On Sun, Jul 19, 2009 at 03:48:25PM +0100, Frank Leonhardt (t200907@fjl.co.uk) wrote:
Encrypting the whole disk is good if the server gets pinched. My servers are behind several layers of hi-tech locks with permanent security guards on the door. I'm not too worried about them.
On 19/07/2009 16:03, Tapani Tarvainen wrote:
How much good do your locks do when the police come and want to confiscate your servers because they suspect one of your users has done something criminal? Do you trust that they take as good care of the machines as you do?
How do you know I'm *not* the Police?
We're in very interesting territory here, and it's going to depend on your local laws. In England the police are pretty okay about things, and are glad to have you extract the data yourself. If they really want to do it themselves it's easy enough to give them half a mirror.
I'm not in favour of whole disk encryption for data recovery and forensic reasons.
Some people favour it for the very same reasons...
Again, it depends on the jurisdiction. In England, if you can't decrypt the data it can be a bit awkward (RIPA) - unless it's clearly NOT your data in the first place (i.e. a message body).
Protection against a rogue admin by encryption is a red herring. Such a person would simply not enable the encryption in the first place.
Here I beg to differ. You are right in the simple situation where there's just one admin who's a crook to begin with, but often enough there're several and only one (or few) unreliable ones among them, and even if they're all good they can be forced by their bosses or blackmailers or even untrustworthy authorities. This is not purely theoretical, I can assure you.
Yes, but the rogue administrator ought to be able to circumvent encryption anyway - if it's whole disk it's effectively not encrypted. It'd rely on a policy of someone else periodically checking the files to see if they were still encrypted - don't see that happening somehow! And even then, an administrator could easily tee the data off before it's stored.
The main reason I'd be in favour of application-based file encryption is to get around the fact that whole-disk encryption is meaningless as protection from the operator - if the operator is dodgy (or someone's bypassed security) then they can read the mail files just as easily as everything else. If the files themselves are encrypted then access to the running system won't reveal their contents (although it would help).