Re: Musings about on-disk encryption in Fedora Core

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2004-07-05 at 21:54, W. Michael Petullo wrote:
> >> I am working on implementing encrypted root filesystem support to  
> >> mkinitrd.  See  
> >> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124789 for more
> >> information and an patch.
>  
> > I looked at the patch any I see the problem that you need to call
> > mkinitrd with certain arguments in order for this to work. This  
> > should just kind of determine the parameters (i.e. read them from a  
> > config file written while creating the encrypted root device) used on  
> > the current root fs and apply them automatically so that calls to  
> > mkinitrd from e.g. the kernel pkgs' %post scripts work.
> 
> Okay, that's a great point.  Where should the configuration file be?  / 
> etc/sysconfig/rootfs would get my vote.

ACK as far as I'm concerned.

> If my system password is not unknown to others then my encryption  
> password is probably no good either.  I think root has to be trusted in  
> most cases.  I would be interested to hear any arguments that "only  
> mount[ing] the encrypted, potentially sensitive stuff when you need it"  
> would be more secure than unmounting encrypted volumes a login time  
> (assuming a strong system authentication token).

If I have a different password, there is no representation of it on disk
(like crypt() or MD5 hashes of a login password). There's a reason my
PGP pass phrase is different from my login password as well ;-). If one
is compromised, the other isn't.

Nils
-- 
     Nils Philippsen    /    Red Hat    /    nphilipp@xxxxxxxxxx
"They that can give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety."     -- B. Franklin, 1759
 PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux