On 06/27/2010 02:20 AM, markus reichelt wrote:
> * Arno Wagner <arno@xxxxxxxxxxx> wrote:
>> Hmm. You know, encrypted root is a problem and pretty difficult to
>> do in the first place. Why not just encrypt the critical parts,
>> like /var /home /root? The rest only holds binaries and config
>> files anyways, which are not that sensitive...
>
> Are you serious?

Usually encrypting everything is better, otherwise we add many problems here.
Just to randomly pick two of them:

- User must think and know which data are sensitive and avoid copying them
  to unencrypted space. It can happen even without his knowledge
  - temporary file somewhere, coredump, whatever.

- using "social engineering":
  how many people will set the same password for disk encryption and
  his account? If I have /etc/shadow visible, why should I bother
  with attacking disc encryption with all its barriers?
  I'll run a dictionary search for passwords there, pretty good tools
  are already here.
...
I think that for a laptop, encrypting everything is better. And I expect
that after a clean shutdown my machine is safe.

All used tools currently provide methods how to do it properly
(I mean dm-crypt/LUKS, loop-aes or Truecrypt).

It is just about properly written init/shutdown scripts. I do not think it is
so complicated to fix it - just reverse initramfs root-fs mapping.
Several similar parts of problems "cutting own throat" are there
(like pvmove on root-fs in LVM, multipath solving the situation when all paths
to underlying device are temporarily gone).
This is nothing completely new.
(And yes, I quite intentionally hijacked this thread to focus on this shutdown
& encrypted root-fs problem, sorry :-)
Milan
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
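
Added example, not part of the original message or of any dm-crypt tooling: a small audit that takes /proc/mounts-style text plus the set of dm-crypt mappings and reports which sensitive paths end up on a plaintext block device, run here against the partial layout (/var, /home, /root encrypted) discussed in the thread. The device names, the mapper names and the list of sensitive paths are constructed assumptions.

```python
import os.path

# Constructed /proc/mounts excerpt for the partial layout proposed in the
# thread: only /var, /home and /root sit on dm-crypt mappings.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw 0 0
proc /proc proc rw 0 0
/dev/mapper/crypt_var /var ext4 rw 0 0
/dev/mapper/crypt_home /home ext4 rw 0 0
/dev/mapper/crypt_root /root ext4 rw 0 0
"""
# Assumption: these mapper names are the dm-crypt targets (on a live system,
# `dmsetup ls --target crypt` lists them).
SAMPLE_CRYPT = {"/dev/mapper/crypt_var", "/dev/mapper/crypt_home",
                "/dev/mapper/crypt_root"}
# Places where secrets land without the user choosing to put them there.
SENSITIVE = ["/etc/shadow", "/tmp", "/var/tmp", "/var/log", "/home", "/root"]

def parse_mounts(text):
    """Return {mount_point: device} from /proc/mounts-style text."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            mounts[fields[1]] = fields[0]  # later mounts shadow earlier ones
    return mounts

def backing_mount(path, mounts):
    """Longest mount point that is a path-prefix of `path`."""
    path = os.path.normpath(path)
    best = None
    for mp in mounts:
        if mp == "/" or path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best

def plaintext_exposure(mounts_text, crypt_devices, paths):
    """Return [(path, device)] for paths stored on a non-dm-crypt block device."""
    mounts = parse_mounts(mounts_text)
    exposed = []
    for p in paths:
        dev = mounts.get(backing_mount(p, mounts))
        if dev and dev.startswith("/dev/") and dev not in crypt_devices:
            exposed.append((p, dev))
    return exposed

if __name__ == "__main__":
    for path, dev in plaintext_exposure(SAMPLE_MOUNTS, SAMPLE_CRYPT, SENSITIVE):
        print(f"{path} is stored unencrypted on {dev}")
```

With the sample layout, /etc/shadow and /tmp are reported on the plaintext root device, while everything under /var, /home and /root resolves to a dm-crypt mapping.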