On Wed, 2006-12-20 at 23:07 +0100, Tomas Mraz wrote: > On Wed, 2006-12-20 at 16:23 -0500, Jeremy Katz wrote: > > Encrypting data? Very interesting. > > Encrypting the OS bits that anyone can download? Much less interesting, > > IMHO > > At least an encrypted swap is a requirement so sensitive data are not > left unencrypted on disk. /tmp and some /var subdirs are also > questionable. > > The swap could be enabled after boot is finished when X server is > running. /tmp and /var could be a tougher problem. swap is straight-forward; you don't really need to have a persistent key there. You could even just remake the swap partition with a new random key on every boot and it's not a big problem[1] For /tmp and /var, you likely want poly-instantiated dirs for the user bits and thus the encryption to be under the control of the user. You could also more generally use ecryptfs here to just do the specific subtrees of each that are cared about Jeremy [1] There are some interesting questions around hibernate, but it mostly requires sitting down and thinking about it -- Fedora-maintainers mailing list Fedora-maintainers@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-maintainers -- Fedora-maintainers-readonly mailing list Fedora-maintainers-readonly@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-maintainers-readonly
