
Re: Full Disk Encryption



Indeed I am. For several reasons.

First off, it is the path of least resistance. If I LUKS encrypt the whole banana, I only need one passphrase or key file for the entire thing. If I have to manually decrypt a number of filesystems, I end up having to type multiple passphrases (best security practice says each should have a different passphrase). Yes, I know using keyfiles, I could work around this.

The second reason is that there are several places other than /home where data I would probably want to encrypt live. /etc comes to mind... And /root, on the same principle as encrypting /home... And if encrypting /var falls into the same logic (not encrypting such things as /var/log or /var/cache), then we should at least encrypt /var/lib, nominally /var/mail, and any other directories (e.g. subversion, mediawiki, mysql, etc). Plus if you put anything in /usr/local (opsview places its files there), since encrypting /usr would include standard packages... Oh, and we should probably do /opt, since Nessus installs everything into that directory tree. So managing this would become a headache after a while, with each machine having its own individual list of encrypted directories. No, I just encrypt the entire thing and if I get some stuff that is standard, so be it. Besides, then it is only one encrypted portion to decrypt rather than 10 or 11. I'm not sure how much of a performance hit there is in having separate directories encrypted as opposed to a single large one. Plus there is always the chance that you will miss something. It very quickly turns into a logistical nightmare that doesn't scale very well.

That is the reason I encrypt the entire banana rather than trying to encrypt the peel.

--b

On Sat, Nov 26, 2011 at 11:49 AM, Curt <curty@free.fr> wrote:
On 2011-11-26, Brad Alexander <storm16@gmail.com> wrote:
>
> Hi,
>
> I have been using full-disk encryption on my laptop for several years over
> several laptops. My current one is a Dell Latitude E6500 with a 2.66GHz
> Core2Duo P9600 with 4GB of RAM, and the lag from encryption is not
> noticeable.

There's something I'm not getting.  You're encrypting the freely available,
open-source operating system?  Why would anyone do that?

Or is it just to make it simpler, you encrypt the whole banana, even though
you don't care about the peel?

I've been thinking about encrypting certain folders in my home directory
that contain sensitive information.  Is there an easy way to do that?

Well, forget it, I'm hijacking the thread.

