Top-post cause of BB :-( Private keys (if stored locally), for outgoing traffic, should reside in the users home-dir. Passwords should be replaced multi-factor strong auth's: card/token plus PIN. Any alterations of filesystem beyond /home can be detected+reported. Full disc encryption on a athom demands some extra patience :-) ----- Oorspronkelijk bericht ----- Van: Bill Davidsen [mailto:davidsen@xxxxxxx] Verzonden: Saturday, June 29, 2013 10:07 PM W. Europe Standard Time Aan: Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx> Onderwerp: Re: retrofitting LUKS encryption on installed system J.Witvliet@xxxxxxxxx wrote: > -----Original Message----- > From: users-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:users-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Fred Smith > Sent: Friday, June 28, 2013 3:42 PM > To: users@xxxxxxxxxxxxxxxxxxxxxxx > Subject: retrofitting LUKS encryption on installed system > > I've got a F19 installation that I'd like to turn into a fully encrypted > system with LUKS. > > There are many howtos on the web for encrypting a partition, but they > all show doing it to /home. > -----Original Message----- > > No, just re-install. > One partition with /boot and another with an encrypted volume-group, holding /, swap and the rest. > > But before embarking on that trip, do you really need full disk encryption? > I mean, the content of /usr is on any fedora-cd ;-) And when up-and-running, everything is unlocked. > > The only valid reason I can think about, is that other people have physically access to your machine and could get root-access by booting from cd/dvd, and might alter your system. > If they have secret access they can install evil devices, but if you are protecting against theft (laptops) or someone with a search warrant (NSA) comes and takes your drives. > It surely works, but at a performance price. And the certainty that you have to enter the LUKS-key each time you boot. > The only safe place to store password info is in your head. If one other person has it it's not a secret, so you have to decide if losing the data is worse than having someone else get it. That's a policy decision, on-technical. > ______________________________________________________________________ > Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het electronisch verzenden van berichten. > > This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages. > -- Bill Davidsen <davidsen@xxxxxxx> "We have more to fear from the bungling of the incompetent than from the machinations of the wicked." - from Slashdot -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org -- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
