
Re: [Gnumed-devel] Re: GNUmed (debian) servers and security


From: James Busser
Subject: Re: [Gnumed-devel] Re: GNUmed (debian) servers and security
Date: Mon, 28 Jan 2008 21:32:19 -0800


On 28-Jan-08, at 9:46 AM, Andreas Tille wrote:

> These are different layers.  I was talking about encryption of the
> hard disk. Once it is mounted everything is transparent for postgresql.
> It just helps if somebody plugs out the power cable that you are quite
> safe that he is unable to access your data.

Encryption of the whole hard disk is simple; it is just extremely limiting because it requires that a suitable person be physically present to input the key from the console any time that the system is rebooted. This would mean that:

- if the server is in your office / praxis, the reboot can only be done while there is someone in the office who can input the key from the console; this means that if the computer should reboot in the evening or on the weekend when the doctors may be on call from home (e.g. rebooting after a power brownout), the server will remain offline until the needed person(s) can be available to physically come/go into the office

- the server would also be unable to be kept headless, so you are now talking about having to keep a monitor and keyboard attached, along with the ability for someone to interact directly in the physical space, which sometimes closets poorly allow :-)

... this is why previous discussion suggested that for a production server that would run in a medical praxis, the boot volume with the OS could be unencrypted (this would permit tech support to access the machine for system maintenance and permit ssh remote login, so that the IT support people (if trusted with the data partition key) or one of the doctors or administrators can then remotely supply the key to mount the data partitions). In one other variation described by Tim Churches, the data partition mount key could be kept on USB sticks and these could be kept under special on-site lockup.
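
The arrangement described above (unencrypted OS volume, data partition unlocked after boot over SSH or from a USB key file), as an added example that is not part of the original message. It assumes LUKS via cryptsetup and a systemd-managed PostgreSQL service; the device, mapping, mount-point and script names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): unlock the encrypted data
# partition after the unencrypted OS volume has booted unattended.
# Assumptions: LUKS via cryptsetup; all names below are hypothetical; the
# database service is disabled at boot so it never starts on an empty mount.
DATA_DEV="${DATA_DEV:-/dev/sdb1}"          # encrypted data partition
MAP_NAME="${MAP_NAME:-gnumed_data}"        # name under /dev/mapper
MOUNT_POINT="${MOUNT_POINT:-/srv/pgdata}"  # PostgreSQL data lives here
DB_SERVICE="${DB_SERVICE:-postgresql}"
MOUNTS_FILE="${MOUNTS_FILE:-/proc/mounts}"

# Succeeds only if the decrypted mapping is mounted at MOUNT_POINT.
data_is_mounted() {
    awk -v dev="/dev/mapper/$MAP_NAME" -v mp="$MOUNT_POINT" \
        '$1 == dev && $2 == mp { found = 1 } END { exit !found }' "$MOUNTS_FILE"
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# unlock_data [KEYFILE]
# With KEYFILE (e.g. on a USB stick from on-site lockup) the key is read from
# that file; without it cryptsetup prompts on the terminal of the SSH session.
unlock_data() {
    keyfile="${1:-}"
    if data_is_mounted; then echo "already mounted"; return 0; fi
    if [ -n "$keyfile" ]; then
        [ -r "$keyfile" ] || { echo "key file not readable: $keyfile" >&2; return 1; }
        run cryptsetup open --key-file "$keyfile" "$DATA_DEV" "$MAP_NAME" || return 1
    else
        run cryptsetup open "$DATA_DEV" "$MAP_NAME" || return 1
    fi
    run mount "/dev/mapper/$MAP_NAME" "$MOUNT_POINT" || return 1
    run systemctl start "$DB_SERVICE"
}

# Only act when called as: sh unlock-data.sh --unlock [KEYFILE]
case "${1:-}" in
    --unlock) unlock_data "${2:-}" ;;
esac
```

Setting `DRY_RUN=1` prints the commands instead of running them, which lets the sequence be checked before it is needed after a real reboot.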





