Hello,

On Thursday, 16 November 2006 at 20:21, Hans Witvliet wrote:
> It's been a while since I experimented with crypto (beginning with 10.1 ;-) But from what I recollect...
> 1) Using the general partitioner with YaST results in a partition that gets mounted at startup. Works well, but the partition always gets mounted.
It should be possible to mark it as "mount by user" and/or "noauto" in YaST. (However, I never tried that.)
> 2) Some people (not me) want to encrypt EVERYTHING, including swap and root. AFAIK, that is still not possible.
It is possible - with the exception of /boot. http://tldp.org/HOWTO/Encrypted-Root-Filesystem-HOWTO/
> Perhaps it should be pointed out that it is both a) irrelevant and b) counterproductive.
> a) 90% of the hard disk is open source and generally available
Well, encrypting _everything_ is really something that you need very rarely. However, it's important that you encrypt /tmp and (large parts of) /var because sooner or later your data "leaks out" to a tempfile or the like... Encrypted swap is also a good thing from the security point of view (you never know which of your data gets swapped out) - unfortunately it doesn't work with suspend2disk AFAIK.
> b) encrypting costs CPU cycles, so the hard disk will be slowed down.
Of course, but with today's CPUs I consider this a minor problem. Usually the harddisk performance is the limiting factor, not the CPU.
> 3) The best solution (IMHO) is to have a separate container for each individual user, which gets mounted on his home directory after login (pam_mount).
> 4) For the paranoid, also have /var/spool/mail and swap encrypted. Nothing else is worthwhile.
As already said: /tmp and parts of /var (like /var/tmp, /var/lib/mysql, ...) can also contain sensitive data. A simple example: Click any attachment in KMail - it will be saved to /tmp/kde-$user/... temporarily. My paranoia level ;-) is: I have symlinked most of /var to my encrypted partition - except for /var/log, /var/lock and /var/run which would need some more tuning. See https://bugzilla.novell.com/show_bug.cgi?id=140226 for details.
> 5) For the super-paranoid, encrypt with the key from a smartcard.
;-)

Regards,

Christian Boltz
-- 
"Have you heard? A bug in Netscape Navigator lets anyone read your hard disk over the Internet." - "I know, that's why I'm sticking with Netscape - if it were a Microsoft bug, everyone would be able to write to my hard disk as well..."

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org
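The thread keeps coming back to the same question: which of /tmp, /var/tmp, /var/spool/mail, /home and swap actually sit on a dm-crypt device, and which silently inherit a plaintext parent filesystem. The script below is an added example, not code from the original post or from openSUSE; it parses the text of /etc/fstab and /etc/crypttab (standard four-field crypttab layout: name, device, key, options) and reports the status of each of those targets. The sample fstab/crypttab contents are constructed for illustration. A target without its own fstab line is resolved to the longest parent mount point, so /var/tmp on an unencrypted root shows up as "PLAINTEXT via /", and a swap mapping keyed from /dev/urandom is flagged as the random-key setup that the reply notes does not survive suspend-to-disk.

```python
"""Audit fstab + crypttab for the mount points the thread says leak data.

Added example (not from the original post): given the text of /etc/fstab and
/etc/crypttab, report whether /tmp, /var/tmp, /var/spool/mail, /home and swap
are backed by a dm-crypt mapping.  Sample inputs below are constructed.
"""
import re

# Mount points the thread singles out; "swap" stands for the swap device.
SENSITIVE = ("/tmp", "/var/tmp", "/var/spool/mail", "/home", "swap")

# Constructed sample inputs, not taken from any real system.
SAMPLE_FSTAB = """\
# <device>            <mount>          <type>  <options>   <dump> <pass>
/dev/sda2             /                ext3    defaults    1 1
/dev/mapper/cr_home   /home            ext3    defaults    1 2
/dev/mapper/cr_tmp    /tmp             ext3    defaults    1 2
/dev/mapper/cr_swap   swap             swap    defaults    0 0
UUID=1234-ABCD        /var/spool/mail  ext3    defaults    1 2
"""
SAMPLE_CRYPTTAB = """\
# <name>   <device>   <key>         <options>
cr_home    /dev/sda5  none          luks
cr_tmp     /dev/sda6  /dev/urandom  tmp
cr_swap    /dev/sda7  /dev/urandom  swap
"""


def _fields(text):
    """Yield the whitespace-split fields of each non-comment, non-empty line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()


def parse_crypttab(text):
    """Map crypttab mapper name -> (backing device, key source, option set)."""
    table = {}
    for f in _fields(text):
        if len(f) < 2:
            continue
        key = f[2] if len(f) > 2 else "none"
        opts = set(f[3].split(",")) if len(f) > 3 else set()
        table[f[0]] = (f[1], key, opts)
    return table


def parse_fstab(text):
    """Return (device, mountpoint, fstype, option set) tuples from fstab text."""
    return [(f[0], f[1], f[2], set(f[3].split(",")))
            for f in _fields(text) if len(f) >= 4]


def _mapper_name(device):
    """Return the dm name if device is /dev/mapper/<name>, else None."""
    m = re.match(r"^/dev/mapper/([^/\s]+)$", device)
    return m.group(1) if m else None


def audit(fstab_text, crypttab_text):
    """Return {sensitive target: status string}."""
    crypt = parse_crypttab(crypttab_text)
    entries = parse_fstab(fstab_text)
    mounts = {mp: (dev, opts) for dev, mp, fs, opts in entries if fs != "swap"}
    swaps = [dev for dev, _mp, fs, _opts in entries if fs == "swap"]
    report = {}
    for target in SENSITIVE:
        if target == "swap":
            if not swaps:
                report[target] = "no swap configured"
                continue
            name = _mapper_name(swaps[0])
            if name not in crypt:
                report[target] = "PLAINTEXT"
            elif crypt[name][1] == "/dev/urandom":
                # Fresh key every boot: nothing in swap survives a reboot,
                # so a suspend-to-disk image written there cannot be resumed.
                report[target] = "encrypted (random key; breaks suspend-to-disk)"
            else:
                report[target] = "encrypted (persistent key)"
            continue
        # A target without its own fstab line inherits the longest parent mount.
        parent = max((mp for mp in mounts
                      if target == mp or target.startswith(mp.rstrip("/") + "/")),
                     key=len, default=None)
        if parent is None:
            report[target] = "no covering mount in fstab"
            continue
        dev, opts = mounts[parent]
        encrypted = _mapper_name(dev) in crypt
        via = "" if parent == target else f" via {parent}"
        if not encrypted:
            report[target] = f"PLAINTEXT{via}"
        elif via:
            report[target] = f"encrypted{via}"
        elif "noauto" in opts:
            report[target] = "encrypted (noauto; mounted on demand)"
        else:
            report[target] = "encrypted"
    return report


if __name__ == "__main__":
    for target, status in audit(SAMPLE_FSTAB, SAMPLE_CRYPTTAB).items():
        print(f"{target:16} {status}")
```

Run it against the real files with `audit(open("/etc/fstab").read(), open("/etc/crypttab").read())`; anything reported as PLAINTEXT is a place where the tempfile or mail-spool leak described above lands on the disk in the clear. The check only looks at /dev/mapper names listed in crypttab, so per-user containers mounted by pam_mount after login will not appear here and have to be verified separately.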