When my eldest son was a freshman in college last year, I sent along a 
Linux laptop that was non-brand, old and somewhat beat up.  As a 
precaution against loss of sensitive information in the unlikely event 
that it was stolen, sensitive information was in encrypted tarballs.

I have since become a fan of mandatory access controls rather than 
discretionary access controls, and I decided to encrypt /home and the 
swap partition for his new (again non-brand, but a mid-range machine 
manufactured by ASUS, with a 3D video chip) laptop he is taking to 
school this year.  I was expecting it to be something of an 
expert-friendly process, but I found it to be surprisingly easy, and it just 
took a couple of hours (the biggest chunk of which was backing up /home 
and restoring it) to configure a laptop, which, if stolen, will require 
the expertise of an organization like the National Security Agency to 
extract the information.*

Now, when the computer boots, /home requires a password to be entered 
before it can be mounted.  An encrypted swap partition is recreated each 
time with a fresh key from /dev/urandom.

It was so straightforward that I have decided to use the same technique 
for all my machines - work laptop, home laptops, and home PCs.  Linux 
has a module (dm_crypt) that allows a mapped virtual device to be 
created.  Access to the virtual device goes through a layer of 
encryption/decryption and then goes to the physical device.  The mapped 
device can be mounted when the key is entered.  Although the physical 
device can be accessed by someone stealing the laptop, it contains an 
encrypted file system whose files are not easily accessed without the key.

This technique can be easily used for VistA on Linux in lieu of 
encrypted databases.  Since it is a straight through layer, rather than 
one with caching, we don't have to worry about losing buffers in the 
event of a crash.

-- Bhaskar

* Had I been concerned about the NSA stealing his laptop, I would have 
written pseudo random data from /dev/urandom or /dev/random onto the 
physical partitions before restoring the contents.  But this would have 
taken several hours, and I felt that a casual thief was more of a 
concern than the NSA.
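
The layout described in the message (a passphrase-unlocked /home and a swap partition re-keyed from /dev/urandom at every boot) is usually declared in /etc/crypttab and /etc/fstab. The following check over those two files is an added example, not part of the original message; it assumes crypttab(5) field order, and every device path, mapping name and key file path in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example: audit crypttab/fstab text for the layout described in the post.
# All device paths, mapping names and key file paths are constructed placeholders.

# audit_disk_crypto CRYPTTAB FSTAB: prints findings, returns 1 if there are any
audit_disk_crypto() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    FILENAME == ARGV[1] {                    # crypttab: name device key options
        mapped["/dev/mapper/" $1] = 1
        if (("," $4 ",") ~ /,swap,/) {
            # a fixed swap key leaves old swap contents readable across boots
            if ($3 != "/dev/urandom" && $3 != "/dev/random") {
                print $1 ": swap key " $3 " is not regenerated at boot"; bad++
            }
        } else if ($3 != "" && $3 != "none" && $3 != "-") {
            # "none" or "-" means the passphrase is typed in at boot
            print $1 ": key file " $3 ", confirm it is not on the same disk"; bad++
        }
        next
    }
    {                                        # fstab: fs mountpoint type ...
        # a raw partition still listed here is used without encryption
        if (($3 == "swap" || $2 == "/home") && !($1 in mapped)) {
            print $1 ": " ($3 == "swap" ? "swap" : $2) " bypasses dm-crypt"; bad++
        }
    }
    END { exit (bad > 0) }
    ' "$1" "$2"
}

# write_samples DIR: constructed good and bad configurations
write_samples() {
    printf '%s\n' '# name    device    key          options' \
        'crypthome /dev/sdX2 none         luks' \
        'cryptswap /dev/sdX3 /dev/urandom swap' > "$1/crypttab.good"
    printf '%s\n' '/dev/mapper/crypthome /home ext4 defaults 0 2' \
        '/dev/mapper/cryptswap none swap sw 0 0' > "$1/fstab.good"
    printf '%s\n' 'crypthome /dev/sdX2 /etc/home.key luks' \
        'cryptswap /dev/sdX3 /etc/swap.key swap' > "$1/crypttab.bad"
    printf '%s\n' '/dev/mapper/crypthome /home ext4 defaults 0 2' \
        '/dev/sdX3 none swap sw 0 0' > "$1/fstab.bad"
}

tmp=$(mktemp -d) && write_samples "$tmp"
audit_disk_crypto "$tmp/crypttab.good" "$tmp/fstab.good" && echo "good: no findings"
audit_disk_crypto "$tmp/crypttab.bad" "$tmp/fstab.bad" || echo "bad: findings above"
```

On a real machine the function would be pointed at /etc/crypttab and /etc/fstab; the last fstab case matters because a leftover raw swap line keeps writing memory pages to disk in the clear.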


 