[SOLVED] full disk encryption

Hi,
I have bought myself a new laptop and I want to install Arch with full disk encryption on it. I tried to do the installation in a virtual machine to see how it works. I have followed the wiki (installation guide and LUKS).
My setup:
/dev/sda1 unencrypted /boot
/dev/sda2 encrypted /
/dev/sda5 encrypted /home
/dev/sda6 encrypted swap
mkinitcpio.conf: HOOKS="base udev autodetect pata scsi  sata encrypt filesystems usbinput fsck"
syslinux.cfg: APPEND cryptdevice=/dev/sda2:cryptroot root=/dev/mapper/cryptroot ro
fstab: /dev/mapper/cryptroot    /     ext4    rw,relatime,data=ordered      0  2
After reboot I got these messages: scrot
Any idea what I have forgotten or done wrong?
Thanks
Last edited by tlamer (2012-11-13 13:06:28)

Lero wrote:
I'm no expert on those things, although I have to ask whether you used LVM along with LUKS?
According to the wiki https://wiki.archlinux.org/index.php/Dm … _LVM_setup, for a volume to mount early in the boot process you have to add the "lvm2" hook in mkinitcpio.conf.
You need to add lvm2 only if you use LVM on LUKS or vice versa. I did not use LVM, so it wasn't necessary for me...
Anyway... this thread won't be very useful... can I delete it?
Last edited by tlamer (2012-11-13 13:08:57)

Similar Messages

  • [SOLVED] full disk encryption uefi motherboard question about /boot

    I'm a little confused. I got a new PC and I'll be installing in the UEFI manner with LVM on LUKS, with the EFI system partition having the kernel and initramfs copied over. Will that completely serve as my boot partition, or do I still need an unencrypted /boot?
    Last edited by haVok1701 (2013-05-09 23:53:38)

    re: Using an ESP that's separate from /boot:
    WonderWoofy wrote: The only time this makes sense is if you are using something that can actually read the /boot partition (that is ext{2,3,4}, btrfs, etc.).  I think that all the UEFI bootloaders can do this, and of the boot managers rEFInd can do this as well.
    The capabilities of boot managers and boot loaders are more complex than this:
    The ELILO boot loader relies on the EFI to read the kernel and initrd file. Normally, this means that they must reside on a FAT partition (usually the ESP), although if some other tool has loaded an EFI filesystem driver, that filesystem can be used. The ELILO documentation refers to a capability to read kernels from something other than ELILO's partition, but I've never figured out how to get that to work. (The documentation doesn't say how to specify another partition -- a frustrating omission.)
    Fedora's patched GRUB Legacy boot loader has built-in drivers that enable it to read ext2/3/4fs, ReiserFS, XFS, JFS, and I believe Btrfs, as well as several non-Linux filesystems (I think these include FAT, HFS+, and ISO-9660, but I'm not positive of that). It can't handle LVM, RAID, or encrypted setups, though.
    The GRUB 2 boot loader can read everything that GRUB 2 can, plus LVM and RAID setups. I'm not sure about encryption, offhand.
    The kernel's EFI stub loader relies on the firmware to read its initrd file, and so can read whatever the firmware can read -- just FAT by default, but this can be extended via an EFI driver.
    The gummiboot boot manager relies on the EFI to read the kernel, and gummiboot provides no means to launch drivers. It's also restricted to reading files from the partition from which it was launched. Thus, as a practical matter, gummiboot works only if the kernel is on the ESP, or at least on a FAT partition, or HFS+ on a Mac. (It's possible to rig up a system in which rEFIt or rEFInd launches gummiboot from a non-FAT partition, but that's overly-complex, IMHO.)
    The rEFInd boot manager relies on the EFI to read the kernel. Unlike most other tools, though, rEFInd can launch EFI drivers prior to scanning filesystems. It can also launch kernels from any partition that the EFI can read. rEFInd ships with drivers for ext2/3fs, ext4fs, ReiserFS, HFS+, and ISO-9660, but not for XFS, JFS, or Btrfs. If you find or write another EFI filesystem driver, rEFInd could launch it. AFAIK, there are no EFI drivers for LVM, RAID, or Linux encryption systems. Thus, as a practical matter, rEFInd can launch kernels stored on the most popular Linux filesystems, but not from LVM, RAID, or encrypted partitions.
    The rEFIt boot manager (rEFInd's predecessor) is not ideal for launching Linux kernels directly, although it can be done if you jump through enough hoops. It comes with ext2/3fs and ReiserFS drivers, but not the other drivers that rEFInd supports. (You could use rEFInd's drivers with rEFIt, though.) It can launch a boot loader from any partition that the EFI can read.
    I realize that's a lot of detail to take in, and it makes it impossible to draw broad conclusions about filesystem support of boot loaders vs. boot managers. Instead, though, I'd say that they can be ordered, from most flexible to least flexible, as: GRUB 2, GRUB Legacy, rEFInd, rEFIt, ELILO, and finally gummiboot.

  • X220 SSD Drive w/Full Disk Encryption (FDE), Intel 320 or others

    Does anyone have experience or recommendations regarding installing an SSD with Full Disk Encryption for the X220?

    I have a 300GB Intel 320 which I installed it myself (cloned the factory install using Acronis). No mSATA drive.
    Hope this helps!
    I don't work for Lenovo. I'm a crazy volunteer!

  • Full Disk Encryption HP TM2T

    Can anyone recommend a full disk encryption software package that won't hang my machine? I tried using Truecrypt v6.3a to encrypt my Windows 7 x64 HP TM2T laptop and I nearly lost everything. After encryption it just hung at the boot screen where it shows the HP logo. Someone said it was a conflict with the Intel Dual processor.
    Anyway, has anyone had any luck with full disk encryption?
    Thanks!

    Hi,
    I have exactly the same problem. How did you solve this? I can't do anything as my computer is totally locked.

  • Cisco Agent Desktop / Supervisor Desktop Issue with Full Disk Encryption

    Has anyone had any issues related to running Cisco Agent Desktop or Cisco Supervisor Desktop on a machine running full disk encryption?  Our desktop team installed full disk encryption software from Check Point, and it seems to be causing some issues with call monitoring, screen pops via workflow and connectivity to the UCCX server.  It's not affecting every machine (that we know of), but the fix for us right now is to provide a desktop without the encryption software.  I'm just wondering if this is related to us, or if there is any supporting documentation out there?
    Any help is appreciated.

    CAD for IPCCX v4 does not support windows 7. See compatibility matrix:
    http://www.cisco.com/en/US/docs/voice_ip_comm/cust_contact/contact_center/crs/express_compatibility/matrix/crscomtx.pdf
    In my experience if you already have CAD installed and you upgrade the OS (without a fresh rebuild) CAD will work - but it is NOT supported. You should test this though.
    You will not be able to install the older version of CAD on windows 7, the installer will give you errors.
    Brian
    please rate helpful posts

  • Need 256 Bit AES Full Disk Encryption for a Mac.  The other discussions regarding this issue are very old.  Does anyone have any current advice regarding encryption software?

    Does anyone have any advice regarding 256 bit full disk encryption software for Macs?  The other discussions on the topic are years old, so I would like some current input.  Thanks for your help in advance.

    Depending on your Mac, you might not want to upgrade to OS X 10.7 or 10.8 as it will not run the PowerPC based software you're currently using, costing a bundle to replace it all; also they will slow down your machine if it's not a more recent issue. You don't want to upgrade OS X without AppleCare defending your possibly bricked logicboard, that's for sure.
    Filevault encrypts the boot drive, however in doing so makes it near impossible to fix if you have a software issue and need to recover files directly or by using specialty software. Also it robs the machine of performance even more than the Lions do. So you will really need a SSD to work best with 10.7/10.8 and Filevault, then it has to be freshly installed. Filevault needs 50% free space on the boot drive, then it's going to write to the slower 50% half of the hard drive where performance is terrible compared to the first 50%.
    Also Filevault is cracked under certain conditions, and if someone gets their hands on the machine (like the law) and knows what they are doing.
    If you take your Filevaulted machine to Apple to fix, they are going to require the password to fix the machine obviously.
    Software based encryption is vulnerable; you might want to instead place your sensitive data on external self-encrypting hardware that doesn't rely upon software or computer hacks/bypasses (like freezing the RAM) to get to it.
    http://www.datalocker.com/products/datalocker-dl3.html
    Iron Keys for portable USB self encryption, both work with any computer, so you're not locked into one platform.
    With the sensitive data off the computer and on an external device, there is the option of removing, hiding and securing the device. If used with a computer that's never connected to the Internet, it's safe from snoopers, except from a surveillance van parked outside your door.

  • Full disk encryption for the Mac ?

    I desperately require a security measure against data compromise in the event of a physical theft of one of my Macs.
    Is there some full disk encryption solution, similar to the TrueCrypt solution for Windows, that can work with a Mac? (TrueCrypt works on Mac but not its feature of full disk encryption)
    Any other ideas on reinforcing security in such physical theft incidents?
    Thanks!

    Visited http://www.macintouch.com/
    PGP Corporation is now shipping PGP Desktop 9.9 for Mac OS X, a major update of the encryption software. Highlights of this release include full support for pre-boot authentication, full support for external drives (including the sharing of Whole Disk Encrypted thumb drives between Mac and Windows clients), use of the FIPS 140-2 validated PGP SDK for cryptographic operations,
    http://www.pgp.com/

  • Winmagic Securedoc and New Macbook Pro for Full Disk Encryption (FDE)

    Hi, I wonder if anyone had any experience with this. I've installed a seagate Momentus FDE drive (...421 series) on my new macbook pro and tried installing Winmagic securedoc to manage full disk encryption. It seems that despite all their recommendations re: hibernatemode and lidwake and sleep vs hibernation, the MBP crashes when I close the lid and then awaken it (by opening and pressing the power button). It cannot be awakened via an external keyboard either. Note that both hibernate and sleep work fine without securedoc. As securedoc appears to be the only viable FDE solution, I'd really like to get it working. Has anyone had any luck getting it to work with the new MBPs?

    PGP is another alternative as I have used it for the past few years on all of my Macbook Pros. I also own SecureDoc but have not installed it on the new Macbook yet.
    I do know that PGP disables hibernate during the install as it can cause problems.

  • Request To Blackberry: Full-Disk Encryption

    The current encryption option for the SD card encrypts ONLY the data contents, and NOT the full structure of the filesystem. 
    As it stands right now, pulling an encrypted SD card from the Z-10 and inserting it into a Windows machine divulges the entire filesystem structure with names and modification dates intact.  The data itself is encrypted and the file size padded out to the next 4k size, which appears to be the block size of the encryption system.
    While this prevents Windows from considering the card "unformatted" and thus randomly offering to destroy it with a single click (which it would otherwise do), the file names, mod times and sizes confer quite a bit of information to a hostile party who comes into possession of the device and its memory card.
    Having the choice of that not being the case (as is true for full-disk encryption on FreeBSD and other systems such as TrueCrypt) would be nice, even though it does come with a greater risk of accidental destruction should you insert the card into some other device by accident.
    Market Information? Come read The Market Ticker!


  • Anyone using SecureDoc Full-Disk Encryption for Mac from WinMagic?

    Currently I am using Mac OS X v10.5 on a MBP and want to upgrade to Snow Leopard. I use PGP full disk encryption.
    I do not want to wait anymore for PGP v10 before I can upgrade to Snow Leopard. In my search for a replacement for PGP I found SecureDoc Full-Disk Encryption for Mac from WinMagic.
    https://www.winmagic.com/products/full-disk-encryption-for-mac
    They claim to be Snow Leopard compatible
    https://www.winmagic.com/kw/download.php?url=/datasheets/securedocmac_brochure20090925a.pdf
    I have two questions:
    1) Does anyone have experience with SecureDoc Full-Disk Encryption for Mac from WinMagic?
    2) Where can I buy one? PGP has a store where I ordered my copy of the software. But I can't find a store anywhere for SecureDoc. With some trouble I found a reseller in the Netherlands, but they don't reply to any questions.

    I am currently testing a trial license from Checkpoint Full Disk Encryption.
    http://www.checkpoint.com/products/datasecurity/pc/index.html
    The company where I work is a Checkpoint reseller, and normally only has dealings with other companies, not end users. But we arranged a trial license and I can buy a single user license Checkpoint Full Disk Encryption if the test proves Checkpoint Full Disk Encryption is a good solution.
    I created a bootable USB disk with Snow Leopard on it. But I was unable to install FDE on it. After reboot I only get a blank screen, that's it. Probably it isn't supported to boot from a full disk encrypted removable drive, I can understand that.
    I can't create a virtual Snow Leopard machine (legal reasons) to test it on. And all FDE solutions I found aren't compatible with Mac Server, which is a shame because you can virtualize Mac Server legally.
    So now I am planning to change the hard disk of my MBP this evening with another hard disk to test Checkpoint FDE there. I don't want to upgrade my current Leopard installation to Snow Leopard only to discover it doesn't work as expected. I could of course use my current installation and, when it doesn't work, roll back to a Time Machine backup, but before that I have to decrypt my disk and uninstall PGP, which will take 1-2 days, and encrypt again when the test is over. Not practical.
    I will let you know how the test with Checkpoint Full Disk Encryption went!

  • Leopard full disk encryption

    Currently I own a Macbook Pro and an iMac, both running Leopard. In particular for my MacBook Pro, I am desperately looking for a full disk encryption product. I know there is FileVault. But it will only encrypt the home directory. All other products will not encrypt the boot partition, so it's pretty pointless for a laptop. Another problem is that Time Machine will not work well on FileVault directories.
    I looked everywhere, but no luck so far. Given the popularity of Mac laptops, it's kind of odd that there is not more around. Soon I won't be able to use my Macbook Pro on the road anymore as our corporate policy is going to require full disk encryption of all laptops soon.

    I think that you're out of luck at the moment; here's an article that might give some hope for the future.
    http://www.news.com/8301-10784_3-9869812-7.html

  • Can host hacker break into guest that uses full disk encryption?

    I know it is unlikely but let us say host has got owned, ie a hacker has managed to break into the host.
    How would they go about breaking into a linux VM that uses full disk encryption?
    They can't mess with the .vmdk without damaging it - it is encrypted by the guest.
    They can't use vmrun because they do not know the guest passwords.
    They can't attach to processes in the guest with debugging tools because they cannot see individual guest processes.
    What can they do?  And crucially, what can I do as a countermeasure?

    What really matters is WHERE you do the encryption. If the encryption is too low, data in the guest appears unencrypted. If it is in the guest, then the keys live in the guest and since SGX is not around at the moment, keys are somewhere in guest memory even for a little bit of time.
    So the real question is what are you trying to achieve?
    If you are trying to meet encryption at rest requirements then it makes no difference where you encrypt as the data on the disk will be encrypted and without the key no one can decrypt it. Now if you have keys generated within a VM without using DRNGD or some other high quality randomness source, then your keys could be predictable and you need to guard against making it easy for a brute force attack.
    If you need to encrypt data in motion?
    Then you need to consider how the VM is protected itself, how an application interacts with data to determine during 'motion' if someone should not be accessing the data even though they are already supposedly allowed to do so. Keys are in memory, so therefore you need to guard memory access for those keys to only the application in question. This is the hard part, and requires you to think seriously about logging, key management, etc.
    So really what are you trying to achieve?
    Best regards,
    Edward L. Haletky
    VMware Communities User Moderator, VMware vExpert 2009-2015
    Author of the books 'VMWare ESX and ESXi in the Enterprise: Planning Deployment Virtualization Servers', Copyright 2011 Pearson Education. 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.
    Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC -- vSphere Upgrade Saga -- Virtualization Security Round Table Podcast

  • CheckPoint Endpoint full disk encryption

    My previous employer mandated CheckPoint Endpoint full disk encryption on every machine accessing their intranet. Since I have not worked there for two years, their IT group refuses to support my MB air. I am trying to update my OS, but Endpoint will not allow this. I like the encryption, but if I had to choose, I would pick an updated OS. Does anyone know how to do this?

    Back up all data to at least two different storage devices, if you haven't already done so. One backup is not enough to be safe. The backups can be made with Time Machine or with Disk Utility. Preferably both.
    Erase and install OS X. This operation will destroy all data on the startup volume, so you had better be sure of the backups. If you upgraded from an older version of OS X, you'll need the Apple ID and password that you used, so make a note of those before you begin.
    When you restart, you'll be prompted to go through the initial setup process in Setup Assistant. That’s when you transfer the data from a backup.
    Select only users and Computer & Network Settings in the Setup Assistant dialog—not Applications or Other files and folders. Don't transfer the Guest account, if it was enabled.
    After that, check the App Store for updates and install the third-party software you need.
    Before installing any software, ask yourself the question: "Am I sure I know how to uninstall this without having to wipe the volume again?" If the answer is "no," stop.
    Never install any third-party software unless you know how to uninstall it.

  • T61 full disk encryption question

    I have a T61 laptop, model 6464 4YU.
    Can I use full disk encryption if I upgrade my hard drive, or do I have to buy a laptop model that supports FDE?
    There is a lack of information about FDE. I only found FAQ on Lenovo web site.
    I have called Lenovo support, but rep. could give me a clear answer.
    Thanks  

    Your T61 supports FDE - see here, here, here, and here.
    Don

  • X220 with Samsung SSD 830: Success? Full Disk Encryption (FDE)?

    1. Have any of you tried installing a Samsung SSD 830 Series drive in the X220, and if so can you recommend or dis-recommend?
    2. Can anyone definitively verify whether or not the SSD 830 drives support full disk encryption?  I see conflicting information about that on the internet...
    Thank you.

    I have finally gotten an answer from Samsung regarding encryption.  Sounds like hardware FDE is only supported on the OEM version, not on the consumer version:
    My Question:
    Does the SSD 830 (Notebook 256G version: MZ-7PC256N) support Full Disk Encryption (FDE) with a password through the BIOS? I read on the web that your enterprise version of this product does support FDE, but it's not clear whether or not that is also supported on the consumer version.
    Their Response:
    Dear Customer...The retail market 830 series SSD does not natively support FDE. Only OEM version of the unit have the encryption placed. Samsung recommends the use of programs to encrypt the data on the drive... Thank You for choosing Samsung.
