On Thu, Aug 06, 2009 at 18:29 -0400, Andrew Reid wrote:
> On Thursday 06 August 2009 04:16:42 Siggy Brentrup wrote:
> > Please bear with me, I'm asking this out of curiousity. Why did you
> > encrypt the full root FS? I can understand that you want your $HOME
> > encrypted, to a lesser degree I can follow you even with /etc, /tmp
> > and /var, but why do you take the performance penalty on publically
> > available stuff?
> I'm not the OP, but we do this at work because of policy --
> we require full-disk encryption for portable systems, and
> the dm-crypt scheme doing everything except /boot is considered
> acceptable under the guidelines.
> I think the policy is this way partially because it's an
> easy line to draw, and doesn't involve a lot of guesswork.
> There can also be "leakage" out of your home directory --
> applications sometimes store lists of recently-viewed
> documents in /var, and of course the system logs are
> in /var/log, plus there are dynamic entries in some
> config files, which might expose details of your network
> enviornment -- where are *your* WPA credentials cached?
For the technical part: there's remote logging and you can use mount
-bind to relocate directories that should be encrypted. I prefer
encrypting only the confidential stuff on a by document basis.
IMHO your employer's approach to security and confidentiality is easy
but wrong; it follows the lines "I want both, but don't bother me with
the details." Recently I read a citation (sadly w/o attribution)
"Security is not a state, it's a process".
As for your question, I think you'll find the answer in my 2nd
paragraph you didn't cite here, I'll do it for you:
> > I for my part use a single encrypted 256MB FS on a flash device
> > that fits into my vaio's 'MagicGate'. That's plenty of room for
> > stuff I want to keep secret [snip].
I don't use Wi-Fi with boxes that carry confidential information,
always unplugging the flash before turning the Vaio's wireless switch
on.
That said, I'd like to carry on the discussion of this IMHO important
topic but refrain from hijacking this thread. If anybody is
interested, please drop me a private note at the 2nd address in my
.signature. In case there's more interest than I like to see in Cc
headers, I'm willing to set up a MM list devoted to security and
privacy.
Thanks for listening
Siggy
--
Please don't Cc: me when replying, I might not see either copy.
bsb-at-psycho-dot-informationsanarchistik-dot-de
or: bsb-at-psycho-dot-i21k-dot-de
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Attachment:
signature.asc
Description: Digital signature