On 28/06/2017 at 20:33, Rick Moen wrote:
Quoting Didier Kryn (k...@in2p3.fr):

     I don't see any reason to encrypt /usr. You might like to
encrypt /etc because it contains user names and (already encrypted)
passwords. But definitely there is no reason to encrypt everything.

/home would be where I keep anything that's sensitive.  I'm unclear on
why usernames in /etc are deemed sensitive, but I'm sure needs differ.

Temporary files in /tmp are sometimes a little sensitive and sometimes
greatly so.  (It's usually a tmpfs on my systems.)  Operational paranoia
suggests keeping it at least cleaned up frequently, if you're going to
bother to have /home as a dmcrypt filesystem.  That's where tmpfs is
actually helpful in the sense that erasure means a file from there is
truly gone.

Sure, /home is the first place one thinks of encrypting and /tmp is the second, together with possible other fancy dirs. Encrypting passwd and the like would just add a little security-through-obscurity by even hiding the usernames; this is why I considered /etc as a third (non-obvious) thing to encrypt; /etc also contains every local configuration, and it might make sense to hide it all.

To simplify, all of /home and /tmp aren't really part of the OS. The OS can boot without them. All the rest is the OS and is the same as any other install of the same OS; and there isn't any reason to encrypt something which is published and widespread.

    Didier

_______________________________________________
Dng mailing list
Dng@lists.dyne.org
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
