There are systems (like MobileArmor/DataArmor, which I used previously) that encrypt under the OS. My company uses one by McAfee that is smart enough to log me into Win7 without a 2 password requirement, though Win7 handles login from locked system.
I'd google FIPS 140-2 and linux.
Here is an open source system that rides under linux[^]
I suspect there are others. FIPS 140-2 is one of the NIST certifications for encryption sw. It was the standard a DoD project I worked on used. Good luck.
Opacity, the new Transparency.
Lee, Gun-Woon,
Just to pitch in my two cents... You may not be able to achieve what you want with a solution other than TrueCrypt. The only reason I say that is because you made it very clear that you want...
Lee, Gun-Woon wrote: "...every (or almost every) bit persisted in storage is encrypted and unreadable to unauthorized users." However, you very likely already know that there are elements on the disk that cannot be encrypted (i.e. boot partition). There is one additional element that cannot be encrypted using any FDE software that boots from the same disk (or any that I am aware of) - the partition definitions (i.e. start and stop LBAs).
The reason TrueCrypt is excellent in a situation like this is because it can create an altogether hidden operating system[^]. Their methods are rather tactful and if your situation requires security that can thwart others' attempts at getting to your data *even after you give them the pre-boot authentication password*, then this is what you want.
Now, about your BitLocker setup. The reason BitLocker isn't requesting a password for its pre-boot authentication is because your motherboard has something called a Trusted Platform Module (TPM) installed on it. You probably already know that since you likely had to activate the thing before the encryption process could start. Anyway, the TPM holds the en/decryption keys to your encrypted partition. When the system boots, the system partition (Windows' 100MB boot partition) authenticates with the TPM, exchanges keys, and boots the encrypted partition by decrypting it on-the-fly. When the TPM is locked or the disk configuration changed, or the disk is booted on a different system, or any number of things - this will cause Windows to start the BitLocker bootloader in a recovery mode. You will be prompted for a password if and when this occurs.
I'm also new to Linux myself (I've been aspiring to the genius required to understand Unix's simplicity[^] for some time now...). Anyway, I think you'll be hard-pressed to find an Open Source Software (OSS) implementation of a FDE package that supports hardware en/decryption components. The only one I've seen that can use a TPM is TpmCrypt[^] (which, ironically, seems to have an invalid certificate for their website!).
Moving along to your specific desired setup - the partitioning scheme you have illustrated is possible with TrueCrypt. Now, there is the normal way of doing things - then there is tuning the system for every last drop of performance possible. Here's a quick exit - if you'll be installing the entire system to the SSD, don't bother with tuning the partitions. It won't gain you anything.
If you'll be using any portion of the ATA/SATA disks, then you'd do well to put the swap partition on the SSD. This is important with any non-hardware en/decryption solution because all of the data must be en/decrypted either in RAM or in swap space (even if the encryption software pushes all of the normal memory functions to swap and reserves the physical RAM for itself, you'll still want to make sure that your swap disk is fast enough to keep up). Anyway, I'll let you figure out the rest of the partitioning.
Let me know what you end up doing, I'm interested to find out what route you take!! I just recently made the switch to Linux on my personal computer and am currently trying to get my way through some of the rough spots associated with the switch. Three main areas that are giving me nightmares are GRUB, RAID, and FDE.
I actually have TrueCrypt working on my other Ubuntu installations, but they just protect the files and not the entire system[^]. It's one reason TrueCrypt isn't an option.
For my Windows BitLocker setup, I built the entire system myself. I couldn't find any motherboard with a TPM, so I had to make a few group policy changes as an administrator to force BitLocker to work without it. Using the command line tools for managing BitLocker, I made it deposit the boot key in the 100MiB system partition; since the system partition resides on a removable medium there's nothing an attacker can tamper with on the hard drives but pure "random" bits.
As for the setup I'm trying to achieve, Linux's dm-crypt is pretty much the only free and flexible solution that I know of that allows for it. In fact, I've gotten as far as making it work like in the diagram[^] (2-factor authentication and all) except it asks for the password 4 times (once for each partition). It's quite annoying and an issue that I'm willing to investigate how to eliminate in an otherwise perfect setup.
My GUID: ca2262a7-0026-4830-a0b3-fe5d66c4eb1d
Now I can Google this value and find all my Code Project posts!
Why must you "do away" with "My Documents?"
Why don't you simply not store anything there?
The difficult we do right away...
...the impossible takes slightly longer.
I'd use "Map Network Drive" rather than UNC; and set sharing options.
As I recall in XP you can right click on 'My documents', go to properties and move where it lives.
I'm not sure if that's what you need but that might help you.
I don't know if the others have the same method.
Why are you running any windows before xp? And why Vista at all?
I'm curious, I can imagine a few reasons but they have to do with specialized hardware/software.
_____________________________
Give a man a mug, he drinks for a day. Teach a man to mug...
The difference between an ostrich and the average voter is where they stick their heads.
Hi, Thanks
A Very Helpful Hint. I will work on that to start cleaning up my own shop.
smcnulty2000 wrote: Why are you running any windows before xp? And why Vista at all? I'm curious, I can imagine a few reasons but they have to do with specialized hardware/software.
Well, I developed a package to run Laundrettes and Drycleaners. The Latest Upgrade will run on Win98. It runs more reliably on Win XP. However, that's no longer for sale. We offer Win XP Computers for sale, but they are recycled. The day of having those available will run to an end Some Day.
In the near future, we will have to start recycling Vista Computers.
There are only a few of our customers that have more than One terminal. The main support concern has actually nothing to do with us, but, they are still our customers, and we try to help.
Everybody on Every Terminal is signed on as Administrator. (Do not lecture me on how bad an Idea that is, I've written several GigaByte of messages on this forum about why this is required, and Very Safe in the Environment used.)
It works all very fine for our own software, but, when a User saves say a Letter from MSWord under My Documents\Letters\Company, it is Everybody's guess where it is being Stored.
The bottom line is, we need a Single 'My Documents' Folder, which always points to a Single Folder on One Single Computer.
Regards,
Bram van Kampen
I believe they call that a network share...
As someone stated above, map a drive on each PC...you can edit the default location of the My Documents in Regedit as well.
Something worth reading, albeit it's invincible!
Not sure if this is the correct forum but didn't know where else to put it.
I have a few (actually a lot) of clients still on XP SP3 using various versions of Internet Explorer. They download files from a particular Web site where the files have non-standard file extensions like .2345 or .522AB. On a couple of systems the Save Type As defaults to Text and then appends a .TXT extension to the file. I need the files to have the original extensions.
I've tried adding the extensions to Registered File Types and I've looked everywhere for a default download file type, but can't find anything. Also searched the Web (honest) but am stumped and it's driving me crazy.
It’s not because things are difficult that we do not dare, it’s because we do not dare that things are difficult. ~Seneca
[Probably lives in web dev forum, but I'll answer here.]
If you have control/influence over the server, check and adjust the Content-type and Content-Disposition HTML meta headers. If the browser they use has a single brain cell left, you should be able to tell it (a) that the file is plain text and (b) [edit] where (i.e. the filename) [/edit] to save it by default.
hth
Peter
[edit] clarified use of disposition as marked. [/edit]
Software rusts. Simon Stephenson, ca 1994.
modified 15-Dec-11 19:06pm.
Thanks for the response but this isn't a programming question. What I can't figure out is how IE should be configured so that there is no default file type when downloading files for extensions it doesn't recognize.
It is an absolute certainty that there are no certainties. ~ Christopher Hitchens 1949-2011
AnnieMacD,
It sounds to me as if the Systems Administrator may have enabled MIME Sniffing Safety which essentially causes Internet Explorer to inspect the first N-Bytes of the file and attempt to automatically determine the MIME type and disregard the file extension. This is generally desirable on a high-security network... where EvilHackerX wants you to download EvilPayload.txt but it is actually an executable... the MIME Sniffing Safety feature would read the first few bytes and see that it is actually an executable and correctly rename it to EvilPayload.txt.exe
Check those workstations by going into the group policy editor (gpedit.exe) and navigate to:
\\Administrative Templates\Windows Components\Internet Explorer\Security Features\MIME Sniffing Safety Feature
Check to see if disabling this feature fixes the issue you are describing.
Best Wishes,
-David Delaune
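An added example, not code from the thread or from either poster: a small Python model of the two sides discussed above, Peter's point about the server's Content-Type and Content-Disposition headers, and David's description of a browser sniffing the first bytes of a download. The sniffing rules and the sample byte strings are constructed for illustration and are not IE's actual algorithm.

```python
"""Toy model of download naming with and without content sniffing, plus the
response headers a server can send to keep the browser from guessing.
Constructed for this thread; not a reproduction of Internet Explorer."""

import re

# Constructed, minimal magic-number table a sniffer might consult.
_MAGIC = [
    (b"MZ", "exe"),                   # DOS/PE executable header
    (b"%PDF", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]


def sniff_download_name(filename: str, head: bytes, sniffing_enabled: bool) -> str:
    """Return the name a sniffing browser would save the file under.

    With sniffing on, a recognised magic number overrides the declared
    extension, so 'EvilPayload.txt' with an MZ header is saved as
    'EvilPayload.txt.exe' (the case David describes). Plain-text content
    under an unknown extension gets '.txt' appended, which mirrors the
    symptom reported in the thread for .2345/.522AB files."""
    if not sniffing_enabled:
        return filename
    lower = filename.lower()
    for magic, ext in _MAGIC:
        if head.startswith(magic) and not lower.endswith("." + ext):
            return f"{filename}.{ext}"
    looks_like_text = bool(head) and all(
        32 <= b < 127 or b in b"\r\n\t" for b in head
    )
    if looks_like_text and not lower.endswith(".txt"):
        return filename + ".txt"
    return filename


def download_headers(filename: str) -> dict:
    """Headers that tell the browser exactly what the file is and what to call it.

    application/octet-stream avoids any 'text' default, Content-Disposition
    fixes the saved name, and X-Content-Type-Options: nosniff (honoured by
    IE8 and later) asks the browser not to second-guess the declared type.
    The filename is reduced to a safe character set so a crafted name cannot
    inject quotes or line breaks into the header."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
    }
```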
Thanks, I think this is what I was looking for. I'll try it out at the beginning of the week - hopefully that will do it.
It is an absolute certainty that there are no certainties. ~ Christopher Hitchens 1949-2011
AnnieMacD wrote: Thanks, I think this is what I was looking for.
Well let me know how it turns out. Keep in mind that even if the domain/workgroup policy is 'Not Configured' that the user may have enabled this feature in the browser itself. You can view this by opening Internet Explorer 'Internet Options' and navigating to the 'Security' tab and pressing the 'Custom Level' button... scroll through the settings until you find 'Enable MIME Sniffing'. It is possible that the users have enabled it here.
You could force the policy of 'Disabled' upon your subordinates through the group policy editor.
Btw... I am serious about letting me know if this was the cause of the problem. I am somewhat making an educated guess at what causes the issue you describe.
Best Wishes,
-David Delaune
David, I really appreciate your help/advice. I can't check my clients' machine until Monday but I still have one computer here with XP SP3 and IE7. It would appear that the option in IE7 is "Open files based on content, not file extension". I have mine set to 'enabled' and I don't have the problem. But I will set theirs to 'disable'.
BTW I assume you are working on Windows 7. Under XP (at least on my local machine), the Group Policy Editor does not have an Internet Explorer option under \\Administrative Templates\Windows Components.
Even if this doesn't work you have helped me a lot in that I wasn't aware of the MIME Sniffing Safety feature. Funny thing is my app does a similar thing with these crazy-named files that the users download - it opens them up and then acts on them depending on the first few characters. Trouble is, I have no interest in .TXT files!
I will most definitely let you know how it gets resolved.
It is an absolute certainty that there are no certainties. ~ Christopher Hitchens 1949-2011
AnnieMacD wrote: It would appear that the option in IE7 is "Open files based on content, not file extension".
I just checked and you are correct... on Windows XP this IE8 security feature is called 'Open Files based on content, not file extension'.
AnnieMacD wrote: BTW I assume you are working on Windows 7.
Yep, your psychic abilities are working very well.
AnnieMacD wrote: Under XP (at least on my local machine), the Group Policy Editor does not have an Internet Explorer option under \\Administrative Templates\Windows Components.
Interesting... all 13 XP-SP3 workstations here in my lab have \\Administrative Templates\Windows Components\Internet Explorer in the group policy editor. I guess the IE8 and IE9 installers add this. I would suggest that you install:
Administrative Templates for Internet Explorer 7 for Windows[^]
I highly recommend that you upgrade all workstations under your control to IE8 or IE9.
Best Wishes,
-David Delaune
Thanks again, David, for your help. The Administrative Templates are for XP SP2 but I downloaded them anyway; it made no difference - still not there.
I'm afraid I'm in the unfortunate situation of not having much influence on what my clients have on their machines. It took me a long time to convince the non-Win7 ones to upgrade to SP3 of XP - I'm developing in .NET 4 and the Client will not install on SP2. I only keep XP and IE7 for support purposes but can't have every combination!
Monday I'll change the "Open files based on content, not file extension" option and that may fix it, and I'll let you know if it works.
It is an absolute certainty that there are no certainties. ~ Christopher Hitchens 1949-2011
Dave, just a quick update.
Randor wrote: 'Open Files based on content, not file extension'.
This didn't appear to do anything, so, as a workaround, I added the extensions I knew about to the Registered File Types list. When they were downloading files, the default file type still came up as 'Text File' but it did not add the .TXT extension. This is not a totally satisfactory solution for a number of reasons, not least of which is that I don't yet know all the extensions, so I'm getting calls to a) add the extension to the list and b) remove the .TXT. However, I can do it programmatically in my next update, but that too is essentially burying my head in the sand!
What I don't understand is what determines whether there will be a problem or not. Only a handful of XP clients have the issue and I can't yet see anything that makes them different from the majority.
BTW I have no influence whatsoever as to what browser they are using.
It is an absolute certainty that there are no certainties. ~ Christopher Hitchens 1949-2011
When I built this beast in May, it was a screaming machine - Intel i7 CPU, 12 GB RAM, 1.5 TB SATA HDD. Within the past month, though, it's become sluggish and unresponsive. Both AdAware and MSE report a clean system - no nasty beasties lurking and stealing CPU cycles. Task Manager displays no active apps, less than 2% CPU activity for any process, 0% network capacity used. Performance monitoring reports that one CPU core is about 60% occupied, while the other 3 are idle, and no more than 20% of RAM is in use. Defrag reports 0% fragmentation on the HDD, not surprising since I have it set to defrag once a week. Ordinarily, with information like this, I'd declare the machine healthy, but the fact remains that it's doggy poo. Simply loading Solitaire, which used to start up in under one second, now takes 12 to 15 seconds to load. Navigating the web used to be an instantaneous process, but it now takes half a minute or so just to see a new URL. Once there, navigating the site is still extremely fast, but switching to a new domain again takes a long time. I purchased Registry Booster from Uniblue and ran that; it claimed to find 309 registry errors and fixed them. After rebooting the system it actually did run like the wind again for about two days, then it was back to crawling.
I've used up all the tools in my toolbox, and I'm out of ideas. Any suggestions?
Will Rogers never met me.
Thank you, Richard - I'll try these suggestions out, and if they help, I'll publish them, I can't be the only one experiencing this...
Will Rogers never met me.
Roger Wright wrote: I've used up all the tools in my toolbox, and I'm out of ideas. Any suggestions?
Roger, are you running an anti-virus or other security tools? Many of them hook hundreds of kernel-mode/user-mode functions to 'double check' absolutely everything... opening files... memory access... and can cause a fast computer to become slow or mediocre.
You said that you have a 1.5TB SATA drive. Congratulations, however... it is always better to put the swap file on a drive other than the drive containing the operating system. With 12 GB RAM your swap file is going to be enormous... and despite what you might think... even with 12GB RAM the swap file will still be utilized.
I cannot think of much else... other than using a tool such as Trend Micro HijackThis[^] to check if you have too many browser helper objects. Another useful tool is Microsoft Autoruns[^] by the infamous Mark Russinovich and Bryce Cogswell. Autoruns will tell you absolutely everything running on your computer.
Best Wishes,
-David Delaune