Re: Decrypt, Edit and Encrypt a File
Douglas A. Tutty wrote:
> On Wed, Apr 08, 2009 at 11:26:20AM -0400, H.S. wrote:
>> Douglas A. Tutty wrote:
>>> On Tue, Apr 07, 2009 at 06:17:56PM -0400, H.S. wrote:
>>>> Douglas A. Tutty wrote:
>>>>> On Tue, Apr 07, 2009 at 05:46:31PM -0400, H.S. wrote:
>>>>>> Douglas A. Tutty wrote:
>
>>> $ cat /proc/swaps:
>>> Filename Type Size Used Priority
>>> /dev/mapper/sda2_crypt partition 979956 0 -1
>>>
>>> $ mount | grep -i /tmp
>>> /dev/mapper/sdb1_crypt on /var/tmp type ext3 (rw,data=journal)
>>> tmpfs on /tmp type tmpfs (rw,size=500m)
>
>>> There are a limited number of places where a piece of software can leak
>>> info:
>>>
>>> 1. to /tmp: It's encrypted
>>> 2. to /var/tmp: It's encrypted
>>> 3. to somewhere on ~/: I have /home encrypted
>>> 4. left in swap: it's encrypted
>>> 5. in a core dump after a crash: use ulimit (see man bash) to
>>> limit core dump size to 0
>>>
>>> Of course, the unencrypted data is in memory, so anything that can read
>>> any memory segment can read your data.
>
>
>> I am curious, what is the performance cost to have your ~/ and /tmp and
>> /swap encrypted? What kind of machine are you using?
>
> I see no performance cost and I've done this on a PII-233 on old IDE
> disks and now on a PII-450 with two SCSI disks.
>
> Think of it this way: Data has to go out to disk. That takes a lot of
> time compared to moving data in the memory. It doesn't take that much
> time to start the encryption process (which can continue while the data
> is streaming to the disk). I'm sure it's more complex than this, but
> that's the idea.
>
> If I want to have the fastest streaming possible, I'll have a
> non-encrypted partition in a convenient spot, say /var/local/cache but
> I've found that I haven't had a problem without it. I suppose it may be
> important if you're doing streaming video or something, but you'd want a
> separate raid array for that anyway.
>
>> Also, since you have to use mount, which requires root privileges, the
>> above method is not possible for a normal (non-root) user, is it?
>
> These partitions are all mounted on boot. I set up the encrypted
> partitions during the install (Etch). Here's fstab:
> <SNIP>
>
> Thus, it's totally transparent to the normal user. I have to enter the
> pass phrases at boot; I've been too lazy to set it up to only require
> one, so I have to do it three times (one for each encrypted partition)
> (swap doesn't need a passphrase). LUKS is flexible enough that you
> could use a USB key if you like.
>
> Doug.
>
>
Great! Thanks.
--
Please reply to this list only. I read this list on its corresponding
newsgroup on gmane.org. Replies sent to my email address are just
filtered to a folder in my mailbox and get periodically deleted without
ever having been read.
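Doug's checklist of leak locations (/tmp, /var/tmp, ~/, swap, core dumps) can be turned into a quick audit. The script below is an added example, not code from the thread; it classifies each location from text in the format of /proc/swaps and `mount`, and assumes dm-crypt mappings are named /dev/mapper/*_crypt as in the output Doug quoted. The sample input is constructed from his quoted lines plus an assumed unencrypted /home.

```shell
#!/bin/sh
# Added example (not from the thread): classify what backs the leak locations in the
# checklist above (/tmp, /var/tmp, /home, swap) from text in the format of /proc/swaps
# and `mount`. The sample is constructed from the lines quoted in the thread, plus an
# assumed plain /home so that the "plain" case is exercised.
SAMPLE_SWAPS='Filename Type Size Used Priority
/dev/mapper/sda2_crypt partition 979956 0 -1'
SAMPLE_MOUNTS='/dev/mapper/sdb1_crypt on /var/tmp type ext3 (rw,data=journal)
tmpfs on /tmp type tmpfs (rw,size=500m)
/dev/sda1 on /home type ext3 (rw)'

# Assumption: dm-crypt mappings are named /dev/mapper/*_crypt, as in the quoted output.
is_crypt_dev() {
  case "$1" in /dev/mapper/*_crypt) return 0 ;; *) return 1 ;; esac
}
# classify_mount MOUNTPOINT MOUNT_TEXT -> encrypted | tmpfs | plain | absent
classify_mount() {
  dev=$(printf '%s\n' "$2" | awk -v mp="$1" '$3 == mp { print $1; exit }')
  if [ -z "$dev" ]; then echo absent
  elif is_crypt_dev "$dev"; then echo encrypted
  elif [ "$dev" = tmpfs ]; then echo tmpfs    # RAM-backed, but its pages can be swapped out
  else echo plain; fi
}

# classify_swap SWAPS_TEXT -> encrypted (every swap device is a crypt mapping) | plain | none
classify_swap() {
  printf '%s\n' "$1" | awk 'NR > 1 && NF { print $1 }' | {
    n=0; bad=0
    while read -r dev; do
      n=$((n + 1)); is_crypt_dev "$dev" || bad=1
    done
    if [ "$n" -eq 0 ]; then echo none; elif [ "$bad" -eq 0 ]; then echo encrypted; else echo plain; fi
  }
}

# audit SWAPS_TEXT MOUNT_TEXT -> one line per checklist item; a tmpfs is only as safe as swap
audit() {
  swap=$(classify_swap "$1")
  for mp in /tmp /var/tmp /home; do
    st=$(classify_mount "$mp" "$2")
    if [ "$st" = tmpfs ] && [ "$swap" != encrypted ]; then st="tmpfs (but swap is $swap)"; fi
    echo "$mp: $st"
  done
  echo "swap: $swap"
  echo "core dump limit: $(ulimit -c) (0 means item 5 is covered)"
}

audit "$SAMPLE_SWAPS" "$SAMPLE_MOUNTS"
# Live system: audit "$(cat /proc/swaps)" "$(mount)"
```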