I am not sure if the UTM has one or not but most of the time, firewalls do not have disk encryption because of the resources needed to run everything else. Other measures are taken to safeguard the device physically and logically.
What's your purpose for this issue :-) ? Your Firewall usually should not get stolen as maybe your Laptop can be...
I am guessing he is worried about the logs. If his devices are walking off, he needs to address physical security - big dog and/or a big gun and/or a real data center with anti-tailgating personnel trap(s), bio-metric entry controls, cameras, locking computer cabinets or racks, and a big security guard named Biff.
First of all, there are more than one person who is responsible for this device and there are situations when someone or some organizations can confiscate whole device, in reality utm is same as usual server just with routing, logging capabilities. Why usual servers need to be encrypted in some situations, think about it and you will get answer, by the way looks like its possible to integrate luks, because core distro is suse ?
p.s it should degrade performance if cpu have aes instructions.
Even if the CPU has the Intel AES instruction set, there WILL be a measurable difference in performance; how much depends on the power of the CPU, and disk subsystem speed.
Frankly I don't see the need for this -- none of the other commercial vendors that are commonly used have such a feature.
If you feel so strongly about it, you should go to UTM (Formerly ASG) Feature Requests: Hot (1891 ideas) and post a feature request there. This forum is not the place to request new features, but the Sophos product managers do review what is posted on the Feature site on a regular basis.
CTO, Convergent Information Security Solutions, LLC
Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
I am guessing he is worried about the logs. If his devices are walking off, he needs to address physical security - big dog and/or a big gun and/or a real data center with anti-tailgating personnel trap(s), bio-metric entry controls, cameras, locking computer cabinets or racks, and a big security guard named Biff.
Indeed Greg -- or at a minimum, just set the onboard logging to zero (1 day I guess) retention and log to a Syslog server offsite, etc.
Of course, if one got physical control of the device, they could still lift the configuration files, etc. off of it.
In the end it's about physical security.
CTO, Convergent Information Security Solutions, LLC
Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
What about using a harddrive with integrated encryption, like FDE SSDs? The problem with whatever drive encryption: Who will enter the passphrase at boot? Btw: It's possible to confiscate a *running* UTM and *keep it running* while confiscating [:)]
In that case use Hyper-V as hypervisor and use Bitlocker to encrypt the whole drive and install UTM as a virtual machine on Hyper-V. You'll still have to physically protect the server, but at least al the disks are encrypted.
Managing several Sophos UTMs and Sophos XGs both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.
