
Re: crypto file system



Hi back,...

> Stop. You are right. I misunderstood you.
> I thought you wanted to export the fs-image.
> (But don't use journal-fs)
> If you export the data only, there shouldn't be any problem.

So let's check whether or not I got you right. Say I export the raw 
loop-file that contains the encrypted file system via NFS. If I mount this 
file loop-back on several computers and concurrently write or read, the file 
system cannot get screwed up (only because of the concurrent access)?

> Well, every encrypted file is stored in cleartext while editing. Even if you 
> use an encrypted partition. (In this case the key is stored in RAM and can be 
> recovered locally)

That's right. However, I think it makes a difference whether the file is 
unencrypted in memory or unencrypted lying somewhere on the hard disk. If 
it is unencrypted in memory, it is much more difficult to obtain. I 
think we will agree on the fact that 100% security is not possible; 
however, it doesn't hurt to make it as hard as possible for the attacker.

> Not if you encrypt your working-directories randomly. Every time you boot,
> you get a clean, new tmp and data recovery is impossible due to encryption.

Yes, that would be a fine solution. However, you have to factor in the human factor 
here. If you have one man in the chain who decides that it is reasonable 
enough to think no one hacks his machine and such precautions are a waste of 
time and effort, then the whole security concept falls apart. Therefore, I'm 
looking for a solution that is transparent and as easy to use as possible (at 
least, easier to use than to go around...).

> Well, I haven't used it.
> CFS (imho) can be substituted with ssh and NFS-over-TCP.
> Be aware, that CFS is quite obsolete.

Is the data encrypted on the server when using ssh over NFS? That's one thing 
that would really be nice...
Our data is not so sensitive that 3DES or blowfish would be insufficient to 
protect it. To put it another way, it's highly valuable but only over a short 
amount of time. Usually, it's less time than the nine days it took them last 
time to crack 3DES with this specialized computer.
Our greater concern is that there may be exploitable security holes within a 
program package that has not been maintained for more than two years; plus, 
it won't run on some of our machines...

Thanks for your help,
Jonathan


