On Thursday 06 August 2009 04:16:42 Siggy Brentrup wrote:
> On Tue, Aug 04, 2009 at 18:50 -0500, line...@halo.nu wrote:
> > Hi -
> >
> > I have a Debian Etch system which I recently upgraded to v5.0.2.
> > The file system was encrypted with LUKS at install time.
>
> Please bear with me, I'm asking this out of curiosity. Why did you
> encrypt the full root FS? I can understand that you want your $HOME
> encrypted, to a lesser degree I can follow you even with /etc, /tmp
> and /var, but why do you take the performance penalty on publicly
> available stuff?

I'm not the OP, but we do this at work because of policy -- we require full-disk encryption for portable systems, and the dm-crypt scheme doing everything except /boot is considered acceptable under the guidelines.

I think the policy is this way partially because it's an easy line to draw, and doesn't involve a lot of guesswork.

There can also be "leakage" out of your home directory -- applications sometimes store lists of recently-viewed documents in /var, and of course the system logs are in /var/log, plus there are dynamic entries in some config files, which might expose details of your network environment -- where are *your* WPA credentials cached?

So, encrypting as much as you can meets the confidentiality need in an easy-to-describe, easy-to-enforce, and relatively easy-to-implement way.

-- A.

--
Andrew Reid / rei...@bellatlantic.net