On Fri, Nov 13, 2009 at 02:50:40PM +0100, elias r. wrote:
> On 11/01/2009 09:36 AM, Joachim Schipper wrote:
> >On Sat, Oct 31, 2009 at 09:52:06AM -0400, Brad Tilley wrote:
> >>On Sat, Oct 31, 2009 at 9:30 AM, Joachim Schipper
> >><joac...@joachimschipper.nl> wrote:
> >[My (Joachim's) message, snipped by Brad:
> >Encrypting just /home is dangerous. Do you know where vi(1) keeps its
> >backup files? Are you *sure* that's the only application that works like
> >that? And that nothing ever uses /tmp?
> >
> >Realistically, / cannot be encrypted since you need some files to boot,
> >and /usr can probably reasonably be kept unencrypted. Everything else -
> >/home, /tmp, /var - needs encryption (or not, but in that case nothing
> >does).]
> >>>You should also be careful to note that /root is not encrypted under this
> >>>scheme.
> >>
> >>The title says it all. Like most normal people, I keep data in /home.
> >>I don't care about meta data that might be in /tmp and I do not wish
> >>to encrypt /. This is not an effort to avoid law-enforcement or
> >>encrypt every bit on the disk, only to provide some privacy for the
> >>vast majority of my data should the laptop be lost or stolen and
> >>end up in a pawn shop. Encrypting /home does that, nothing more.
> >
> >You snipped everything except a tangential note and then responded to
> >the rest of the message. Bad form.
> >
> >I can't tell whether you miss the point or are arguing that a 90%
> >solution is good enough.
> >
> >In the first case: try it. Run vi(1) on some file. Observe the file full
> >of zeroes in /var/tmp/vi.recover. Edit some stuff in the file. Observe
> >the file full of snippets of your original file in /var/tmp/vi.recover.
> >Generalize this behaviour to many other applications.
> >
> >In the second case: OpenBSD isn't about 90% solutions, and this sort of
> >thing is exactly why "HOWTO"-style documents are regarded with deep
> >suspicion here. If 90% is good enough for you, go ahead - but don't tell
> >others to do it that way. Not even with a huge flashing banner saying
> >'this is a bad idea' at the top.
> >
> > Joachim
>
> Especially because OpenBSD isn't about 90% solutions, I still don't
> understand why nobody seems to be interested in finding a solution for
> encrypting the entire / (except something like the /boot partition, like it is in
> (yeah, I know...) Linux + LUKS).
> E.g. certificates are normally stored in /etc and in most
> encryption cases you would surely like to protect them, too.

What's the point of encrypting certificates? They only contain information that is public.

-Otto
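The practical check behind Joachim's argument is whether the directories applications scribble into (vi's /var/tmp/vi.recover, /tmp, /root) actually sit on an encrypted volume or only /home does. Below is an added audit script, not code from anyone in this thread, that resolves a list of such directories against a mount table and reports the ones backed by an unencrypted device. The mount(8)-style output and the set of "encrypted" device names (/dev/sd2a standing in for a softraid crypto volume) are constructed sample data; on a real system you would feed it the output of mount(8) and the devices you know to be crypto volumes.

```python
"""Report well-known scratch/data directories that live on unencrypted mounts."""
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of OpenBSD mount(8) output (not captured output).
# Only /home is on the (assumed) encrypted volume /dev/sd2a; / and /var are plain.
SAMPLE_MOUNT_OUTPUT = """\
/dev/sd0a on / type ffs (local)
/dev/sd0d on /usr type ffs (local, nodev)
/dev/sd0e on /var type ffs (local, nodev, nosuid)
/dev/sd2a on /home type ffs (local, nodev, nosuid)
"""

# Constructed assumption: which devices are crypto volumes.
SAMPLE_ENCRYPTED_DEVICES: Set[str] = {"/dev/sd2a"}

# Directories that commonly end up holding fragments of user data
# (editor recovery files, temp files, root's own dotfiles, keys in /etc).
SCRATCH_PATHS: List[str] = ["/home", "/root", "/tmp", "/var/tmp", "/etc"]


def parse_mounts(text: str) -> Dict[str, str]:
    """Map mount point -> device from '<dev> on <mountpoint> type ...' lines."""
    mounts: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "on":
            mounts[parts[2]] = parts[0]
    return mounts


def mount_for(path: str, mounts: Dict[str, str]) -> str:
    """Longest-prefix match: the mount point whose subtree contains `path`."""
    best = "/"
    for mp in mounts:
        prefix = mp.rstrip("/") + "/"
        if path == mp or path.startswith(prefix):
            if len(mp) > len(best):
                best = mp
    return best


def unencrypted_paths(
    mount_text: str,
    encrypted_devices: Set[str],
    paths: List[str] = SCRATCH_PATHS,
) -> List[Tuple[str, str, str]]:
    """Return (path, mount point, device) for each path NOT on an encrypted device."""
    mounts = parse_mounts(mount_text)
    if "/" not in mounts:
        raise ValueError("mount table has no root filesystem")
    findings = []
    for p in paths:
        mp = mount_for(p, mounts)
        dev = mounts[mp]
        if dev not in encrypted_devices:
            findings.append((p, mp, dev))
    return findings


if __name__ == "__main__":
    for path, mp, dev in unencrypted_paths(SAMPLE_MOUNT_OUTPUT, SAMPLE_ENCRYPTED_DEVICES):
        print(f"{path:10s} -> mounted at {mp:6s} on {dev} (unencrypted)")
```

With the sample table this flags /root, /tmp, /var/tmp and /etc, which is exactly the gap the thread describes: /home is covered, but vi's recovery directory under /var and root's home under / are not. Adding /dev/sd0a and /dev/sd0e to the encrypted set makes the report empty, which is the "everything except /usr" layout Joachim sketches.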