Am 11/01/2009 09:36 AM, schrieb Joachim Schipper:
On Sat, Oct 31, 2009 at 09:52:06AM -0400, Brad Tilley wrote:
On Sat, Oct 31, 2009 at 9:30 AM, Joachim Schipper
<joac...@joachimschipper.nl> wrote:
[My (Joachim's) message, snipped by Brat:
Encrypting just /home is dangerous. Do you know where vi(1) keeps its
backup files? Are you *sure* that's the only application that works like
that? And that nothing ever uses /tmp?
Realistically, / cannot be encrypted since you need some files to boot,
and /usr can probably reasonably be kept unencrypted. Everything else -
/home, /tmp, /var - needs encryption (or not, but in that case nothing
does).]
You should also be careful to note that /root is not encrypted under this
scheme.
The title says it all. Like most normal people, I keep data in /home.
I don't care about meta data that might be in /tmp and I do not wish
to encrypt /. This is not an effort to avoid law-enforcement or
encrypt every bit on the disk, only to provide some privacy for the
vast majority of my data should the laptop be lost or stolen and
end-up in a pawn shop. Encrypting /home does that, nothing more.
You snipped everything except a tangential note and then responded to
the rest of the message. Bad form.
I can't tell whether you miss the point or are arguing that a 90%
solution is good enough.
In the first case: try it. Run vi(1) on some file. Observe the file full
of zeroes in /var/tmp/vi.recover. Edit some stuff in the file. Observe
the file full of snippets of your original file in /var/tmp/vi.recover.
Generalize this behaviour to many other applications.
In the second case: OpenBSD isn't about 90% solutions, and this sort of
thing is exactly why "HOWTO"-style documents are regarded with deep
suspicion here. If 90% is good enough for you, go ahead - but don't tell
others to do it that way. Not even with a huge flashing banner saying
'this is a bad idea' at the top.
Joachim
Especially because OpenBSD isn't about 90% solutions i still don't
understand why nobody seems to be interested in finding a solution for
encrypting entire / (except sth like the /boot partition like it is in
(yeah, i know...) linux + luks.
E.g. certificates are normally stored in /etc and in most
encryption-cases you would surely like to protect them, too.
greetings,
Elias
