Mailinglist Archive: opensuse-factory (1165 mails)

< Previous Next >
Re: [opensuse-factory] topics next dist meeting
  • From: Christian Boltz <opensuse@xxxxxxxxx>
  • Date: Thu, 16 Nov 2006 21:30:47 +0100
  • Message-id: <200611162130.48369@xxxxxxxxxxxxxxx>
Hello,

Am Donnerstag, 16. November 2006 20:21 schrieb Hans Witvliet:
> It's been a while ago since i experimented with crypto (beginning
> 10.1 ;-)
> But from what i recollect...
> 1) Using the general partitioner, with yast, results in a partition
> that gets mounted at startup. works well, but the partition gets
> mounted allways.

It should be possible to mark it as "mount by user" and/or "noauto" in
YaST. (However, I never tried that.)

> 2) Some people (not me) wants to encrypt EVERYTHING, inluding swap
> and root. AFAIK, that is still not possible.

It is possible - with the exception of /boot.
http://tldp.org/HOWTO/Encrypted-Root-Filesystem-HOWTO/

> Perhaps its should be
> pointed out, that it both a) irrelevant, and b) counter productive.
> a) 90% on the harddisk is opensource and general available

Well, encrypting _everything_ is really something that you need very
rarely. However, it's important that you encrypt /tmp and (large parts
of) /var because sooner or later your data "leaks out" to a tempfile or
alike...

Encrypted swap is also a good thing from the security point of view (you
never know which of your data gets swapped out) - unfortunately it
doesn't work with suspend2disk AFAIK.

> b) encrypting cost cpu-cycles,so hard disk will be slowed down.

Of course, but with today's CPUs I consider this a minor problem.
Usually the harddisk performance is the limiting factor, not the CPU.

> 3) best solution (imho) is to have for each individual user a
> seperate container, which gets mounted on his home directory after
> login (pam_mount)
>
> 4) for the the paranoia, have also /var/spool/mail en swap encrypted
> Nothing else is worthwhile

As already said: /tmp and parts of /var (like /var/tmp, /var/lib/mysql,
...) can also contain sensitive data. A simple example: Click any
attachment in KMail - it will be saved to /tmp/kde-$user/...
temporarily.

My paranoia level ;-) is:
I have symlinked most of /var to my encrypted partition - except
for /var/log, /var/lock and /var/run which would need some more tuning.
See https://bugzilla.novell.com/show_bug.cgi?id=140226 for details.

> 5) for the super-paranoia, encrypt with the key from a smartcard.

;-)


Regards,

Christian Boltz
--
"Hast du schon gehoert: Ein Bug im Netscape Navigator erlaubt es jedem,
übers Internet deine Festplatte zu lesen." - "Weiss ich, deshalb bleibe
ich ja auch bei Netscape - wenn's ein Microsoft-Bug waere, dann dürfte
jeder meine Festplatte auch noch beschreiben..."
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-factory+help@xxxxxxxxxxxx

< Previous Next >
Follow Ups