
Re: Keeping files away from users



On Thu, Jun 05, 2003 at 10:44:47AM +0200, Lars Ellenberg wrote:
> 
> or keep an encrypted copy of all relevant files separately, and on
> bootup / service startup you decrypt it temporarily to the correct
> location, start the service, and unlink it again (after you wiped it
> with garbage, of course ;-] ). (will probably not work if services try
> to be smart and reread their conf files on a regular basis...)

I'm almost certain it's a bad idea for two reasons:
 -- only data is encrypted, not file system metadata.  This means
    an attacker might find additional information you wouldn't
    share otherwise, e.g. extended attributes.
 -- you just don't know where all the pieces of a sensitive file
    are scattered on your disk during its lifetime.  Some bits
    may remain here or there--who knows?  There's no guarantee
    that overwriting the file with garbage (wiping) destroys
    the remaining bits.

A few months ago there was a thread on this topic on
linux-fsdevel in which you'll find these points explained in more
detail.

bit,
adam

-- 
1024D/37B8D989 954B 998A E5F5 BA2A 3622  82DD 54C2 843D 37B8 D989      
finger://borso@vekoll.vein.hu | Some days, my soul's confined
http://www.keyserver.net | And out of mind
Sleep forever
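A toy model of the second objection above (the "wipe with garbage, then unlink" step leaving plaintext behind), added here as an illustration; it is not code from this thread or from any real filesystem. It simulates two tiny block devices: one whose filesystem rewrites a file's existing blocks in place, and one that behaves like a journaling, copy-on-write or log-structured filesystem (or a flash wear-levelling layer) and puts every write into freshly allocated blocks. The same wipe-and-unlink sequence is run on both, and the raw device is then scanned for the secret. The file name and the config line are constructed sample data.

```python
import os

BLOCK_SIZE = 16    # bytes per simulated disk block
DISK_BLOCKS = 32   # blocks on the simulated device


class SimDisk:
    """A flat block device with a tiny file table: name -> (block list, length).

    copy_on_write=False models a filesystem that rewrites a file's existing
    blocks in place.  copy_on_write=True models designs that allocate fresh
    blocks for every write and merely mark the old ones free (journaling,
    copy-on-write and log-structured filesystems, flash wear levelling).
    This is a simplified model, not any real filesystem's layout.
    """

    def __init__(self, copy_on_write):
        self.blocks = bytearray(BLOCK_SIZE * DISK_BLOCKS)
        self.free = list(range(DISK_BLOCKS))
        self.files = {}
        self.copy_on_write = copy_on_write

    def _chunks(self, data):
        return [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]

    def write(self, name, data):
        chunks = self._chunks(data)
        old_blocks, _ = self.files.get(name, ([], 0))
        if old_blocks and not self.copy_on_write and len(old_blocks) == len(chunks):
            blocknums = old_blocks                            # overwrite in place
        else:
            blocknums = [self.free.pop(0) for _ in chunks]    # fresh blocks
            self.free.extend(old_blocks)   # old blocks freed, their bytes untouched
        for b, chunk in zip(blocknums, chunks):
            start = b * BLOCK_SIZE
            self.blocks[start:start + BLOCK_SIZE] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.files[name] = (blocknums, len(data))

    def unlink(self, name):
        blocknums, _ = self.files.pop(name)
        self.free.extend(blocknums)   # unlink frees blocks; it does not clear them


def wipe_and_unlink(disk, name, passes=3):
    """The 'wipe with garbage, then unlink' step from the quoted proposal."""
    _, length = disk.files[name]
    for _ in range(passes):
        disk.write(name, os.urandom(length))
    disk.unlink(name)


def plaintext_recoverable(copy_on_write):
    """Write a secret, wipe-and-unlink it, then scan the raw device for it.

    Returns True if the plaintext is still present somewhere on the device.
    """
    disk = SimDisk(copy_on_write)
    secret = b"db_password=hunter2-very-secret"   # constructed sample config line
    disk.write("service.conf", secret)            # hypothetical file name
    wipe_and_unlink(disk, "service.conf")
    assert "service.conf" not in disk.files       # the file is gone either way
    return secret in bytes(disk.blocks)


if __name__ == "__main__":
    print("in-place filesystem, plaintext still on device:",
          plaintext_recoverable(copy_on_write=False))
    print("copy-on-write filesystem, plaintext still on device:",
          plaintext_recoverable(copy_on_write=True))
```

On the in-place device the three passes land on the file's own blocks and the secret is gone; on the copy-on-write device every pass goes to new blocks, the original blocks are only returned to the free list, and a scan of the raw device still finds the plaintext even though the file no longer exists. That is the gap between "the file was overwritten" and "the bits were destroyed" that the mail points at; which of the two a real disk behaves like depends on the filesystem, its journal and the storage hardware, none of which the wiping program can see.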
