<div dir="ltr"><div class="gmail_quote">2009/2/4 Shachar Shemesh <span dir="ltr"><<a href="mailto:shachar@shemesh.biz">shachar@shemesh.biz</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d">Erez D wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
so i though of a solution - use a crypto FS.<br>
but there are many problems with it.<br>
the practical problems are at least:<br>
1. i do not know of a major linux distibution (i.e. redhat/ubuntu etc... ) that fully support crypto-fs out of the box, so if i use it, i will need to do manual changes every time i upgrade the system.<br>
</blockquote></div>
Debian does. The installer even offers to install it for you.</blockquote><div><br>And so does Ubuntu.<br> <br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="Ih2E3d"><br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
2. it is not really secured if the key is stored on disk. however if the key is not stored on disk, then the computer can not acces the data without human intervention, which is not good either when it comes to servers.<br>
</blockquote></div>
What I do is to not encrypt everything (which is a good idea anyways). The root file system and all of the service directories are not encrypted, and only the data is. I also tweak the Debian startup sequence to not ask me for the encryption password during boot. This way, the system boots without a password (but does not contain any data), and I use a small script to perform the actual crypted file system mount later (by which time I can log into the machine from ssh).</blockquote>
<div><br>I didn't bother to use it yet (not quite relevant for my desktops) but I think current Ubuntu (8.10) also offers to encrypt only your home directory - so part of your login procedure is to provide the key to mount just the home directory of the particular user. That way you get the PC up, you don't get a performance hit from encryption of data you actually don't need to hide, your data is safe until you login (and then I think it's still accessible only to you), multiple users can share the computer, each with their own key.<br>
<br>All this is implied from installing Ubuntu from scratch on my work desktop last week (finally switched from Debian). No actual experience (yet).<br><br>Cheers,<br><br>--Amos<br><br></div></div></div>