
Re: Mutt & tmp files -- Root is not my Enemy



Howland, Curtis [howlandc@kvh.co.jp] wrote:
>
> There is also this How-To:
> 
> http://www.linux.org/docs/ldp/howto/Loopback-Encrypted-Filesystem-HOWTO.html
> 
That's a very good one.  If you actually get the stuff at
cryptoapi.sourceforce.net you can do other filesystems other than ext2
(easily). A journalled crypto filesystem on a laptop is a better idea than a
bog standard ext2 one.  For various reasons, otherwise for a desktop/server
environment ext2 crypto is great.

> I've been thinking that a 100 or 500MB encrypted loop device per user,
> mounted as a subdirectory under the individual users home, would be
> effective. It doesn't encrypt the entirety of the disk, nor all of the
> home directory, but could be (for instance) the KDE or GNOME "Desktop"
> folder, and anything there would be hid from prying eyes.
>
A little excessive in size, but that's the kind of system I use.  You need to
explain to the users the limits of the encryption and how to effectively use
it.  Also point out the things that *don't* need encrypting.  This will
prevent overloading the machine and also 90% of security is down to the
individual, the other 10% is *assisted* by technology.  They need to know
that this is not a magic black box, you do actually need to know how it works
and how to use it for it to become effective.
 
> The same caveats, "when you're logged in it's wide open" and "it's only
> as good as your passphrase" apply.
> 
> Thoughts?
> 
Smartcard, PCMCIA memory card for the filesystem.  Smartcards however
currently don't hold very much, something like a couple of kilobytes (of mass
el cheapo production).  PCMCIA memory stuff is expensive.  However I think
8 (or less)-16Mb cards can be picked up cheaply second hand.  This would make
a very nice alternative as ISA PCMCIA adapters for desktops are very cheap
and fully supported.  This would also permit you to use your *private* data
on a number of machines and even take stuff home.  Another portable storage
thing is of course zip/clik disks, floppies, etc.

What you have to think about is how much to trust the machine; if you don't,
then only a detachable device would work, which then plugs into the local terminal.

Alex

-- 
 _________________________________________ 
( BOFH excuse #306:                       )
(                                         )
( CPU-angle has to be adjusted because of )
( vibrations coming from the nearby road  )
 ----------------------------------------- 
        o   ^__^
         o  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||
