On Sat, Oct 31, 2009 at 09:52:06AM -0400, Brad Tilley wrote:
> On Sat, Oct 31, 2009 at 9:30 AM, Joachim Schipper
> <joac...@joachimschipper.nl> wrote:

[My (Joachim's) message, snipped by Brad:

Encrypting just /home is dangerous. Do you know where vi(1) keeps its backup
files? Are you *sure* that's the only application that works like that? And
that nothing ever uses /tmp?

Realistically, / cannot be encrypted since you need some files to boot, and
/usr can probably reasonably be kept unencrypted. Everything else - /home,
/tmp, /var - needs encryption (or not, but in that case nothing does).]

> > You should also be careful to note that /root is not encrypted under this
> > scheme.
>
> The title says it all. Like most normal people, I keep data in /home.
> I don't care about meta data that might be in /tmp and I do not wish
> to encrypt /. This is not an effort to avoid law-enforcement or
> encrypt every bit on the disk, only to provide some privacy for the
> vast majority of my data should the laptop be lost or stolen and
> end up in a pawn shop. Encrypting /home does that, nothing more.

You snipped everything except a tangential note and then responded to the
rest of the message. Bad form.

I can't tell whether you miss the point or are arguing that a 90% solution
is good enough.

In the first case: try it. Run vi(1) on some file. Observe the file full of
zeroes in /var/tmp/vi.recover. Edit some stuff in the file. Observe the file
full of snippets of your original file in /var/tmp/vi.recover. Generalize
this behaviour to many other applications.

In the second case: OpenBSD isn't about 90% solutions, and this sort of
thing is exactly why "HOWTO"-style documents are regarded with deep
suspicion here. If 90% is good enough for you, go ahead - but don't tell
others to do it that way. Not even with a huge flashing banner saying 'this
is a bad idea' at the top.

		Joachim
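The check Joachim's argument calls for, as an added example that is not part of the thread: resolve each path an application writes to outside $HOME to the mount point that actually backs it and report the ones on unencrypted filesystems. The mount table is constructed, and the device names and the "crypto"/"plain" flag are assumptions standing in for what mount(8) and the real disk layout would show.

```sh
#!/bin/sh
# Added example (not from the thread): map scratch paths that applications
# write outside $HOME onto the filesystem that backs them, and report which
# of those land on an unencrypted mount. The mount table below is constructed;
# the device names and the "crypto"/"plain" flag are assumptions standing in
# for whatever mount(8) and your disk layout actually show.
MOUNTS='/ sd0a plain
/usr sd0d plain
/var sd0e plain
/home sd2a crypto'

# Paths named in the thread as places data ends up outside /home.
SCRATCH_PATHS='/var/tmp/vi.recover /tmp /root /home/brad/notes.txt'

# mount_for PATH: print "MOUNTPOINT FLAG" for the longest mount point that
# contains PATH (so /var/tmp/... resolves to /var, not /).
mount_for() {
    path=$1 best= bestenc= bestlen=-1
    while read -r mp dev enc; do
        [ -n "$mp" ] || continue
        case "$path" in
            "$mp"|"$mp"/*) ;;                 # exact match or a child of this mount
            *) [ "$mp" = / ] || continue ;;   # "/" is a prefix of everything
        esac
        len=${#mp}
        if [ "$len" -gt "$bestlen" ]; then
            best=$mp bestenc=$enc bestlen=$len
        fi
    done <<EOF
$MOUNTS
EOF
    printf '%s %s\n' "$best" "$bestenc"
}

# unencrypted_paths: one line per scratch path whose backing mount is not
# encrypted, with the mount point it actually lives on.
unencrypted_paths() {
    for p in $SCRATCH_PATHS; do
        set -- $(mount_for "$p")
        [ "$2" = crypto ] || printf '%s (on %s)\n' "$p" "$1"
    done
}

unencrypted_paths
```

With the table above, /home/brad/notes.txt is the only path reported as protected; the vi(1) recovery file, /tmp and /root all resolve to plain mounts, which is the leak the message describes.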