[dm-crypt] Can SED/FDE limit access to a particular user?
dm-crypt at mdsresource.net
Thu Dec 12 16:18:11 CET 2013
We have to protect sensitive files and keep them available for use by a
particular user for 7+ years.
We prefer a self-encrypted disk (SED), but it is proving too difficult to get a
straight answer regarding the do-ability of our application. We are currently
using LUKS filesystems on several servers, so we know how good this is. We
do not, however, know whether or not we can do what we want with it.
We understand how full disk encryption (FDE) normally works: once the drive
is decrypted (via key/password, etc.), the whole drive is visible to
whomever has system access.
We do NOT want that.
Ideally, the drive will be unreadable to everybody. During a brief period
of time when a new file is to be written to the drive and also a brief
period of time when a particular file is to be read from disk, a specific
user would "unlock" the drive for this specific task, after which the whole
drive will be unreadable to everybody.
We would consider other scenarios, but it is essential that all of the
contents of this disk are unreadable to everybody, except one particular
Furthermore, as a file server application serving enterprise critical
files, redundancy is also a high priority. Currently, we run several SANs
with RAID 6 and prefer similar redundancy for this application.
Almost all of our servers are Linux based and we prefer the same here.
We do a high volume of PGP/GPG file encryption for file transfer, but we
prefer FDE for static files.
How can we accomplish this?
Please, advise. Thank you.