<div dir="ltr"><div>Added layer of physical security for HIPAA compliance led to the wholesale adoption. Yes, remote access and data theft would occur to a decrypted filesystem once it's running. But much of my work often requires encrypted data at rest for many system and the performance hit is essentially trivial compared to the rest of the system, so it's easy to to keep that as a default. The HPC systems have absolutely all security disabled and are hidden behind firewalls on private LAN, etc.<br><br></div>It also indicates a level of unsure trust of the physical access to the systems. Never had an issue but don't want to be on the wrong end if something does happen.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 8, 2014 at 12:54 PM, Beddingfield, Allen <span dir="ltr"><<a href="mailto:allen@ua.edu" target="_blank">allen@ua.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'm curious about why you would encrypt filesystems on servers, if you have control of physical access? If the server is up and online, the drives would be decrypted, and the files would be accessible by any remote exploit. I'm sure I'm missing a good reason for it, but I haven't had enough caffeine to fully get the brain cranked up today :D<br>
--<br>
Allen Beddingfield<br>
Systems Engineer<br>
The University of Alabama<br>
<br>
________________________________________<br>
From: <a href="mailto:ale-bounces@ale.org">ale-bounces@ale.org</a> [<a href="mailto:ale-bounces@ale.org">ale-bounces@ale.org</a>] on behalf of Jim Kinney [<a href="mailto:jim.kinney@gmail.com">jim.kinney@gmail.com</a>]<br>
Sent: Monday, September 08, 2014 11:46 AM<br>
To: Atlanta Linux Enthusiasts<br>
Subject: Re: [ale] OT - SED drive compatibility<br>
<span class="im HOEnZb"><br>
Using LUKS software encryption on a system with 15k RPM drives will be a<br>
minimal hit on performance as long as there is adequate RAM and cores to do<br>
the decryption. A single core is enough and the RAM needs are actually<br>
small. A few blocks at a time are fed through for decrypt then passed to<br>
buffers for use.<br>
<br>
I use LUKS on EVERY public facing (and many internal only systems) server.<br>
The only big caveat is the need to have remote console so the password can<br>
be entered for key decryption after a reboot.<br>
<br>
<br>
</span><div class="HOEnZb"><div class="h5">_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr">-- <br>James P. Kinney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></i></i></i></i></div>
</div>