
Re: Etch to 5.0.2 upgrade failed - Encrypted filesystem will not boot



On Thursday 06 August 2009 04:16:42 Siggy Brentrup wrote:
> On Tue, Aug 04, 2009 at 18:50 -0500, lineman@halo.nu wrote:
> > Hi -
> >
> > I have a Debian Etch system which I recently upgraded to v5.0.2.
> > The file system was encrypted with LUKS at install time.
>
> Please bear with me, I'm asking this out of curiosity.  Why did you
> encrypt the full root FS?  I can understand that you want your $HOME
> encrypted, to a lesser degree I can follow you even with /etc, /tmp
> and /var, but why do you take the performance penalty on publicly
> available stuff?
  
  I'm not the OP, but we do this at work because of policy --
we require full-disk encryption for portable systems, and
the dm-crypt scheme doing everything except /boot is considered
acceptable under the guidelines.

  I think the policy is this way partially because it's an
easy line to draw, and doesn't involve a lot of guesswork. 
There can also be "leakage" out of your home directory --
applications sometimes store lists of recently-viewed
documents in /var, and of course the system logs are 
in /var/log, plus there are dynamic entries in some 
config files, which might expose details of your network 
environment -- where are *your* WPA credentials cached?

  So, encrypting as much as you can meets the confidentiality
need in an easy-to-describe, easy-to-enforce, and relatively
easy-to-implement way. 

				-- A.
-- 
Andrew Reid / reidac@bellatlantic.net

