losing buffers in the event of a crash. -- Bhaskar * Had I been concerned about the NSA stealing his laptop, I would have written pseudo random data from /dev/urandom or /dev/random onto the physical partitions before restoring the contents. But this would have taken several hours, and I felt that a casual thief was more of a concern than the NSA. Yahoo! Groups Links <*> To visit your group on the web, go to: http://groups.yahoo.com/group/openhealth/ <*> Your email settings: Individual Email | Traditional <*> To change settings online go to: http://groups.yahoo.com/group/openhealth/join (Yahoo! ID required) <*> To change settings via email: mailto:[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] <*> To unsubscribe from this group, send an email to: [EMAIL PROTECTED] <*> Your use of Yahoo! Groups is subject to: http://docs.yahoo.com/info/terms/