Re: Advice on raid/lvm
On Thu, Apr 09, 2009 at 04:43:17PM +0200, martin f krafft wrote:
> also sprach Douglas A. Tutty <dtutty@vianet.ca> [2009.04.09.1532 +0200]:
> > > On the other hand, having / in LVM means:
> > > * you can enlarge / when necessary;
> >
> > You should never have to enlarge a 500 MB /
>
> I bet you'll be wrong in 10 years.

What load of gunk will be dumped into / to take it bigger than 500 MB?
If ever / becomes bigger than 500M, then booting my old boxes will again
require a separate /boot (so that they can boot lower than the 504 MB
limit).
>
> > > * you can encrypt / if desired;
> >
> > Why would you need / encrypted (if swap, /tmp, /home, and parts of /var
> > are encrypted)?
>
> Because it contains e.g. /bin/ls and you don't want that to be
> trojaned. Obviously, an integrity checker can also help.
>
How does encrypting / prevent trojaning a binary? I suppose it prevents
an attacker gaining root when the box is turned off and not physically
secured, but I don't know. Does encrypting root counteract the age-old
wisdom that physical access to the hardware will allow root compromise?

An integrity checker would only help if it's being run from a
known-secure box, not the box with the questionable /bin/ls.

Encryption is great to protect secret content, while the box is
powered-off. It doesn't help while the box is powered-on (since the
filesystems will be decrypted).
Doug.
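
The point above about running an integrity checker from a known-secure box, as an added example that is not part of the original message: the hashes are computed by the trusted environment's own tools over the suspect root and compared with a baseline kept off that machine. The function names, the manifest layout and the `bin`/`sbin` directory choice are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Run from trusted media; the layout below is an assumption.

# make_manifest ROOT DIR...: SHA-256 of every regular file under DIR...,
# paths relative to ROOT. Keep the output off the machine being checked.
make_manifest() {
    root=$1; shift
    ( cd "$root" && find "$@" -type f -exec sha256sum {} + | sort -k 2 )
}

# verify_root MANIFEST ROOT DIR...: re-hash ROOT with the trusted host's own
# find/sha256sum (never binaries from ROOT) and diff against MANIFEST.
# Prints ADDED/MISSING/MODIFIED lines; returns 1 if anything differs.
# Assumes file names without newlines or backslashes.
verify_root() {
    manifest=$1; root=$2; shift 2
    current=$(mktemp)
    make_manifest "$root" "$@" > "$current"
    findings=$(awk '
        { hash = substr($0, 1, 64); path = substr($0, 67) }
        FILENAME == ARGV[1] { base[path] = hash; next }   # trusted baseline
        { seen[path] = 1
          if (!(path in base))         print "ADDED " path
          else if (base[path] != hash) print "MODIFIED " path }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$manifest" "$current" | sort)
    rm -f "$current"
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo: a throwaway tree stands in for the mounted target root.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/root/bin" "$t/root/sbin"
    echo 'original ls' > "$t/root/bin/ls"
    echo 'original init' > "$t/root/sbin/init"
    make_manifest "$t/root" bin sbin > "$t/baseline.sha256"
    echo 'replaced ls' > "$t/root/bin/ls"        # simulated tampering
    echo 'new file' > "$t/root/sbin/unlisted"
    rm "$t/root/sbin/init"
    rc=0
    verify_root "$t/baseline.sha256" "$t/root" bin sbin || rc=$?
    rm -rf "$t"
    return "$rc"
}
```

Calling `demo` prints one finding per changed, removed or unlisted file and returns non-zero; an unchanged tree prints nothing and returns 0.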