[CentOS] Deciding when to do system encryption

Tue Oct 11 15:19:41 UTC 2011
m.roth at 5-cent.us <m.roth at 5-cent.us>

Ljubomir Ljubojevic wrote:
> Vreme: 10/11/2011 04:43 PM, Bade Iriabho piše:
>> Thanks guys, Paul you make very good points. Noted...
>>>> 1. You have a server in a secured server room on a rack (is there
>>>>   any need and advantage to having system encryption in this
>>>>   particular case)
>>> Only if there's requirements from above... or if you're going to be
>>> pulling drives as backups, say, and taking them out of there.
Oh, another requirement: PCI DSS (it's been two and a half years since I
worked for a co that does managed security and was also a root CA). Look
at <https://www.pcisecuritystandards.org/index.php>, and the docs. For any
credit card information, ALL DATA between two systems *must* be encrypted,
and positively, if you need to pull a drive to replace it, you're going to
have to sanitize it, since someone could take it apart and rebuild it, and
get data off it.

So, if credit card transactions might be on it - any kind of PII (personal
identifying information) or HIPAA (for those in the US, medical data) -
you need encryption.

Or if you don't want anyone seeing your pr0n collection.... <g>