
Re: Disc encryption.





On Mon, Feb 21, 2011 at 2:00 AM, Heddle Weaver <weaver2world@gmail.com> wrote:


On 21 February 2011 15:32, Erwan David <erwan@rail.eu.org> wrote:
On 21/02/11 05:05, Ron Johnson wrote:
> On 02/20/2011 09:46 PM, Heddle Weaver wrote:
>> Greetings all,
>>
>> looking at the collective knowledge factor, what's the best disc
>> encryption package?
>
> Do you want to encrypt *everything* or just a few folders?

Everything, including swap.

Like Erwan, I use cryptsetup/LUKS. Doing so through the installer will allow/require you to encrypt swap. However, you will be unable to encrypt /boot. The boot manager will need to access /boot to be able to access cryptsetup to decrypt the filesystems.

That said, if you don't want a decrypted /boot living on your hard drive, you can insert a thumb drive (512MB-1GB if you can find one that small) during install and configure it as /boot. Have a backup stick and regularly rsync it to account for updated packages, etc., as well as in case the first drive fails. I have done this on a couple of laptops.

 
>
>> What's everybody using?
>> Two examples of Xzibit this week and hash changes showing up in the
>> logs.


Also, please remember, when the system is running, the filesystem is *decrypted*. Encryption is not going to protect you when the system is running. I am not familiar with the xzibit rootkit, but you should probably be looking more toward an IDS/IPS (intrusion detection/prevention system), such as snort, ossec, etc., rather than encryption as your defense... try and have multiple layers of security, so that bypassing one will trigger another.

--b
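
An added example, not part of the original message: since /boot stays unencrypted and the reply suggests keeping an rsync'd backup stick, this script compares the two trees by SHA-256 and reports which files changed, are missing from the backup, or exist only on the backup. The function names and the temp directories standing in for /boot and the backup mount are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print "sha256  ./relative/path" for every regular file under directory $1.
boot_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# Compare primary tree $1 with backup tree $2 by content hash.
# Prints CHANGED / MISSING (absent from backup) / EXTRA (only in backup);
# returns 0 when the trees match, 1 otherwise.
boot_drift() {
    report=$(
        { boot_manifest "$1" | sed 's/^/P /'
          boot_manifest "$2" | sed 's/^/B /'; } |
        awk '{ path = substr($0, 69) }   # skip tag, 64 hex digits, separators
             $1 == "P" { primary[path] = $2; next }
             { backup[path] = $2 }
             END {
                 for (p in primary) {
                     if (!(p in backup)) print "MISSING " p
                     else if (primary[p] != backup[p]) print "CHANGED " p
                 }
                 for (p in backup) if (!(p in primary)) print "EXTRA " p
             }' | sort
    )
    if [ -z "$report" ]; then return 0; fi
    printf '%s\n' "$report"
    return 1
}

# Constructed demo: temp directories stand in for /boot and the backup stick.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/boot/grub" "$work/backup"
    printf 'kernel-v1' > "$work/boot/vmlinuz"
    printf 'initrd-v1' > "$work/boot/initrd.img"
    printf 'menu' > "$work/boot/grub/grub.cfg"
    cp -R "$work/boot/." "$work/backup/"            # stands in for the rsync run
    printf 'initrd-v2' > "$work/boot/initrd.img"    # changed since the last sync
    if boot_drift "$work/boot" "$work/backup"; then status=0; else status=1; fi
    rm -rf "$work"
    return "$status"
}

demo || true   # prints: CHANGED ./initrd.img
```

A CHANGED line right after a kernel or initramfs update is expected; one that appears with no package update in between is worth investigating before the next sync overwrites the backup.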
