[dm-crypt] Can SED/FDE limit access to a particular user?

helices dm-crypt at mdsresource.net
Thu Dec 12 16:18:11 CET 2013


We have to protect sensitive files and keep them available for use by a
particular user for 7+ years

We prefer self encrypted disk (SED), but, it's being too difficult to get a
straight answer regarding do-ability of our application. We are currently
using LUKS filesystems on several servers - so we know how good this is. We
do not, however, know whether or not we can do what we want with it.

We understand how full disk encryption (FDE) normally works: once the drive
is decrypted (via key/password, etc.) then the whole drive is visible to
whomever has system access

We do NOT want that.

Ideally, the drive will be unreadable to everybody. During a brief period
of time when a new file is to be written to the drive and also a brief
period of time when a particular file is to be read from disk, a specific
user would "unlock" the drive for this specific task, after which the whole
drive will be unreadable to everybody.

We would consider other scnearios; but, it is essential that all of the
contents of this disk are unreadable to everybody, except one particular
user.

Furthermore, as a file server application serving enterprise critical
files, redundancy is also a high priority. Currently, we run several SANs
with RAID 6 and prefer similar redundancy for this application.

Almost all of our servers are Linux based and we prefer the same here.

We do a high volume of PGP/GPG file encryption for file transfer; but, we
prefer FDE for static files

How can we accomplish this?

Please, advise. Thank you.

~ helices
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.saout.de/pipermail/dm-crypt/attachments/20131212/c3170051/attachment.html>


More information about the dm-crypt mailing list