
Re: Disc encryption.



Quite true, Boyd. But he specifically mentioned the xzibit rootkit, which means he had to be online to get it. So I framed my answer in light of his concerns.

--b

On Thu, Feb 24, 2011 at 9:30 AM, Boyd Stephen Smith Jr. <bss@iguanasuicide.net> wrote:
On Thursday 24 February 2011 07:03:23 Ron Johnson wrote:
> On 02/24/2011 06:22 AM, Brad Alexander wrote:
> [snip]
>
> > Also, please remember, when the system is running, the filesystem is
> > *decrypted*. Encryption is not going to protect you when the system is
> > running.
>
> So what you/we need are apps which integrate GPG.  That way, files
> are only decrypted when necessary.

Depends on what you are trying to defend against.  Full-disk encryption is
meant to defend against physically stolen or confiscated servers, drives, or
laptops from being accessed.  When a laptop is on, it is generally being
closely observed, so when it is stolen it is usually off.  Servers and drives
are harder to move while powered, so they are usually turned off as part of
the act of stealing them.  In both cases, accessing the data usually requires
knowledge of the encryption key or the passphrase that unlocks it.

If you want to protect your data from other normal users on the same system,
permissions usually suffice.  If you want to protect your data from privileged
users (e.g. root) on a system, give up.  They can modify the system to tell
GPG that the memory it has requested is locked, but then capture all the data
written there, and that act could be mostly transparent to both GPG and the
user.

GPG is best used for asymmetrically encrypted transfers of data, or when you
only have a few files to protect and don't feel they justify full disk
encryption.
--
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/

