On Fri, Mar 24, 2006 at 04:59:41 -0500, Jeremy Katz wrote:
> On Fri, 2006-03-24 at 17:50 +0100, Karel Zak wrote:
> > On Thu, Mar 23, 2006 at 09:31:19AM -0500, Daniel J Walsh wrote:
> > > Laptops have become the standard machine for people, replacing the
> > > desktop. We need to consider defaulting FC6 with encrypted filesystem
> > > or at least homedirs out of the box. This should be a key feature of FC6.
> >
> > I don't think that an encrypted filesystem is a good way. I think a better
> > idea is support for encrypted devices (partitions). It's a solution
> > independent of the filesystem and it's useful for swaps too. For more
> > details see cryptsetup-luks and dm-crypt.
>
> The problem is that encrypting block devices in a user-friendly fashion
> kind of sucks.

 I think the original post was about laptop users.

> * Encrypting the rootfs's block device sucks as you need to be able to
> get a passphrase or whatever at boot-time before you have X (... and
> thus can display the proper fonts) and before you have a sane keyboard
> map.
> * You don't want an encryption that's global across all of /home, you
> really want to encrypt each user's home directory separately so that
> they can access their own stuff without needing any sort of admin

 Sorry, but privacy on a system where someone else has root permissions is
 only an illusion. I don't understand how a system could be really safe where
 the admin is able to modify the kernel or some system util and steal your
 password (or private key or whatever).

> access. But you don't want to require a separate block device per user
> as this is an administration nightmare.
>
> For some cases (eg, swap, removable devices), block device level can
> make a lot of sense. But for things like home directories, it kind of
> sucks. :-/

 Karel

--
 Karel Zak <kzak@xxxxxxxxxx>