Chatable
Any cross platform disk encryption software?

Hello,
I need a full disk encryption software that is cross platform with Windows and Linux operating system. The issue is the target computer has both OSes installed and has GRUB giving the user the choice which one to boot.
I need a solution that does full disk encryption at sector level + pre-boot authentication. Please do not offer any container based solutions.
I've searched the net for hours and found many solutions but almost all are designed specifically for MS Windows OS. A few are designed for Linux but none is compatible with both.
Does anyone know a good one?
zgrp

Hello,

The level of encryption that you need, like encrypting the boot sector, OS initialization files, drivers, etc., and that is even compatible with multiple platforms, will be very hard (if not impossible) to find.

My suggestion for you is to use BestCrypt from Jetico:

http://www.jetico.com/download.htm

Check this basic tutorial that explains how it works to encrypt file systems and has "clients" that allow you to mount and manage the encrypted file system in both Windows and Linux:

http://www.linuxjournal.com/article/5938

Hope this helps,

Cheers
If that is not what you need, I think your only chance will be to have different encryption schemes for the different OSes, like:

Encrypting File System (for Win):

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q223316

http://www.microsoft.com/technet/security/topics/cryptographyetc/efs.mspx

http://www.microsoft.com/technet/prodtechnol/winxppro/deploy/cryptfs.mspx

Linux Crypto API kernel support:

http://tldp.org/HOWTO/Disk-Encryption-HOWTO/

http://www.sdc.org/~leila/usb-dongle/readme.html

Both methods support an external factor to initialize and authenticate, for example asking for a password key, or for a floppy with a key, or a USB with a key, etc.

Hope this helps,

Cheers
Rich Rumble
If you want the data stored on the HD to be truly encrypted, regardless of OS or file format (i.e. NTFS, EXT2, EXT3, FAT...) then you can use an encrypted HD, where the HD does the encryption, not the OS or an app on the OS. There are encryption programs that are cross platform, like TrueCrypt, PGP, GPG etc...

Using the always-encrypted HD, the OSes don't even know the HD data is encrypted, because the IO board of the HD is doing all the encryption/decryption.
You have to enter a passphrase to boot the HD, and it's not able to be reset from what I know, so you lose that, and you've wasted your money.
http://www.eweek.com/article2/0,1759,1825740,00.asp
Again it's invisible to the OS, so it's not dependent on format or OS whatsoever.
As far as I know, it's only available on notebook drives, however you can use a notebook drive in a regular PC, two cheap cables are all it takes, one to convert to IDE the other to convert the power plug to the smaller form factor.
https://searcheng.seagate.com/cs.html?charset=UTF-8&la=en&qt=fde&url=http://www.seagate.com/docs/pdf/marketing/PO-Momentus-FDE.pdf&col=www
-rich
How about FREE CompuSec® (http://www.ce-infosys.com.sg/CeiProducts_FREE_compusec.asp) - it's FREE and there are Linux Red Hat & SuSe distributions available!
Hello,

But none of these programs like TrueCrypt, PGP, GPG, CompuSec®, ... are full HD encryption as requested, encrypting the boot sector, initialization sectors, etc., right?

Cheers,
No, they aren't. The SeaGate drives I linked to are however. Currently only offered for notebook size drives, but easily fitted/converted to work in a workstation via two conversion cables.
CompuSec has a hardware device that can be placed in a PCI slot and provide an encrypted NIC connection for use with other IPSEC tunnels, or a plain-text NIC for unencrypted traffic. It also claims to do full disk encryption, however I'm not sure how, as the HD is never directly plugged into the PCI device; it's possible that the device will intercept and manipulate calls to the HD, however it seems very risky to function like that. The other CompuSec offering, the free one, is simply a boot loader that pre-empts other boot loaders and scrambles the HD contents; that also seems a bit risky as it would need to be a kernel unto itself to accomplish its task, it is software after all.
-rich
Chatable (ASKER)
omb - Yeah I know about CompuSec but unfortunately the distribution I have installed is Debian, which is not supported in CompuSec (and the source code for the module is not available..) - otherwise I would have used it.
zgrp - BestCrypt, TrueCrypt, etc.. are not full disk encryption software. Yes, the container can be a partition rather than a file but it is still not a full disk encryption software because it cannot encrypt the partition that the OS boots from.
I can't use two solutions for the two OSes because they're both installed on a single system and I doubt it's possible for two "full disk encryption" programs to coexist, and even if it was, in addition to the two OSes there is also a FAT partition on the disk which is shared between the OSes; obviously that solution will block access to one of them.
richrumble - A hardware solution is generally a good idea but I've been unable to find any such device sold in the local stores and ordering it from abroad means huge shipping costs (if it even arrives at all with that US export restriction on cryptographic material). Even if I do go with this solution (which I consider a last option) I would probably try to separate it from the HD itself (because I don't want to pay those extra hundred $$$s again when I replace my HD with a larger one). Maybe a USB dongle based solution?
Hi

SafeBoot (http://www.safeboot.com/) will do the job you require - this is a whole disk encryption product that allows for centralised management, and will prompt for a username / password before you can boot the O/S.

As it is whole disk it works fine with any O/S - I have an XP / fedora laptop sitting beside me happily encrypted with SafeBoot.

I'm sure there are several similar products available.

cheers

K
Hi,

You should also consider DESlock+ (www.deslock.com), it's one of the most highly-used encryption systems around:

DESlock+ protects your data transparently with fast file, folder and email encryption. It can be used to encrypt any data including personal files, corporate information, confidential records and email attachments.

Licensing options include a dedicated USB security token or Software licences for less complex applications, providing a low cost business solution or a completely free means to protect your personal information.

The main features of DESlock+ are:
Email Encryption
Folder Encryption
File Encryption
Mountable Encrypted Files (Volumes)
Compressed Encrypted Archives
Clipboard & Text Encryption
Secure File Deletion
Multiple, Shared Encryption Keys

DESlock+ provides the type of security demanded by today's risks with an unprecedented ease of use and flexibility. With no need to work through a new user interface or mount drives, users plug-in, log-on and work. Simple.
HyeProfile, do you work for "data encryption systems"? Because your message looks a lot like an advertisement.
Still, I wouldn't mind but please at least read my question before you suggest (or advertise) any solutions. deslock does not fit my needs because:
* It does not support Linux
* It does not support full disk encryption
Both these features were asked for in my question. If/when these features are added, I'll consider it (and probably even go for it since currently there appear to be no others).
Actually, you're right, there isn't any Linux distribution of DESLock+... And DESlock doesn't support disk encryption... No, I don't work for data encryption systems, but it's funny how people find themselves boasting about the software that they use when it's not even that great... You know what, you made me reevaluate my encryption software needs...

DES (the encryption algorithm, triple-DES to be more precise), and not DESLock+ (the software), IS truly cross-platform, and the fastest one around... So I could easily switch to another software that decrypts DES, and voila...

You said:"zgrp - BestCrypt, TrueCrypt, etc.. are not full disk encryption software. Yes, the container can be a partition rather than a file but it is still not a full disk encryption software because it cannot encrypt the partition that the OS boots from."
I did some searching, and I found that TrueCrypt (http://www.truecrypt.org/downloads.php) not only does file encryption, but disk encryption at the partition level and also at the boot-level (you emulate a bootable partition on pre-boot with Virtual PC, have TrueCrypt encrypt it, then load the OS)... I looked at the FAQ (http://www.truecrypt.org/faq.php) and it states that :

Q: Is it possible to mount a single TrueCrypt volume from multiple operating systems (for example, a volume shared over network)?

A: Yes, but the volume must be mounted in read-only mode under each of the systems (see the section Mount Options in the documentation). Note that this requirement is not related to TrueCrypt but, for example, to the fact that data read from a conventional file system under one OS while the file system is being modified by another OS might be inconsistent.
Q: Can TrueCrypt encrypt a Windows boot partition?

A: Yes, but not directly. TrueCrypt can on-the-fly encrypt a disk image containing an installed operating system that you run (boot) under virtual machine (or emulation) software, such as Bochs, QEMU, VMware, or Virtual PC.

You should look into it, but SafeBoot & CompuSec sound much better for boot-level protection...
kevinf40, how do you rate the performance of on-the-fly decryption of SafeBoot??? Have you tried playing games before and after you installed SafeBoot...

chatable, did you look into SafeBoot???

btw, it seems to me that having a pre-boot encryption system is pointless if you intend to run Windows on it (unless you're really afraid of compromising your info through theft, or you're James Bond and you don't want Blofeld to get a hold of your HD with a list of MI5 agents)... With all of Windows' inherent flaws & weaknesses, you would still need to nest additional levels of encryption that you would access if and only if you've disabled every single flaw in Windows & you know that the data won't be compromised... Cuz it seems that the person who's so intent on getting a hold of your files would rather hack through Windows after you've authenticated & booted up instead of trying to physically get a hold of your files... but then again, maybe having both would be the best!!!
Hi HyeProfile

Performance is fine.  I have not used it on a games machine though.

Opening, copying and moving large files is fine with no obvious performance deficits (no doubt it is slightly slower but the encryption / decryption is pretty fast - we use it across hundreds of laptops with a variety of specs without issue).

The point of this form of encryption (whether built into the drive, or as additional software) is exactly as you suggest - it won't fix flaws in any O/S but should a laptop be lost or stolen the data on the drive will be safe, which to most businesses is likely to be worth considerably more than the hardware.

I think your opinion regarding Windows is however a whole other debate....!  ;)
HyeProfile - I've been to SafeBoot's website and it's hard to get any relevant information from there. The whole website looks like a sales pitch, not a single technical detail. I couldn't determine its system requirements, let alone whether it supports Linux. In addition it seems that SafeBoot is very targeted towards corporate customers. When they don't even state a retail price for the product but use the blurry term "contact the sales department for more information" I know that I don't want to get anywhere near this.
It's not pointless to use pre-boot authentication software on a Windows machine. Obviously you can't trust it as the single security measure and uninstall your anti-virus, firewall etc., but it does work for the case of your laptop being stolen.
About truecrypt - It seems that its developers are very much against boot protection so it can't be used as a solution. I don't want to use any vmware-style solutions because a) they don't allow transparent access to the physical hardware (so some devices may have problems and/or not work at all) and b) they will slow down my PC, which is already slow.
chatable, I agree with you fully, SafeBoot doesn't look very consumer-friendly... I'm assuming it's based on either DES, AES, or some other symmetric encryption algorithm (has to be if there's very little performance loss)...

as for TrueCrypt, again, I must agree with you...

encryption software programmers should step up to this challenge...
It's not really the challenge - the issue is that it's hard to find ANY software today that is cross-platform. Most commercial companies won't develop for Linux because there aren't too many business opportunities there and most Linux supergeeks will never develop anything for Windows because "it's the symbol of evil software capitalism". Those of us who use both systems suffer the consequences.
Guys - I think many genuine "whole disk" encryption products will be cross-platform (at the client side at least - they may need a management console on a specific O/S if they are corporate level products).  This is because whether implemented in software or hardware they operate at a level below the operating system.

SafeBoot does indeed work with Linux - as mentioned I have my dual boot laptop running happily on a SafeBoot encrypted drive.

You are correct it is a more corporate centric product, we currently have it installed on several hundred laptops with a wide variety of hardware specs.

Another company also offers a similar product - www.pointsec.com - this is also compatible with both Windows and Linux, but again may be too corporate for your needs.

Looking at the pgp whole disk encryption it looks like they may not even support multi boot windows only systems (or they certainly didn't a while ago)...

I think that is where the difference between personal use and corporate products lies - the personal ones are installed from within the logged on O/S and hence tend to only work with that; the corporate ones can be pushed out and run at a lower level.

If it is just a single machine (or low numbers of machines) then it may turn out to be more cost efficient for you to buy drives with hardware encryption built in.  You could then just use Ghost or similar to copy the image of the current drive to save having to re-install anything.
kevinf40 - Thank you for your detailed response. One correction is that unfortunately you cannot write a software encryption package that works "below the OS" (meaning that it is OS independent), because modern operating systems communicate directly with the hardware, bypassing all BIOS routines and therefore you cannot intercept the disk access. The only way to achieve this is to write a driver for each OS that is going to run on your computer.
With Linux this means a big problem for developers (at least of commercial products) since Linux drivers (aka kernel modules) must be compiled for your running kernel. This means that you can only support a very limited set of distributions (and versions!) - if you want to support others you have to provide the source code, which most commercial developers are unwilling to do.
Anyway, you said Safeboot and Pointsec may work. Do you know if they work for many distributions? My Linux distribution is Debian 3.1 ("Sarge"). Can you please tell me whether it's supported by one of them?
Thanks.
Hi,

This will not be an easy task, to find software like that; at the same time you want cross-platform HD encryption software, you also want it to work at low level.

About the Linux kernel module, probably you can contact the company that makes the product and they probably can compile a version of the LKM (loadable kernel module) for your Linux distribution kernel.

Even if they don't create one, you can check the versions of the LKM they have pre-built, just install a kernel source of the same version and run the module via "insmod -f lkm-name"; this will generate warnings, but it will probably work fine, since the symbol resolution is at different addresses but the kernel internal data, functions and sub-functions are the same. ;)

About your problem, I make two suggestions:

1 - Find a program for Linux that is GPL and has all the features that you need, and then compile it with Cygwin (http://www.cygwin.com/), so you will be able to use it under Windows too.

2 - Look for a Windows application that has all the features you need and is built in .NET, so you can use Mono (http://www.mono-project.com/Main_Page) and run it on Linux.

Hope this helps,

Cheers
zgrp - There's no way your suggestion will work because such software requires a kernel module / driver and neither Mono nor Cygwin run in kernel space.
Hi Chatable,

As I said, a full-featured one that encrypts even the boot sector will be very hard to find (at least I don't know of one); my suggestion is to make the software work just at user level, for your files and not OS files.

Also note that maybe some Windows applications like that can use user-level hooks like Detours from Microsoft, which probably can be emulated in Cygwin.

If you really want low-level encryption software you will not have many options; I believe that:

- I don't know if it's an option for you, but you can try a Windows open-source replacement like ReactOS (http://www.reactos.org/xhtml/en/index.html).

- Why not use a Virtual Machine, so you can have your files encrypted at low level in the host system, and keep the hosted OS encrypted too. :)

For Windows and Linux you can choose VMware (http://www.vmware.com/).
For Windows VirtualPC (http://www.microsoft.com/windowsxp/virtualpc/).
For Linux Bochs (http://bochs.sourceforge.net/).

Hope this helps, because beyond this I don't have any more ideas... hehehe

Cheers
No, it's not possible as data may be written to the disk from kernel space and then half the disk will be encrypted and half won't, and that *will* lead to disasters.
I already thought about vmware-like solutions and decided to reject them (already wrote about this) because I want direct access to the computer's hardware and because my computer is kinda slow and I don't want to slow it down even more.
Hi Chatable

to follow up your questions regarding O/S compatibility, this article may help confirm the wide range of platforms it runs on, along with some pricing info:
http://www.techworld.com/opsys/reviews/index.cfm?reviewid=334

This is a good comparison of safeboot and some similar products:
http://www.infoworld.com/article/05/08/29/35TCencrypt_1.html

I was probably not clear - when I said works below the O/S what I meant was that although a client is initially installed, once the drive is encrypted you are required to authenticate before the O/S boot process begins - so you can then install other O/S's without the need for further client installs - e.g. if you had a machine with win XP on it and installed the windows client, encrypt the whole drive, you would then be able to dual boot with another O/S by turning the machine on, inputting your safeboot username and password to allow the drive to be read, then installing whatever you wanted.

As previously stated this and other similar products may be slightly too corporate / enterprise for your needs, but they certainly provide the functionality you are after.

cheers

Kevin
Kevin, that would be true only for previous-generations OSes, like DOS, which had to go through the BIOS to access the storage devices.
Modern OSes, including Windows and Linux, access the disk directly so the data cannot be intercepted and encrypted on its way to the disk by anything but a driver/module loaded into the OS.
chatable, it seems that the only thing to solve your problem is a hardware-encrypted hard drive... when you want sub-OS encryption & that kind of multi-platform support, it's hard to find the perfect software solution... anyhow, encrypted HDs aren't THAT expensive, and they're the most headache-free solution for non-corporate implementations (come to think of it, even corporate ones)...

so, when you're looking for such a high level of encryption, the question is, what spy agency do you work for ;-)
Unfortunately I'm not a system administrator of a huge corporation (neither a spy agency ;-). I'm just looking for a way to protect the data on my own *single* laptop (which happens to multiboot Windows and Linux) in case it gets stolen, and I don't trust all these encrypted container solutions.
Personally I don't think these are such high demands but apparently I'm wrong.
actually, your demands are not high, they're very reasonable... it's just that with modern OSes and the vastly different architectures, it's very difficult to create a software solution that is truly cross-platform without requiring OS-specific drivers & modules to be written...

actually, come to think of it, this topic leads me to ask the following question: is it possible to encrypt an entire HD using a common encryption algorithm (like 3DES, for example) from a program written specifically for Windows, then to decrypt the same HD using another program that can decrypt that algorithm from within Linux... I'm sure this would work if the HD being encrypted didn't contain the OSes, but would this work on the HD with the OSes... Obviously, we'd need to actually boot the respective OSes from the encrypted disk, therefore requiring boot-level authentication... For example, would TrueCrypt decrypt a HD encrypted with a Windows program that encrypts with Blowfish, for example... Interesting...
Hi Chatable

I think the issue may just be that there isn't a huge demand for this functionality - I imagine many people are happy to just encrypt their Data - e.g. dual boot but have a separate Data partition that may be encrypted, or use a USB stick for storing data that may either be hardware or software encrypted.

Certainly even in the corporate arena you'll have seen from the second link on my previous post that not all of the reviewed products supported multiple O/S's...

This may be an area where hardware encrypted hard drives will become more prevalent - I know that vendors are increasingly producing centralised management solutions for these drives to make them more appropriate for the corporate environment.

As to your issue I would have to agree with HyeProfile that the easiest solution for a single user that requires complete drive encryption while multi-booting different O/S's is likely to be a hardware encrypted drive.

If the cost / hassle of replacing the drive is too much, the other thing you could do is re-consider exactly what it is you are trying to achieve and maybe consider using an encrypted partition, or if your data volumes are not huge an encrypted removable drive of some sort.

A discussion about O/S’s writing to disk, and how it is possible to do things below this level (think VMWare and other virtualisation technologies as a starting point – these in many ways fool the O/S regarding the details of the hardware they are running on) is somewhat off topic to this query so should be left for another time.

I hope you manage to come to an acceptable solution / compromise that satisfies your requirements – it would be interesting to hear on the solution you finally settle on.

Cheers

Kevin
Well, no offense but I believe that those who are 'happy just to encrypt their Data' are stupid. With modern OSes you can't really know where your data is. For instance, Word sometimes creates temporary copies of your data in your temp directory and Windows itself saves tons of your data to the paging file. As long as any data (even just the OS) is kept unencrypted then you are not totally secure.
Hi Chatable

No offence taken, I was just offering some thoughts / alternative solutions.

As mentioned by myself and others it does look like a hardware encrypted drive will be the easiest solution for your needs - But you didn't seem to like this idea hence looking for other solutions that may have met your needs....

cheers

Kevin
kevinf40 - I couldn't find a single on-line store where such a drive can be purchased.
Chatable, try searching for Seagate FDE in your search engine of choice - their Momentus 5400rpm drives support full disk encryption.

Places like Dabs sell them, but don't seem to mention the encryption on their site, so maybe give them an email / call to confirm.  It might be possible to order direct from Seagate.

Tolomir,
I was still hoping that someone would come with a solution but it doesn't seem that a suitable solution exists.
The question may be deleted.
You could use this solution:

http://www.securstar.com/products_drivecryptpp.php for windows

And use the free vmware server to run a virtual linux within windows itself.

http://www.vmware.com/products/free_virtualization.html

This way I'm running Ubuntu Linux 6.06 within windows xp.

Since DCPP en/decrypts the data on the fly, even the "unprotected" Linux is safe.

Tolomir

DriveCrypt Plus Pack
Encrypts the whole operating system

- Full Disk Encryption (Encrypts parts or 100% of your HardDisk including the operating System)
- Pre-Boot authentication (BEFORE the machine boots, a password is requested to decrypt the disk and start your machine)
- Allows secure hiding of an entire operating system inside the free space of another operating system.
- Strong 256bit AES encryption
- USB-Token authentication at pre-boot level
Hi,
I've looked into all solutions available on the market (including those you just offered). None of them suited my needs.
Running vmware is right out of the question for reasons I've already mentioned.
At this point I believe there is no product that suits me in existence.
Still, thank you.
Would you like to keep this information, or should I recommend deleting this question? In both cases points are refunded, of course.

Tolomir
Hi,
You can keep the information, just in case someone else will ever be interested (a disappointing answer is still better than no answer at all).
About the refund - I have premium services so it doesn't really matter.
ASKER CERTIFIED SOLUTION
DarthMod