On Mon 01 Jul 2019 at 15:56:14 (-0400), Gene Heskett wrote:
> On Monday 01 July 2019 09:33:35 David Wright wrote:
> > On Mon 01 Jul 2019 at 06:05:52 (-0400), Gene Heskett wrote:
> > > On Monday 01 July 2019 03:52:55 Jonathan Dowland wrote:
> > > > On Sun, Jun 30, 2019 at 12:45:57PM -0400, Gene Heskett wrote:
> > > > > At this point, I'd call it a buster delaying bug. That last is
> > > > > going to cost too many that can't ignore it and don't have
> > > > > unencrypted backups. That's going to be a lot of very bad PR.
> > > >
> > > > It's the release team's call, generally speaking, and one of the
> > > > things they might factor in is the size of the user-base for the
> > > > troublesome package. I'm surprised to find that it's extremely
> > > > small according to popcon data: less than 1% of reporters:
> > > > https://qa.debian.org/popcon.php?package=ecryptfs-utils
> > > >
> > > > Compare just two alternatives:
> > > >
> > > > encfs: 1.14% https://qa.debian.org/popcon.php?package=encfs
> > > > cryptsetup: 15% https://qa.debian.org/popcon.php?package=cryptsetup
> > >
> > > That does put a better light on it. From the comments so far, I was
> > > thinking I'm one of the few not using it. I've depended on dd-wrt
> > > between me and the internet for the last 16 years, and even before
> > > that I was on dialup, and the dialup folks didn't have enough
> > > bandwidth to attract the black hats, so I've never been touched.
> >
> > I was under the impression that these two forms of security, firewalls
> > and encryption, are completely orthogonal. Once you've unlocked, say,
> > an encrypted partition, you're now reliant on the firewall to keep
> > strangers out of your files. OTOH a perfect firewall is of no benefit
> > when your laptop is stolen.
> >
> > > With all the publicity this thread has given the issue, I'll change
> > > my mind (as if it matters to the team :) and say adequate notice and
> > > mitigating paths seem to have been given. Those that are using it
> > > I'd call pretty advanced, and they are reading this list just for the
> > > notices given, so they shouldn't be surprised. So I'll do an Andy
> > > Capp and shuddup.
> >
> > The grey area for me is the relative benefit of encrypting file by
> > file compared with the whole partition. Assuming that there's just one
> > passphrase involved in each scenario, is more protection given by the
> > former method? After all, once a partition is unlocked, all users on
> > the system are able to read all the files, subject to the normal unix
> > permissions, ACLs, etc.
>
> Whole filesystem encryption would be a total non-starter for me.

Fair enough. Could you reveal why, or are your reasons cryptic too?

> File by file with different passwd's according to what's in the file
> would make far more sense to me. That's my $0.02.

I can't see how anyone would cope with a scheme like that. How would you
remember all those passwords? OTOH I can see that each file must have an
individual encryption key, but the encryption scheme looks after
generating those. Otherwise you would have a large sample of encrypted
but known-cleartext files available for cracking attempts. (Remember that
the filenames are not encrypted, and many files on a system will have
entirely predictable contents, e.g. much of /usr, your Debian package
cache, and so on.)

Cheers,
David.
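The per-file-key arrangement David describes at the end of his reply (one passphrase for the user, but a separate key for every file that the encryption layer generates itself; eCryptfs does this with a random file encryption key wrapped under the mount-wide key), as an added example that is not part of the thread and not eCryptfs's code or on-disk format. It also constructs the contrasting case, one key and one fixed IV reused for every file, and shows what a predictable file such as one from /usr buys an attacker there. Every name here (DeriveMasterKey, EncryptFile, DecryptFile, EncryptNaively, RecoverWithKnownPlaintext), the iterated-SHA-256 passphrase stretching and the sample file contents are this example's own assumptions; only the Go standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// DeriveMasterKey: passphrase -> mount-wide key. Iterated SHA-256 is a constructed stand-in for a real KDF (use PBKDF2/scrypt/Argon2).
func DeriveMasterKey(passphrase, salt []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), passphrase...))
	for i := 0; i < 10000; i++ {
		h = sha256.Sum256(h[:])
	}
	return h[:]
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func gcmSeal(key, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func gcmOpen(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
}

// EncryptFile draws a fresh random file encryption key (FEK) per file; returns the FEK sealed under the master key and the contents sealed under the FEK (hypothetical layout, not eCryptfs's).
func EncryptFile(master, plaintext []byte) (wrappedFEK, body []byte, err error) {
	fek := make([]byte, 32)
	if _, err = rand.Read(fek); err != nil {
		return nil, nil, err
	}
	if wrappedFEK, err = gcmSeal(master, fek); err != nil {
		return nil, nil, err
	}
	body, err = gcmSeal(fek, plaintext)
	return wrappedFEK, body, err
}

// DecryptFile unwraps the FEK with the master key, then opens the body; a wrong passphrase fails at the unwrap step (GCM tag mismatch).
func DecryptFile(master, wrappedFEK, body []byte) ([]byte, error) {
	fek, err := gcmOpen(master, wrappedFEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap file key: %w", err)
	}
	return gcmOpen(fek, body)
}

// EncryptNaively is the contrast case, constructed to be insecure: one key for every file and a fixed zero IV, so the AES-CTR keystream repeats across files.
func EncryptNaively(master, plaintext []byte) []byte {
	block, _ := aes.NewCipher(master) // master is 32 bytes from DeriveMasterKey
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, plaintext)
	return out
}

// RecoverWithKnownPlaintext: under EncryptNaively, known plaintext XOR its ciphertext is the keystream, which strips any other file up to that length without learning the key.
func RecoverWithKnownPlaintext(knownPt, knownCt, targetCt []byte) []byte {
	n := len(targetCt)
	if len(knownCt) < n {
		n = len(knownCt)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = knownPt[i] ^ knownCt[i] ^ targetCt[i]
	}
	return out
}

func main() {
	master := DeriveMasterKey([]byte("correct horse"), []byte("constructed-salt"))
	known := []byte("#!/bin/sh\n# constructed stand-in for a predictable file under /usr")
	target := []byte("secret: launch codes 1234")
	fmt.Printf("naive single-key scheme leaks %q\n", RecoverWithKnownPlaintext(known, EncryptNaively(master, known), EncryptNaively(master, target)))
}
```

The two halves make the point in the reply concrete. With a random key per file, encrypting the same contents twice yields unrelated wrapped keys and bodies, so a predictable file on disk tells an attacker nothing about any other file, and the master key is only ever used to seal 32-byte random keys. With one key and a repeated IV, the attacker does not need to "crack" anything: a single known file (a shell script from /usr, a cached .deb) hands over the keystream, and every other file of that length or shorter decrypts by XOR. Real systems also authenticate the wrapped key so a wrong passphrase fails cleanly instead of producing garbage, which is what the GCM tag check in DecryptFile does here.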