On 11/08/2014 10:09 AM, listreader wrote:
On Sat, 08 Nov 2014 11:35:28 -0500 Anton Aylward wrote:
But I don't encrypt data on static machines. (usually)
An encrypted FS or data store that is available in the clear while the system is booted anyway makes no sense to me. It only makes sense if the machine itself is physically insecure, that the drive could be stolen. And not really even then; if the machine is physically insecure the whole thing could be stolen, and booted, or the data extracted while the machine was running, or, given physical access, a keystroke recorder could be plugged in.
Well, it depends on WHO you are trying to protect your data from. In my case, I live in the very rural South of the USA. The "threat" to my data is primarily not from government spooks or knowledgeable hackers but instead from common criminals. While I am home on my property they are no threat, we are all armed here and protected by the "castle doctrine", i.e. you come on my property uninvited I can take you out, no questions to be answered afterwards. But, when I travel and property is vacant for more than a few days, it is another story. No one would hear a burglar alarm going off, and silent alarms are not useful when the responding sheriff might be 30 minutes or more away on the other side of the county when needed. So, you do all you can to protect your property and that includes protecting your data should the criminal gain actual access into your buildings and steal your machines. LUKS works fine to protect data on shut-down machines.
Then there's the issue of backups. Are they done of the encrypted FS or are they done of the running, unencrypted FS? Are the backups, which are not on portable media, encrypted and/or physically protected?
My backups are done from the running unencrypted fs, and onto LUKS encrypted USB sticks (full backups) or LUKS encrypted SD cards (incrementals). Works for me.
Ralph
I worry about my traveling laptop. That's far more likely to get stolen than something from my home. I encrypt my /home and proprietary data/code directories for my day job. I also use ddclient to map both my internal and external IP to a dynamic DNS provider.
--
After all is said and done, more is said than done.