For many system administrators, Linux is arguably the most secure operating system out there. But even if this were true, there’s going to be instances when you’ll still want to make sure you apply full disk encryption on your Linux systems.
Threats against data at rest and how encryption helps
If you’re like most businesses these days, chances are, you’ve already amassed a sizable amount of sensitive data-at-rest (i.e. data stored in storage devices) — data that cybercriminals might want to get their hands on.
But if your network (and the computers in it) is protected by a cordon of state-of-the-art security solutions like Next Generation Firewalls (NGFW), Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM) systems, and others, how in the world can an attacker get hold of that data? Well, the attacker can simply walk into your server room, steal the hard drives from your servers, and access the data in those drives from their own computer.
Protecting data-at-rest with Linux encryption
One way to mitigate this risk is, of course, by stationing security guards, installing CCTV cameras, limiting access, and implementing other physical security measures around your server room. Another way is to apply some sort of Linux full-disk encryption solution.
Linux full-disk encryption renders a Linux drive practically unreadable unless whoever wants to access the stored data provides the right password or key. So, even if a hard disk is stolen, the attacker still won’t be able to retrieve the data.
Since full disk encryption is sometimes difficult to set up and is known to degrade performance of the desktop or server using it, it’s important to know when it’s necessary to be put into use.
When your Linux machine contains sensitive data
Not all Linux machines need to be encrypted, especially not using full-disk encryption. If your Linux machine doesn’t contain any sensitive data, then you probably don’t have to go through all the trouble of encrypting it.
So what qualifies as sensitive data? Personal information (e.g. personal data of your customers and/or employees), financial data, trade secrets, marketing strategies, blueprints, and just about any kind of information that you don’t want an unauthorized individual to have access to. If your Linux machine doesn’t have any of these, then you probably don’t have to encrypt it.
When it stores, processes, or transfers data subject to regulatory compliance
This condition is similar to the previous one but demands even more attention. The reason is that, failure to secure the type of data discussed here can cost hefty fines and stiff penalties. We’re of course referring to data covered by data protection laws and regulations like the Health Insurance Portability and Accountability Act (HIPAA), Payment Card Industry Data Security Standard (PCI DSS), European Union General Data Protection Regulation (GDPR), and so on.
If you’re covered by any of these laws and regulations, and your store, process, or transfer data using your Linux machines, then it might be a good idea to conduct a comprehensive audit to determine if any of those Linux machines are in scope of those specific laws and regulations. If they are, you’ll need to apply some form of encryption, whether a Linux encryption software or hardware.
One great full-disk encryption solution is WinMagic. WinMagic supports all major operating systems, including Linux, Windows, and Mac. It also supports both endpoints and servers, whether physical servers, virtual servers, or cloud-based servers.
When you’re a system administrator
If you’re a system administrator and you manage Linux servers remotely from a Linux desktop, there’s a good chance your desktop contains the SSH private keys you use to access your Linux servers. If this is the case, then you definitely will want to encrypt the hard drive of that desktop.
If that desktop gets stolen or accidentally falls into the wrong hands, your entire network could be at risk. The moment an attacker gets hold of those keys, he/she would be able to gain access to your servers. Once the attacker controls those, he/she can then perform lateral movement inside your network and gain control of other machines inside it as well.
While certainly, not everyone needs to encrypt their Linux devices, it pays to know which particular instances call for Linux encryption. That way, you’ll be able to make an informed decision and implement it if ever it’s needed.