Indeed I am. For several reasons. First off, it is the path of least resistance. If I LUKS encrypt the whole banana, I only need one passphrase or key file for the entire thing. If I have to manually decrypt a number of filesystems, I end up having to type multiple passphrases (best security practice says each should have a different passphrase). Yes, I know using keyfiles, I could work around this.
The second reason is that there are several places other than /home where data I would probably want to encrypt live. /etc comes to mind... And /root, on the same principle as encrypting /home... And if encrypting /var falls into the same logic (not encrypting such things as /var/log or /var/cache), then we should at least encrypt /var/lib, nominally /var/mail, and any other directories (e.g. subversion, mediawiki, mysql, etc). Plus if you put anything in /usr/local (opsview places its files there), since encrypting /usr would include standard packages... Oh, and we should probably do /opt, since Nessus installs everything into that directory tree. So managing this would become a headache after a while, with each machine having its own individual list of encrypted directories.

No, I just encrypt the entire thing and if I get some stuff that is standard, so be it. Besides, then it is only one encrypted portion to decrypt rather than 10 or 11. I'm not sure how much of a performance hit there is from having separate directories encrypted as opposed to a single large one. Plus there is always the chance that you will miss something. It very quickly turns into a logistical nightmare that doesn't scale very well. That is the reason I encrypt the entire banana rather than trying to encrypt the peel.

--b

On Sat, Nov 26, 2011 at 11:49 AM, Curt <cu...@free.fr> wrote:

> On 2011-11-26, Brad Alexander <stor...@gmail.com> wrote:
> >
> > Hi,
> >
> > I have been using full-disk encryption on my laptop for several years over
> > several laptops. My current one is a Dell Latitude E6500 with a 2.66GHz
> > Core2Duo P9600 with 4GB of RAM, and the lag from encryption is not
> > noticeable.
>
> There's something I'm not getting. You're encrypting the freely available,
> open-source operating system? Why would anyone do that?
>
> Or is just to make it simpler, you encrypt the whole banana, even though
> you don't care about the peel?
>
> I've been thinking about encrypting certain folders in my home directory
> that contain sensitive information. Is there an easy way to do that?
>
> Well, forget it, I'm hijacking the thread.