Best Practices - Drive Encryption for Linux
|Article:TECH149694|||||Created: 2010-01-07|||||Updated: 2013-09-19|||||Article URL http://www.symantec.com/docs/TECH149694|
Symantec Drive Encryption (previously PGP Whole Disk Encryption) for Linux locks down the entire contents of your Linux system using Drive Encryption Powered by PGP Technology.
Support for Drive Encryption on Linux operating systems began with PGP Desktop 10.0.
When you encrypt an entire disk using Drive Encryption for Linux, every sector is encrypted using a symmetric key. This includes all files including operating system files, application files, data files, swap files, free space, and temp files.
Before encrypting your disk, here are some best practices:
- Ensure the health of the hard disk.
- Choose the encryption options to use.
- Make sure to maintain power throughout encryption.
Ensure Disk Health
Drive Encryption deliberately takes a conservative stance when encrypting drives to prevent a loss of data. Therefore, it is not uncommon to encounter Cyclic Redundancy Check (CRC) errors while encrypting a hard disk.
If Drive Encryption for Linux encounters a hard drive or partition with bad sectors, it will, by default, pause the encryption process. This pause allows you to remedy the problem before continuing with the encryption process, thus avoiding potential disk corruption and lost data.
To avoid disruption during encryption, it is recommended that you start with a healthy disk by correcting any disk errors prior to encrypting.
As a best practice, before you attempt to encrypt your drive, use a third-party scan disk utility that has the ability to perform a low-level integrity check and repair any inconsistencies with the drive that could lead to CRC errors.
The following options are available during the encryption process:
- --dedicated-mode: Uses maximum computer power to encrypt faster; your system is less responsive during encryption.
- --fast-mode: Skips unused sectors, so encryption of the disk is faster.
- --safe-mode: Allows encryption to be resumed without loss of data if power is lost during encryption; encryption takes longer.
Maintain Power Throughout Encryption
Because encryption is a CPU-intensive process, encryption cannot begin on a laptop computer that is running on battery power. The computer must be on AC power. Do not remove the power cord from the system before the encryption process is over.
Regardless of the type of computer you are working with, your system must not lose power, or otherwise shut down unexpectedly, during the encryption process, unless you use the --safe-mode option. Even if you are using the --safe-mode, it is still better not to lose power during the encryption process.
If loss of power during encryption is a possibility or if you do not have an uninterruptible power supply for your computer, be sure to use the --safe-mode option.
Article URL http://www.symantec.com/docs/TECH149694