FIPS-140 validated OSS data-at-rest encryption


Dan Risacher

Feb 16, 2010, 5:12:25 PM
to Military Open Source Software
Given the mandates for data-at-rest encryption, I think we should get
some OSS works-with-windows data-at-rest encryption product FIPS-140
validated, such as TrueCrypt, FreeOTFE or DiskCryptor.

Unfortunately, neither TrueCrypt nor FreeOTFE has an OSI-approved
license... although both licenses are pretty open.

DiskCryptor is GPLv3, but I don't know too much about it since most of
the forums appear to be in Russian.

Are there any alternatives that I missed?

Wheeler, David A

Feb 16, 2010, 6:40:20 PM
to mil...@googlegroups.com

Hmm, not sure I can add much, but I'll try.

There are many kinds of "data-at-rest" encryptors, ranging from single data element,
single file, directory trees, volumes, and whole-disk.
I found a discussion here that might be relevant:
http://www.infolawgroup.com/tags/data-at-rest/

Since OpenSSL is FIPS-certified, it might be easier to build on that.

I know that 7-zip can encrypt/decrypt archives:
http://www.7-zip.org/

You can get Windows with "BitLocker" (not OSS, but you're already not OSS with Windows).

If you use self-encrypting drives, then the problem changes (the encryption becomes part of the drive).

--- David A. Wheeler


Daniel Risacher

Feb 18, 2010, 12:48:14 AM
to mil...@googlegroups.com
Most of us working on actual government machines (or laptops anyway)
these days are mandated to use whole-disk encryption with pre-boot
authentication. I believe there is a JTF-GNO CTO to that effect and
DoD CIO policy also.

(Most of OSD is using DataArmor. I don't recall what DISA was using,
but it was something different.)

I am suggesting that it would be useful to have a plausible OSS
alternative in that space.


james

Feb 18, 2010, 4:03:15 PM
to Military Open Source Software
Have you checked out TrueCrypt?

http://www.truecrypt.org/legal/license

It appears to have some sort of open source licensing and according to
Wikipedia's Comparisons has WDE for Windows.

http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

On Feb 18, 12:48 am, Daniel Risacher <drisac...@gmail.com> wrote:
> Most of us working on actual government machines (or laptops anyway)
> these days are mandated to use whole-disk encryption with pre-boot
> authentication.  I believe there is a JTF-GNO CTO to that effect and
> DoD CIO policy also.
>
> (Most of OSD is using DataArmor.  I don't recall what DISA was using,
> but it was something different.)
>
> I am suggesting that it would be useful to have a plausible OSS
> alternative in that space.
>

David Egts

Feb 18, 2010, 8:25:37 PM
to mil...@googlegroups.com
On Thu, Feb 18, 2010 at 4:03 PM, james <jamesl...@gmail.com> wrote:
> Have you checked out TrueCrypt?
>
> http://www.truecrypt.org/legal/license
>
> It appears to have some sort of open source licensing and according to
> Wikipedia's Comparisons has WDE for Windows.
>
> http://en.wikipedia.org/wiki/Comparison_of_disk_encryption_software

Fwiw, the Fedora folks won't consider TrueCrypt until the licensing
terms are more agreeable for their purposes...

http://fedoraproject.org/wiki/ForbiddenItems#TrueCrypt
https://bugzilla.redhat.com/show_bug.cgi?id=454667

I don't know if the government folks would have similar concerns, but
I figure I'd mention it just in case.

Dave

John Scott

Feb 19, 2010, 7:52:20 AM
to mil...@googlegroups.com
I won't use something that has a non-standard license.
--
------------------------------------------------------------------
John Scott
< johnm...@mindspring.com >
<     jms...@gmail.com      >
ph 240.401.6574