Re: setting up partition before cryptsetup
- From: Digby Tarvin <digbyt@xxxxxxx>
- Date: Wed, 19 Jul 2006 17:37:10 +0100
On Wed, Jul 19, 2006 at 11:17:33PM +0700, Dave Patterson wrote:
* Digby Tarvin <digbyt@xxxxxxx> [2006-07-19 15:58:19 +0100]:
In my opinion it is more secure to keep confidential data in aThe flipside to that is the cracker that searches journals on journalled
dedicated encrypted partition which is only initialised and mounted
when really needed. If you are really paranoid, you can remove your
network connection whenever the secred data is mounted.
If you have the entire system encrypted and mount everything at boot,
then your data is only safe with the computer is turned off. A hacker
who gains root has everything...
filesystems for sensitive data (keys for encrypted partitions, even the
sensitive document itself).
A healthy dose of paranoia is in order here. Look at how you plan to
manage your encrypted data.
I'm not sure that I see how any of the sensitive data would find its way
into the journal of a an unencrypted filesystem? Unless of course
anyone were silly enough to copy stuff there...
Two extra caveats I neglected to mention is:
1. I create 'secure' users with home directories in the secure home
partition. When I access secure data, I mount the partition and
then have to log in as my secure alter-ego. This is very important
to ensure that your browser caches etc are also encrypted.
The secure users shouldn't have write access to any unencrypted
filesystem, including /tmp, to prevent inadvertant data compromise.
I use a swap backed memory based filesystem for /tmp - ramfs or tmpfs,
I can never remember which is which :-/
2. If the data is very sensitive, either encrypt your swap partition
or disable it when the secure partition is mounted.
Digby R. S. Tarvin digbyt(at)digbyt.com
To UNSUBSCRIBE, email to debian-user-REQUEST@xxxxxxxxxxxxxxxx
with a subject of "unsubscribe". Trouble? Contact listmaster@xxxxxxxxxxxxxxxx
- Prev by Date: Re: Union FS
- Next by Date: Re: dma errors
- Previous by thread: Re: setting up partition before cryptsetup
- Next by thread: Re: setting up partition before cryptsetup