[–] VimTsar 0 points 3 points 3 points (+3|-0) ago
On Linux you can encrypt everything except the /boot partition, which contains the kernel and typically the bootloader files. The good news is that you can move this partition along with the bootloader to a flash drive/SD card and carry it with you to prevent bootkit attacks.
Partitions still have LUKS (Linux encrypted) headers, which tell what kind of OS and type of encryption is used. LUKS supports storing the header externally (for example on the aforementioned external storage), but it's not supported by a lot of tools and system applications (for example systemd didn't support an external header, not sure about now) and might complicate recovery in case of problems.
Also, on OpenBSD FDE is supported only with the bootloader needing to be readable. Proprietary OSes open too many potential holes/backdoors, so encryption against a serious adversary is futile, and against a non-serious one encryption of the user account should be enough.
Further detail for example: https://wiki.archlinux.org/index.php/Dm-crypt/Encrypting_an_entire_system
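The LUKS header mentioned above stores the cipher, mode, hash and UUID in the clear. As an added example (not from the post, the Arch wiki or cryptsetup itself), this Python parser reads those fields from a LUKS1 header and returns None when no header is present, which is what the device looks like once the header has been detached to external storage. The sample header is constructed inline.

```python
import struct
from typing import Optional

# LUKS1 on-disk header layout: big-endian fields, 592 bytes total.
LUKS_MAGIC = b"LUKS\xba\xbe"
HEADER_FMT = ">6sH32s32s32sII20s32sI40s"  # fixed part, 208 bytes
KEYSLOT_FMT = ">II32sII"                 # 48 bytes per slot, 8 slots
KEYSLOT_ENABLED = 0x00AC71F3
KEYSLOT_DISABLED = 0x0000DEAD
HEADER_SIZE = 592

def _cstr(raw: bytes) -> str:
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")

def parse_luks1_header(blob: bytes) -> Optional[dict]:
    """Return the cleartext metadata a LUKS1 header exposes, or None if there
    is no header at the start of the blob (e.g. a detached-header device)."""
    if len(blob) < HEADER_SIZE or blob[:6] != LUKS_MAGIC:
        return None
    (_magic, version, cipher, mode, hashspec, payload_off, key_bytes,
     _mk_digest, _mk_salt, mk_iter, raw_uuid) = struct.unpack_from(HEADER_FMT, blob, 0)
    if version != 1:
        return None
    slots = []
    for i in range(8):
        active, iters, _salt, _km_off, stripes = struct.unpack_from(KEYSLOT_FMT, blob, 208 + 48 * i)
        if active == KEYSLOT_ENABLED:
            slots.append({"slot": i, "iterations": iters, "stripes": stripes})
    return {
        "cipher": _cstr(cipher), "mode": _cstr(mode), "hash": _cstr(hashspec),
        "key_bits": key_bytes * 8,
        "payload_offset_bytes": payload_off * 512,   # payload offset is in 512-byte sectors
        "mk_digest_iterations": mk_iter,
        "uuid": _cstr(raw_uuid),
        "active_keyslots": slots,
    }

def build_sample_header() -> bytes:
    """Constructed sample header (not from a real device): one active key slot."""
    fixed = struct.pack(HEADER_FMT, LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                        4096, 64, b"\x11" * 20, b"\x22" * 32, 100000,
                        b"0f6a5d2e-1111-2222-3333-444455556666")
    slots = struct.pack(KEYSLOT_FMT, KEYSLOT_ENABLED, 250000, b"\x33" * 32, 8, 4000)
    slots += struct.pack(KEYSLOT_FMT, KEYSLOT_DISABLED, 0, b"\x00" * 32, 0, 0) * 7
    return fixed + slots

if __name__ == "__main__":
    print(parse_luks1_header(build_sample_header()))
    print(parse_luks1_header(b"\x00" * HEADER_SIZE))  # no header present -> None
```

Running the parser over the first 592 bytes of a partition is enough to tell whether the header (and therefore the cipher choice and UUID) is exposed on the device itself.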
[–] zeitsieben ago
At my work, directors use Symantec Full Disk Encryption. The OS itself is encrypted, but not the bootloader so, theoretically, you can at least read what's going on under the table (I have no idea how one would do that). There's a master key in the administration system, so if someone knows it, they have the keys to the kingdom and can modify every single computer that uses it that's inserted in the domain.
The laptops run VERY slowly; 5400RPM hard drives are virtually unusable if you want to do anything (I'm talking about 7+ minutes boot time). Trust me, you need an SSD to run that. Also, they're prone to bootloader corruption, and if that happens, we decrypt it with the master key and a software called BartPE. After decrypting, the OS always corrupted itself somehow and I don't know if that's intended (well, it must be), so you have to use that program to copy whatever data you have on the hard drive to an external storage. It's a necessary evil to us.
[–] zeitsieben ago (edited ago)
Well, I wouldn't say that. Their antivirus provides us with a centralized administration console in which the security guys can put all kinds of rules. I'm pretty sure there are better solutions out there, or ones that do the same thing/have more functions and cost less than it. In the corporate world, you essentially need to put the blame on someone if things go awry, and as far as I know, their support was top notch and the new vulnerabilities that appear on our networks are dealt with swiftly due to the policy updates.
[–] Kalectrix 0 points 15 points 15 points (+15|-0) ago (edited ago)
Ha-ha yes. Linux supports this with ease. You don't really notice it, you just have to type in your passphrase at boot. You can also put nukes on it as well, so if someone tries brute forcing it the hard drive is as good as random gibberish. The other option is to just encrypt your home folder, which is the usual option. I used to run a persistent encrypted Kali Linux on a USB 3, was pretty good for a portable secure OS. Edit: correction
[–] NeverToday 0 points 1 point 1 point (+1|-0) ago
I do the whole disk thing and it's nice to know that if my laptop ever gets stolen, I really don't care that much. Go buy a new one, install my backup and never worry that my data will get pulled off the stolen machine.
I set it up via the Debian installer, if anyone's interested.
[–] jumpingmac 0 points 7 points 7 points (+7|-0) ago
It's important to note that whole disk encryption, while a strong mechanism for protecting your data against physical theft, is ineffective at protecting data stolen from you electronically.
[–] just-my-2c ago
Even then, you better hope it was turned off when it was stolen or used by an unauthorized person...
Alright, as someone who actually uses whole disk encryption and has for years for HIPAA, here is my experience.
I've used TrueCrypt for a long, long time; it's been vetted and found to be essentially unbreakable if you use a strong pass phrase. It will do exactly as you envision: it prompts you every time you boot and the disk itself will not work without that key. Next up we have, on newer machines, BitLocker. We have, again, whole disk encryption and this time the key is actually kept for us. If the drive is removed it won't be mountable. You can read much more about how BitLocker works by googling it. Finally there is speed; ok, there is a speed cost. However, even on a very low spec laptop it was virtually unnoticeable. So in short, rock on your encryption.
As always please please please please make sure you keep your keys safe, both from people stealing them and just from loss. This encryption means your data is basically totally lost without that key. TrueCrypt will make you, or at least prompt you, to make a recovery disk. BitLocker will print you a copy of your key. Keep them safe.
[–] jammi ago (edited ago)
iOS devices (iPhone, iPad) do it automatically since iOS 8. OS X has had that feature standard for a very long time; just go to System Preferences ➔ Security & Privacy ➔ FileVault ➔ Turn On FileVault...
[–] e0steven ago
Note that older versions of FileVault (legacy now) only encrypt the user's volume, not the whole disk.
[–] jammi 0 points 1 point 1 point (+1|-0) ago (edited ago)
That was more than a decade ago, which in OS X adoption time is like someone mentioning some Windows 3.1 or 95 limitation in a Windows context. But yeah, the first version of FileVault encrypted the home directory as an encrypted disk image volume.