Re: crypto file system
Hi back,...
> Stop. You are right. I misunderstood you.
> I thought you wanted to export the fs-image.
> (But don't use journal-fs)
> If you export the data only, there shouldn't be any problem.
So let's check whether or not I got you right. Say I export the raw
loop-file that contains the encrypted file system via NFS. If I mount this
file loop-back on several computers and concurrently write or read, the file
system cannot get screwed up (only because of the concurrent access)?
> Well every encrypted file is stored in cleartext while editing. Even if you
> use an encrypted partition. (In this case the key is stored in RAM and can be
> recovered locally)
That's right. However, I think there is a difference whether the file is
unencrypted in the memory or unencrypted lying somewhere on the hard disk. If
it is unencrypted in the memory, it is much more difficult to obtain. I
think we will agree on the fact that 100% security is not possible;
however, it doesn't hurt to make it as hard as possible for the attacker.
> Not if you encrypt your working-directories randomly. Every time you boot,
> you get a clean, new tmp and data recovery is impossible due to encryption.
Yes, that would be a fine solution. However, you have to factor in the human factor
here. If you have one man in the chain who decides that it is reasonable
enough to think no one hacks his machine and such precautions are a waste of
time and effort, then the whole security concept falls apart. Therefore, I'm
looking for a solution that is transparent and as easy to use as possible (at
least, easier to use than to go around...).
> Well, I haven't used it.
> CFS (imho) can be substituted with ssh and NFS-over-TCP.
> Be aware, that CFS is quite obsolete.
Is the data encrypted on the server, when using ssh over NFS? That's one thing
that would really be nice...
Our data is not so sensitive that 3DES or blowfish would be insufficient to
protect it. To put it another way, it's highly valuable but only over a short
amount of time. Usually, it's less time than the nine days it took them last
time to crack 3DES with this specialized computer.
Our greater concern is that there may be exploitable security holes within a
program package that has not been maintained for more than two years, plus,
it won't run on some of our machines...
Thanks for your help,
Jonathan