On Tue, Jun 19, 2007 at 09:36:28 +0930,
  n0dalus <n0dalus+redhat@xxxxxxxxx> wrote:
>
> Does full disk encryption have many advantages over directory-based
> encryption? It seems like a lot less pain to be able to boot into X
> and just have important directories encrypted.

If you are going to run things like a DBMS on top of an encrypted filesystem
you need to know that it is going to have guarantees about when data is
written to the disk. dmcrypt is designed to do that (though there is an
issue with it on SMP systems since 2.6.19 when it switched to work queues).
I haven't seen this issue addressed by the other encryption systems being
proposed, though I could have easily missed it.

> One problem I see in both approaches is access control. Many computers
> are used by more than one person, and instead of giving everyone the
> one password (and having to change it whenever someone leaves the pool
> of trusted people), it might be better to make sure these methods use
> username/password combos which can be added and revoked.

Only the people that need to boot the machine need the password if you
are using dmcrypt with whole partition encryption. If there are several
of these, each can have their own password.

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list