data security
Shachar Shemesh
shachar at shemesh.biz
Wed Feb 4 12:19:38 IST 2009
Erez D wrote:
>
> so I thought of a solution - use a crypto FS.
> but there are many problems with it.
> the practical problems are at least:
> 1. I do not know of a major Linux distribution (i.e. redhat/ubuntu
> etc... ) that fully supports crypto-fs out of the box, so if I use it,
> I will need to do manual changes every time I upgrade the system.

Debian does. The installer even offers to install it for you.

> 2. it is not really secured if the key is stored on disk. however if
> the key is not stored on disk, then the computer can not access the
> data without human intervention, which is not good either when it
> comes to servers.

What I do is to not encrypt everything (which is a good idea anyways).
The root file system and all of the service directories are not
encrypted, and only the data is. I also tweak the Debian startup
sequence to not ask me for the encryption password during boot. This
way, the system boots without a password (but does not contain any
data), and I use a small script to perform the actual crypted file
system mount later (by which time I can log into the machine from ssh).

Hope this helps.

Shachar
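
One way to arrange the deferred mount described in the reply above, as an added example that is not part of the original message and not Shachar's own script. It assumes a Debian system with the cryptsetup package (`cryptdisks_start`, the `noauto` option in `/etc/crypttab`); the mapping name `data` and the mount point `/srv/data` are hypothetical.

```shell
#!/bin/sh
# Added example: unlock an encrypted data volume by hand after an unattended boot.
# The passphrase is typed over ssh when this runs; it is never stored on disk.
# Assumed names (not from the post): mapping "data", mount point /srv/data.
NAME="${NAME:-data}"
MOUNTPOINT="${MOUNTPOINT:-/srv/data}"
CRYPTTAB="${CRYPTTAB:-/etc/crypttab}"

# Print the options (4th) field of the crypttab entry for mapping $1 in file $2.
crypttab_options() {
    awk -v n="$1" '$1 == n { print $4; exit }' "$2"
}

# Succeed only if mapping $1 is marked noauto in file $2, meaning the boot
# sequence skips it and does not stop to ask for a passphrase.
boots_unattended() {
    case ",$(crypttab_options "$1" "$2")," in
        *,noauto,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Open the mapping (prompting on the terminal) and mount it, skipping
# whichever step has already been done.
unlock_and_mount() {
    boots_unattended "$NAME" "$CRYPTTAB" ||
        echo "warning: $NAME is not noauto in $CRYPTTAB; boot will prompt" >&2
    # cryptdisks_start takes the source device and options from crypttab.
    [ -e "/dev/mapper/$NAME" ] || cryptdisks_start "$NAME" || return 1
    mountpoint -q "$MOUNTPOINT" || mount "/dev/mapper/$NAME" "$MOUNTPOINT"
}

# Run as root after logging in over ssh: ./unlock-data.sh unlock
if [ "${1:-}" = "unlock" ]; then
    unlock_and_mount
fi
```

Any `/etc/fstab` entry for the mount point should also carry `noauto` (or be absent), and services that need the data should be started only after this script succeeds.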