:: [DNG] Full disk encryption (was Re:…
Page principale
Supprimer ce message
Répondre à ce message
Auteur: Olaf Meeuwissen
Date:  
À: Didier Kryn
CC: dng
Anciens-sujets: Re: [DNG] some ASCII issues
Sujet: [DNG] Full disk encryption (was Re: some ASCII issues)
Hi,

Didier Kryn writes:

> Le 28/06/2017 à 20:33, Rick Moen a écrit :
>> Quoting Didier Kryn (kryn@???):
>>
>>>      I don't see any reason to encrypt /usr. You might like to
>>> encrypt /etc because it contains user names and (already encrypted)
>>> passwords. But definitely there is no reason to encrypt everything.
>> /home would be where I keep anything that's sensitive.  I'm unclear on
>> why usernames in /etc are deemed sensitive, but I'm sure needs differ.

>>
>> Temporary files in /tmp are sometimes a little sensitive and sometimes
>> greatly so. (It's usually a tmpfs on my systems.) Operational paranoia
>> suggests keeping it at least cleaned up frequently, if you're going to
>> bother to have /home as a dmcrypt filesystem. That's where tmpfs is
>> actually helpful in the sense that erasure means a file from there is
>> truly gone.
>
>      Sure /home is the first place one thinks of encrypting and /tmp is
> the second, together with possible other fancy dirs.


The mail and print spool areas below /var/ spring to mind. Your log
files might contain plain text password if users accidentally entered
their password where they were supposed to enter their username. There
are probably more "corner cases" we can think up.

Considering that, encrypting the whole disk is just the most fool proof
way to go about things.

Made possible by libreboot, this "fool" has even /boot/ encrypted ;-)
Hey, my hashed grub passwords are in there!

> Encrypting passwd and the like would just add a little of
> security-through-obscurity by even hiding the usernames; this is why I
> considered /etc as a third (non-obvious) thing to encrypt; /etc also
> contains every local configuration, and it might make sense to hide it
> all.
>
>      To simplify, all of /home and /tmp aren't really part of the OS.
> The OS can boot without them. All the rest is the OS and is the same as
> any other install of the same OS; and there isn't any reason to encrypt
> something which is published and widespread.


Hmm, /var/ is arguably not part of the rest of the OS. Ditto for /srv/,
/opt/ and /usr/local/. But then again, who uses those.

Hope this helps,
--
Olaf Meeuwissen, LPIC-2            FSF Associate Member since 2004-01-27
 GnuPG key: F84A2DD9/B3C0 2F47 EA19 64F4 9F13  F43E B8A4 A88A F84A 2DD9
 Support Free Software                        https://my.fsf.org/donate
 Join the Free Software Foundation              https://my.fsf.org/join