
I have an application that needs to meet certain security and compliance requirements, and this application needs to be deployed on a private cloud/on-prem setup (the destination platform is not yet confirmed). In order to satisfy certain compliance requirements, I need to achieve full disk encryption.

As I don't have much experience in deploying to a private cloud / on-prem setup, how can I achieve this? In public clouds like AWS, GCP, etc., disk encryption will be handled by the providers themselves; we just need to specify that.

The OS that I'm using is Ubuntu. When I looked into Ubuntu full disk encryption methods, it mentioned that full disk encryption can only be achieved during installation (link). I also found links on enabling encryption of the '/home' directory. But, as the application data (docker) and the database data are not stored under the '/home' directory, it won't satisfy my requirement.

What can I do to achieve my use case? Or is this a setup that needs to be fully done by the platform provider? Please shed some light on this. Any help is very much appreciated.

Neron Joseph
  • It depends on the threat you are protecting from. Is it about ensuring that when a physical disk fails (one that could have held the VM's data) and is replaced, the data won't be leaked to a third party? Likewise, I don't understand why you think it's acceptable that "In public clouds like AWS, GCP, etc disk encryption will be handled by themselves". So you waive any at-rest protection from the remote host provider? Is that ok with the compliance you are trying to adhere to? – A.B May 17 '21 at 01:10
  • I mean, with public clouds like AWS, GCP, etc. we can enable disk encryption with a single click, and this data-at-rest encryption will be handled by AWS (in the case of AWS) with AWS-managed keys. But here in my case, the client's platform may not be a vetted private cloud setup. It may be an on-prem VM to which I may have only SSH or VPN access. My doubt is, in that case, whether full disk encryption is the full responsibility of the client, or whether I need to try to fully encrypt the disk if the client does not have disk encryption enabled. – Neron Joseph May 17 '21 at 04:39
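Before deciding who is responsible, it helps to know what the box actually does today. The following is an added example (mine, not from the question or its comments) that takes the device tree from `lsblk -J` and reports, for each data directory, which mount owns it and whether a dm-crypt layer sits anywhere beneath that mount; the `SAMPLE_LSBLK` tree and the paths are constructed.

```python
import json
import os
import subprocess

# Constructed lsblk -J -o NAME,TYPE,MOUNTPOINT output: /var/lib/docker is a
# separate mount on a LUKS-backed partition, while / itself is a plain partition.
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": "/"},
        {"name": "sda3", "type": "part", "mountpoint": None, "children": [
            {"name": "docker_crypt", "type": "crypt", "mountpoint": "/var/lib/docker"}]}]}]})


def _walk(nodes, chain=()):
    """Yield (mountpoint, tuple of device types from the disk down to the mounted device)."""
    for node in nodes:
        types = chain + (node["type"],)
        if node.get("mountpoint"):
            yield node["mountpoint"], types
        yield from _walk(node.get("children", []), types)


def mount_table(lsblk_json):
    """Map each mountpoint to True when a 'crypt' (dm-crypt/LUKS) layer is in its device chain."""
    return {mp: "crypt" in types for mp, types in _walk(json.loads(lsblk_json)["blockdevices"])}


def owning_mount(path, mountpoints):
    """Longest mountpoint that is a prefix of path, i.e. the filesystem that really holds it."""
    path = os.path.normpath(path)
    best = "/"
    for mp in mountpoints:
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best


def check_paths(paths, lsblk_json):
    """Return {path: (owning mountpoint, backed by dm-crypt?)} for the given data directories."""
    table = mount_table(lsblk_json)
    return {p: (owning_mount(p, table), table.get(owning_mount(p, table), False)) for p in paths}


def live_check(paths):
    """Run the same check against the running host (needs util-linux lsblk; not used by the sample)."""
    raw = subprocess.check_output(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"], text=True)
    return check_paths(paths, raw)


if __name__ == "__main__":
    for p, (mp, enc) in check_paths(["/var/lib/docker", "/var/lib/postgresql"], SAMPLE_LSBLK).items():
        print(f"{p}: on {mp}, dm-crypt={'yes' if enc else 'NO'}")
```

Stacked file-level encryption such as an eCryptfs home directory is not a block device, so it never appears as `crypt` here; this check only answers whether the backing storage under a path is dm-crypt, which is what the question's docker and database directories depend on.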

0 Answers