Re: Two Questions

Hi,

>> Once the filesystem is mounted, it's mounted -- and you trust the kernel
>> (and, therefore, root) with everything that's mounted.  I can't think
>> how it could be any other way -- at least without fundamental changes to
>> the architecture of the OS.
> 
> The OS is fine, a special client software is necessary for doing this.
> I thought with the windows client FreeOTFE I could realise the scenario
> like with the commercial solution "SafeGuard LAN Crypt". Have a look:
> 
> 	http://www.infoguard.com/index.php?nav=6,84,203&lang=en

Quoting this text:
> Only the SafeGuard® LAN Crypt administrator has the right to allocate keys for
> files and directories.
So it is not the "system administrator", but the "SafeGuard® LAN Crypt
administrator", who can read your data. Where is the difference?

Quoting the same text again:
> In spite of unlimited access rights, the system administrator has no
> possibility to read files which have been encrypted before.
This is true for LUKS (and any other encryption method in unix-like systems)
as well. "root" cannot read the data that was encrypted before. _But_ he can
read it as long as the user is accessing it, due to the necessity that the
key has to be available to the local process that decrypts the data for the
user.

regards,
Lars

---------------------------------------------------------------------
 - http://www.saout.de/misc/dm-crypt/