On Fri, Oct 30, 2009 at 07:57:08PM -0400, Brad Tilley wrote:
> I wrote some notes on how I normally encrypt /home on OpenBSD laptops.
> I was hoping misc could read it and bash it around some. I'd like to
> know if I'm doing something wrong. No jokes about Beck's ass please :)
>
> http://16systems.com/openbsd_laptop_encryption.txt

Encrypting just /home is dangerous. Do you know where vi(1) keeps its backup files? Are you *sure* that's the only application that works like that? And that nothing ever uses /tmp?

Realistically, / cannot be encrypted since you need some files to boot, and /usr can probably reasonably be kept unencrypted. Everything else - /home, /tmp, /var - needs encryption (or not, but in that case nothing does).

You should also be careful to note that /root is not encrypted under this scheme.

Joachim
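
An added example, not part of the original message or of the linked notes: a small sh check that resolves each path to the filesystem holding it (longest matching mount point) and lists the paths that land on an unencrypted device. The fstab contents, the device names and the choice of /dev/svnd as the "encrypted" prefix are constructed assumptions for illustration.

```sh
#!/bin/sh
# Constructed sample fstab for a "/home only" scheme. Device names are assumed.
SAMPLE_FSTAB='/dev/wd0a / ffs rw 1 1
/dev/wd0d /usr ffs rw,nodev 1 2
/dev/wd0e /var ffs rw,nodev,nosuid 1 2
/dev/wd0f /tmp ffs rw,nodev,nosuid 1 2
/dev/svnd0a /home ffs rw,nodev,nosuid 1 2'

# Device-name prefixes treated as encrypted (assumption; adjust to your setup).
ENCRYPTED_PREFIXES='/dev/svnd'

# device_for PATH: print the device whose mount point is the longest
# prefix of PATH. A path with no mount point of its own falls through to /.
device_for() {
    want=$1
    best_len=-1
    best_dev=
    while read -r dev mp rest; do
        case $dev in ''|'#'*) continue ;; esac
        case $mp in
            /) match=1 ;;
            *) case "$want/" in "$mp"/*) match=1 ;; *) match=0 ;; esac ;;
        esac
        if [ "$match" -eq 1 ] && [ "${#mp}" -gt "$best_len" ]; then
            best_len=${#mp}
            best_dev=$dev
        fi
    done <<EOF
$SAMPLE_FSTAB
EOF
    printf '%s\n' "$best_dev"
}

# is_encrypted PATH: succeed if PATH's filesystem is on an encrypted device.
is_encrypted() {
    found_dev=$(device_for "$1")
    for prefix in $ENCRYPTED_PREFIXES; do
        case $found_dev in "$prefix"*) return 0 ;; esac
    done
    return 1
}

# exposed_paths PATH...: print every PATH that is stored unencrypted.
exposed_paths() {
    for target in "$@"; do
        is_encrypted "$target" || printf '%s\n' "$target"
    done
}

exposed_paths /home/user /tmp /var/tmp /root
```

With the sample layout, /root shows up as exposed because it has no filesystem of its own and therefore lives on the unencrypted /.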