On Thursday 24 February 2011 07:03:23 Ron Johnson wrote: > On 02/24/2011 06:22 AM, Brad Alexander wrote: > [snip] > > > Also, please remember, when the system is running, the filesystem is > > *decrypted*. Encryption is not going to protect you when the system is > > running. > > So what you/we need are apps which integrate GPG. That way, files > are only decrypted when necessary. Depends on what you are trying to defend against. Full-disk encryption is meant to defend against physically stolen or confiscated servers, drives, or laptops from being accessed. When a laptop is on, it is generally being closely observed, so when it is stolen it is usually off. Servers and drives are harder to move while powered, so they are usually turned off as part of the act of stealing them. In both cases, accessing the data usually requires knowledge of the encryption key or the passphrase that unlocks it. If you want to protect your data from other normal users on the same system, permissions usually suffice. If you want to protect your data from privileged users (e.g. root) on a system, give up. They can modify the system to tell GPG that the memory it has requested is locked, but then capture all the data written there, and that act could be mostly transparent to both GPG and the user. GPG is best used for asymmetrically encrypted transfers of data, or when you only have a few files to protect and don't feel they justify full disk encryption. -- Boyd Stephen Smith Jr. ,= ,-_-. =. bss@iguanasuicide.net ((_/)o o(\_)) ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-' http://iguanasuicide.net/ \_/
Attachment:
signature.asc
Description: This is a digitally signed message part.