<html><head></head><body>NBDE is the tool for auto decrypt on your lan.<br><a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Network-Bound_Disk_Encryption.html">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Network-Bound_Disk_Encryption.html</a><br>If the drive leaves the network, it won't decrypt.<br><br><div class="gmail_quote">On April 23, 2019 11:06:12 PM EDT, "Bryan L. Gay via Ale" <ale@ale.org> wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div dir="ltr">I love LUKS. All my drives are LUKS encrypted. I enter my passphrase at boot, the first drive is decrypted, and it unlocks the keys for the rest of the drives that are then automagically decrypted and mounted.<div>Downside is that I can't remotely reboot my server, not that I'd want to.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 11, 2019 at 5:30 PM DJ-Pfulio via Ale <<a href="mailto:ale@ale.org">ale@ale.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Yet more reasons to use encrypted storage.<br>
<br>
Isn't there an enterprise solution for this using key servers to unlock the<br>
partitions at boot? Take the server/disks off the LAN and there aren't any key<br>
servers available.<br>
<br>
<br>
<br>
On 4/11/19 4:31 PM, Alex Carver via Ale wrote:<br>
> If someone really wants your data, holes don't matter. The rest of the<br>
> platter is still intact in that case and can have the data extracted.<br>
> <br>
> There's also no guarantee that Dban can write enough to be sure that the<br>
> magnetic domains are fully randomized deep in the platter. The longer<br>
> data sits statically on the disk the more opportunity for the surface<br>
> domain to imprint on deeper domains (this is actually a problem with<br>
> magnetic tape, magnetic data can print through from one layer of tape to<br>
> the next layer when it's wound on the spindle).<br>
> <br>
> A serious entity can perform a deep level scan of the platter and<br>
> retrieve the low level signal under the surface domains and see previous<br>
> data. The drive head typically isn't powerful enough to write that<br>
> deeply because it has to keep the tracks narrow.<br>
> <br>
> On 2019-04-11 12:13, Steve Litt via Ale wrote:<br>
>> On Wed, 10 Apr 2019 22:11:42 -0400<br>
>> Jim Kinney <<a href="mailto:jim.kinney@gmail.com" target="_blank">jim.kinney@gmail.com</a>> wrote:<br>
>><br>
>>> Dban advantage: it can be done across hundreds or thousands of drives<br>
>>> before larcenous third party "shredders" physically touch the drives.<br>
>><br>
>> That's a good point.<br>
>><br>
>> Doesn't dban take an hour or more? How many drives can I do with one<br>
>> computer? How long would it take to test whether each is really blank?<br>
>><br>
>> What might be nice with 1000 drives to do is dban followed by drilling<br>
>> 3 holes in each drive. I'd say each drive would take 1 minute for 3<br>
>> holes, so it's about 2 days for one employee to drill the holes. Or,<br>
>> perhaps, one employee could both dban and drill the holes, drilling the<br>
>> holes while the next batch is dbanning.<br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="https://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">https://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div>
</blockquote></div><br>-- <br>Sent from my Android device with K-9 Mail. All tyopes are thumb related and reflect authenticity.</body></html>