Posted on | November 4, 2009 | No Comments
A lot of you have probably, at one time or another, had to deal with PCI/DSS compliance. I’ve dealt with it too, but this is the first time that I’ve really confronted conforming to HIPAA and HITECH, which dictate how medical records should be stored.
EncFS is the perfect solution in such a case. Its a pass through file system, which means encrypted contents are stored outside of the actual mount point. For instance, you would have .secure/ which contains the encrypted bits, and secure/ which serves as the mount point to access them.
This allows for awesome flexibility when dealing with things like backups, allowing users to mount and unmount file systems (don’t want root snooping around, do we?) and granular archiving of files that have not been touched in years. Why is it so flexible? The FS does not have to be mounted (or decrypted) to do these operations.
Getting it going on CentOS 5 was a bit of a pain. I needed to build from source, which led to having to manually compile libboost, compile a logging library (by the same author) that was not in rpmforge and do a kernel update to get FUSE working, but after that it was solid.
The other up side is web applications can mount and unmount storage volumes, ensuring that nothing sensitive is left mounted when nobody is using it. That’s just out of grasp for most other methods, including LUKS + LVM. Root is taken completely out of the picture.
I have not had a chance to fire up bonnie ++ with it yet, but will.
Its a great addition to your tool box if your job entails keeping data safe.