data security

Amos Shapira amos.shapira at gmail.com
Wed Feb 4 13:09:39 IST 2009


2009/2/4 Shachar Shemesh <shachar at shemesh.biz>

> Erez D wrote:
>
>>
>> so i thought of a solution - use a crypto FS.
>> but there are many problems with it.
>> the practical problems are at least:
>> 1. i do not know of a major linux distribution (i.e. redhat/ubuntu etc... )
>> that fully supports crypto-fs out of the box, so if i use it, i will need to
>> do manual changes every time i upgrade the system.
>>
> Debian does. The installer even offers to install it for you.


And so does Ubuntu.


>
>> 2. it is not really secured if the key is stored on disk. however if the
>> key is not stored on disk, then the computer can not access the data without
>> human intervention, which is not good either when it comes to servers.
>>
> What I do is to not encrypt everything (which is a good idea anyways). The
> root file system and all of the service directories are not encrypted, and
> only the data is. I also tweak the Debian startup sequence to not ask me for
> the encryption password during boot. This way, the system boots without a
> password (but does not contain any data), and I use a small script to
> perform the actual crypted file system mount later (by which time I can log
> into the machine from ssh).


I didn't bother to use it yet (not quite relevant for my desktops) but I
think current Ubuntu (8.10) also offers to encrypt only your home directory
- so part of your login procedure is to provide the key to mount just the
home directory of the particular user. That way you get the PC up, you don't
get a performance hit from encryption of data you actually don't need to
hide, your data is safe until you log in (and then I think it's still
accessible only to you), multiple users can share the computer, each with
their own key.

All this is implied from installing Ubuntu from scratch on my work desktop
last week (finally switched from Debian). No actual experience (yet).

Cheers,

--Amos
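
The deferred-mount setup described in the quoted reply above, as an added example that is not part of the original thread: the script checks that the data volume is skipped at boot and has no key file on disk, then unlocks and mounts it from an ssh session. It assumes Debian's `/etc/crypttab` with the `noauto` option and the `cryptdisks_start` helper; the volume name `cryptdata` and mount point `/srv/data` are hypothetical.

```shell
#!/bin/sh
# Added example: deferred unlock of an encrypted data volume on Debian.
# Assumptions: dm-crypt via /etc/crypttab; NAME and MOUNTPOINT are hypothetical.
NAME="${NAME:-cryptdata}"
MOUNTPOINT="${MOUNTPOINT:-/srv/data}"
CRYPTTAB="${CRYPTTAB:-/etc/crypttab}"

# Print the options field (4th column) of an entry; exit non-zero if absent.
crypttab_options() {
    awk -v n="$1" '$1 == n { print $4; found = 1 } END { exit !found }' "$2"
}

# 0: entry has "noauto" (boot skips it, no passphrase prompt at startup)
# 1: entry would be unlocked at boot; 2: no such entry
is_deferred() {
    opts=$(crypttab_options "$1" "$2") || return 2
    case ",$opts," in
        *,noauto,*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the key field (3rd column) is anything but "none", i.e. a key file
# sits on the same disk and the encryption protects little.
key_on_disk() {
    awk -v n="$1" '$1 == n { print $3 }' "$2" | grep -qv '^none$'
}

# Run by an admin over ssh after boot: cryptdisks_start prompts for the
# passphrase on the terminal, so the key never touches the disk.
unlock_and_mount() {
    if ! is_deferred "$NAME" "$CRYPTTAB"; then
        echo "$NAME: missing or not marked noauto in $CRYPTTAB" >&2
        return 1
    fi
    if key_on_disk "$NAME" "$CRYPTTAB"; then
        echo "$NAME: key file configured on disk, refusing" >&2
        return 1
    fi
    cryptdisks_start "$NAME" && mount "/dev/mapper/$NAME" "$MOUNTPOINT"
}

# Only act when explicitly asked, e.g.: sudo ./mount-data.sh mount
if [ "${1:-}" = "mount" ]; then
    unlock_and_mount
fi
```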