[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Advice on raid/lvm

On Thu, Apr 09, 2009 at 04:43:17PM +0200, martin f krafft wrote:
> also sprach Douglas A. Tutty <dtutty@vianet.ca> [2009.04.09.1532 +0200]:
> > > On the other hand, having / in LVM means:
> > > * you can enlarge / when necessary;
> > 
> > You should never have to enlarge a 500 MB /
> 
> I bet you'll be wrong in 10 years.

What load of gunk will be dumped into / to take it bigger than 500 MB?  

If ever / becomes bigger than 500M, then booting my old boxes will again
require a separate /boot (so that they can boot lower than the 504 MB
limit).  

> 
> > > * you can encrypt / if desired;
> > 
> > Why would you need / encrypted (if swap, /tmp, /home, and parts of /var
> > are encrypted)?
> 
> Because it contains e.g. /bin/ls and you don't want that to be
> trojaned. Obviously, an integrity checker can also help.
> 

How does encrypting / prevent trojaning a binary?  I suppose it prevents
an attacker gaining root when the box is turned off and not physically
secured, but I don't know.  Does encrypting root counteract the age-old
wisdom that physical acess to the hardware will allow root compromise?

An integrity checker would only help if its being run from a
known-secure box, not the box with the questionable /bin/ls.

Encryption is great to protect secret content, while the box is
powered-off.  It doesn't help while the box is powered-on (since the
filesystems will be decrypted).  

Doug.
Reply to: