On Pá, bře 24, 2006 at 04:59:41 -0500, Jeremy Katz wrote:
> On Fri, 2006-03-24 at 17:50 +0100, Karel Zak wrote:
> > On Thu, Mar 23, 2006 at 09:31:19AM -0500, Daniel J Walsh wrote:
> > > Laptops have becoming the standard machine for people, replacing the
> > > desktop. We need to consider defaulting FC6 with encrypted filesystem
> > > or at least homedirs out of the box. This should be a key feature of FC6.
> >
> > I don't think that encrypted filesystem is a good way. I think better
> > idea is support for encrypted devices (partitions). It's solution
> > independent on filesystem and it's useful for swaps too. For more
> > details see cryptsetup-luks and dm-crypt.
>
> The problem is that encrypting block devices in a user-friendly fashion
> kind of sucks.
I think the original post was about laptop users.
> * Encrypting the rootfs's block device sucks as you need to be able to
> get a passphrase or whatever at boot-time before you have X (... and
> thus can display the proper fonts) and before you have a sane keyboard
> map.
> * You don't want an encryption that's global across all of /home, you
> really want to encrypt each user's home directory separately so that
> they can access their own stuff without needing any sort of admin
Sorry, but privacy on system where someone other has root permissions
is illusion only. I don't understand how could be really safe system
where admin is able to modify kernel or some system util and steal
your password (or private key or whatever).
> access. But you don't want to require a separate block device per user
> as this is an administration nightmare.
>
> For some cases (eg, swap, removable devices), block device level can
> make a lot of sense. But for things like home directories, it kind of
> sucks. :-/
Karel
--
Karel Zak <kzak@xxxxxxxxxx>
