In the past, some of my clients have given me laptops with Full Disk Encryption (FDE) on them.
When you turned on the laptop, you got a command line screen asking for a password. If you entered the correct FDE password, then Windows would boot up (i.e. pre-boot authentication). I believe they used hardware FDE.
Very impressive solution to protecting data.
So, some questions…
1.) Can you achieve the same thing with something like TrueCrypt (which is open-source)?
2.) Is there a way to install FDE after there is an operating system installed on a hard-drive?
3.) If that is possible, is there a way to install FDE remotely?
I am very concerned about data security, and one thing that has been bothering me about web hosting is that I have no control over the server hardware, and specifically the hard-drive(s) with all of my customers’ data on them?!
What is to stop a web host tech from hot-swapping out a RAID hard-drive and taking all of my customers’ data?!
If there was a practical way that I could use Full Disk Encryption on my dedicated server’s hard-drives, then even if one drive did crash and was thrown out, or was swapped to another system, or was nefariously swapped out in an attempt to steal data, the thief wouldn’t get far.
I haven’t seen this sort of use available in TrueCrypt (admittedly I use it for a basic purpose) however I would imagine not as FDE is pre-boot encryption before the Operating System loads, at the hardware level so it’s much more advanced. You can install FDE after an Operating System has been installed I think, however you can’t have FDE itself come up after the Operating System has booted as its main purpose is to stop the Operating System booting if you don’t have the correct security key.
I don’t think that you can install FDE remotely, maybe have a good search on some security forums as it may be possible but I don’t see how myself, especially if you’re trying to install it on your host’s systems, you would also need their permission etc.
If you’re extremely concerned about server hardware and data security then perhaps it’s not a bad idea to get your own hardware and host it yourself, not ideal but it’s the only way to assure it’s completely secure in that way. As for customers’ data, if it’s in a database and encrypted you’ve taken measures to secure the data then it should be ok.
Of course a server technician in your web host could do that, however if it’s a reputable web host, they will have CCTV and other security measures and legalities sorted, if it does happen the person responsible (the thief) would be prosecuted so I wouldn’t worry too much about this. As far as I can tell from FDE it’s quite simple to bypass anyway if you have the physical hardware and the know-how.
As long as you have taken the basic encryption methods, passwords etc and hosting any customer data in protected file systems or databases you will be fine except from an experienced person, you could also hire a security consultant to assess it if you are very worried.
Hope this helps, and sorry I can’t be of more help.
If the disk was swapped then it may not work without the correct decryption key or exact same motherboard and full disk encryption basically encrypts the whole disk including OS files. I doubt you would have the permission to do that on your host’s system or if they had major hardware failure or change you might not be able to get your stuff back.
I’ll give you a quick answer. No. You cannot do what you are thinking you want to do. First you would have to tell the hosting company the password for the disk encryption so they can enter it when the server boots up. Of course, that means the hosting company will have to attach a screen and keyboard to the server and visit it every time it reboots to enter in this password. After all there is no network connection until the OS boots and the OS cannot boot until the FDE password is entered.
Yeah, co-location is starting to look more attractive every day.
As for customers’ data, if it’s in a database and encrypted you’ve taken measures to secure the data then it should be ok.
Good point, however, if someone walked off with my hard-drive, wouldn’t they have everything they need on the hard-drive to hack into the encrypted MySQL database?
Of course a server technician in your web host could do that, however if it’s a reputable web host, they will have CCTV and other security measures and legalities sorted, if it does happen the person responsible (the thief) would be prosecuted so I wouldn’t worry too much about this.
True, yet with all of the data breaches out there, I worry about this.
As far as I can tell from FDE it’s quite simple to bypass anyway if you have the physical hardware and the know-how.
If you have hardware FDE, I don’t think it is.
With software FDE, I believe it is easier.
Hope this helps, and sorry I can’t be of more help.
Okay, so maybe it isn’t practical to use FDE with a web host - unless you don’t mind them having the password.
But what about using something like TrueCrypt to create an encrypted “logic drive” or “space” on the dedicated server?
You could encrypt the portion that holds all of your HTML, PHP, MySQL.
That way the web host admins could re-boot as needed, but if one of the hard-drives was removed, then all of the “sensitive data” would be encrypted and pretty secure, right?
(Maybe not as good as true hardware FDE, but still much more secure than unencrypted data sitting around…)
First, you should have lots of legal protections from your host snooping at your client’s files. You should be able to sue the pants off them, never mind the fact that a widely publicized snooping incident will put them out of business – who is going to trust a host who steals from their clients?
Insofar as how to get there, what you probably want to look at is application-layer encryption. Some database servers, for example, can encrypt entire databases or even specific fields in specific tables.
Do you regulate what TV shows they watch, or what temperature they keep it in their apartments?
Encrypting a portion - or even all - of the hard-drive on a Dedicated Server Hosting Plan is hardly a “capital improvement” and should be well within the realm of things you could do. After all, you can install any software you want from MS Access to Oracle…
Is it a great analogy, no. But neither is the TV programs. You are making fundamental changes to the system that could interfere with a host’s ability to manage things, to ensure you are not doing anything illegal on their watch and perhaps some other downsides.
If your stuff is important enough that it needs to be fully encrypted and protected, you probably are doing something that requires a dedicated datacenter anyhow.