On Mon, Feb 21, 2011 at 2:00 AM, Heddle Weaver <[email protected]> wrote:
> On 21 February 2011 15:32, Erwan David <[email protected]> wrote:
>
>> On 21/02/11 05:05, Ron Johnson wrote:
>> > On 02/20/2011 09:46 PM, Heddle Weaver wrote:
>> >> Greetings all,
>> >>
>> >> looking at the collective knowledge factor, what's the best disc
>> >> encryption package?
>> >
>> > Do you want to encrypt *everything* or just a few folders?
>> >
>
> Everything, including swap.
>

Like Erwan, I use cryptsetup/LUKS. Doing so through the installer will allow/require you to encrypt swap. However, you will be unable to encrypt /boot. The boot manager will need to access /boot to be able to access cryptsetup to decrypt the filesystems.

That said, if you don't want a decrypted /boot living on your hard drive, you can insert a thumb drive (512MB-1GB if you can find one that small) during install and configure it as /boot. Have a backup stick and regularly rsync it to account for updated packages, etc. as well as in case the first drive fails. I have done this on a couple of laptops.

>> >> What's everybody using?
>> >> Two examples of Xzibit this week and hash changes showing up in the
>> >> logs.
>> >
>

Also, please remember, when the system is running, the filesystem is *decrypted*. Encryption is not going to protect you when the system is running. I am not familiar with the xzibit rootkit, but you should probably be looking more toward an IDS/IPS (intrusion detection/prevention system), such as snort, ossec, etc. rather than encryption as your defense...try and have multiple layers of security, so that bypassing one will trigger another.

--b
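The layout described in the message above (everything on LUKS, swap included, with only /boot left in the clear on a thumb drive) can be checked after install. The following is an added example, not part of the original message: the function name `unencrypted_mounts` and the sample device names are constructed for illustration, and it assumes each device has a single parent (no RAID) in `lsblk` pairs output.

```shell
# Added example (not from the thread): flag mounted filesystems and swap
# areas that have no dm-crypt device anywhere beneath them.
# Real use: lsblk -P -o NAME,PKNAME,TYPE,MOUNTPOINT | unencrypted_mounts

# Constructed sample: LUKS on sda2 with LVM inside, /boot on a USB stick
# (sdb1) and a leftover plaintext swap partition (sda3).
sample_lsblk() {
cat <<'EOF'
NAME="sda" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="sda2" PKNAME="sda" TYPE="part" MOUNTPOINT=""
NAME="sda2_crypt" PKNAME="sda2" TYPE="crypt" MOUNTPOINT=""
NAME="vg-root" PKNAME="sda2_crypt" TYPE="lvm" MOUNTPOINT="/"
NAME="vg-swap" PKNAME="sda2_crypt" TYPE="lvm" MOUNTPOINT="[SWAP]"
NAME="sda3" PKNAME="sda" TYPE="part" MOUNTPOINT="[SWAP]"
NAME="sdb" PKNAME="" TYPE="disk" MOUNTPOINT=""
NAME="sdb1" PKNAME="sdb" TYPE="part" MOUNTPOINT="/boot"
EOF
}

# Reads lsblk pairs output on stdin; prints "MOUNTPOINT DEVICE" per plaintext mount.
unencrypted_mounts() {
  awk '
    # Return the value of key="..." on the current line ("" if absent).
    function val(key,   s) {
      s = " " $0
      if (!match(s, " " key "=\"[^\"]*\"")) return ""
      s = substr(s, RSTART, RLENGTH)
      sub(/^[^"]*"/, "", s); sub(/"$/, "", s)
      return s
    }
    {
      n = val("NAME")
      if (!(n in type)) order[++cnt] = n
      parent[n] = val("PKNAME"); type[n] = val("TYPE"); mnt[n] = val("MOUNTPOINT")
    }
    END {
      for (i = 1; i <= cnt; i++) {
        n = order[i]
        if (mnt[n] == "") continue
        enc = 0
        # Walk up the parent chain looking for a crypt layer.
        for (d = n; d != ""; d = parent[d])
          if (type[d] == "crypt") { enc = 1; break }
        if (!enc) print mnt[n], n
      }
    }
  '
}

sample_lsblk | unencrypted_mounts
```

On a system set up as described, the only line reported should be /boot; the constructed sample also reports the stray swap partition on sda3.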

