On Mon, 2006-06-19 at 13:41 -0400, jfweber@gilweber.com wrote:
On June Saturday 17 2006 3:59 pm, John R. Sowden wrote: <snip>
My only complaint is, I would like an iconized program that asks for the key so I don't have to enter it each time I boot (only if I am going into the encrypted partition.) Oh yes, we run 2 networks (internal ops and the internet).
I agree w/ everything here. It's the biggest complaint I get, "it's too much bother to have to type the password again etc." However I am slowly getting my point across. Next laptop I get to "play w/" I am going to encrypt the boot record as someone suggested in a past discussion to see if it works. i.e. no passphrase or password = no boot, that should keep my company stuff at least a bit slower for a vandal.
I too prefer passphrases. But I'm still having problems getting this group to encrypt their email. I am working on "making it happen", but some in this group are really hard heads, and "we've *always* done it this way" seems to be a magic bullet I have yet to dodge, completely. Keeping the discussion open is the best I can do so far.
Again, real life examples do me the most good here. Just got an agreement to insist any windows computer must not be able to reach the internet, nor be reachable thru the network which *does* reach the internet. That small "victory" (??!) was more than 3 years in the making.
I wonder tho, returning to the idea of encrypting the /boot area; Knoppix might still run, even tho it ought not do so. And that opens the whole hard drive, if it (Knoppix) boots. Anyone have any real life experience to help there? (we are a small company and so far as I can tell a laptop for testing will have to be a private personal purchase... <sigh>) (if we ever go big, I want a huge raise <g>)
No I don't contemplate ever going big enough to get anything back.. it's just like the Reichians "thought murder a day keeps the doctor away". I know, I know it conflicts w/ the universe's unintended consequences, but at the moment, I can't reach a teacher so, I must blunder onward in hope that the grace I have reached will keep me from doing anything insanely stupid.
I wouldn't wish current circumstances on ANYONE.
We don't do windows except for vertical market packages on a dedicated computer without a network connection.
Bless you for this information, it finally nailed down my problem w/ windows legacy stuff.. I at least have that done now. Even better, since we are consultants, it will be policy to tell our clients how to do this and eventually get to a safe way to keep information that, for sure, no one wants to see on the net. Not just credit card info is a problem.
Some points to think about:

What is the advantage of encrypting the whole drive? The O.S. is open source, no secrets there to be found. Just have some areas strongly encrypted, each with a different passphrase. Passwords/passphrases only needed when you access that specific area. Or is the entire filesystem littered with sensitive data??

Limit the amount of time the vault is unencrypted, especially if "other" people in your company have su-access, and the system is connected to any network.
=> Don't trust admins, they are usually underpaid. <=

If you want it stronger, use a smartcard with 2K-key length with pin-code; afaik opensc & openct are part of the distro.

When you have a T43, you can opt for three-factor security: Smartcard + fingerprint + pin. And to avoid people leaving the card in the machine, use the same card you need to get in/out/around the building ;-))

And a screenlock with minimum delay...

Hans
-- pgp-id: 926EBB12 pgp-fingerprint: BE97 1CBF FAC4 236C 4A73 F76E EDFC D032 926E BB12 Registered linux user: 75761 (http://counter.li.org)