On Wed, Jul 19, 2006 at 09:31:19PM +0700, Dave Patterson wrote:
> * [EMAIL PROTECTED] <[EMAIL PROTECTED]> [2006-07-19 12:02:42 -0000]:
>
> > Do I need to make an extra, unused partition when I install Debian on
> > a new computer, before I try to use cryptsetup to add an encrypted
> > filesystem?
> >
> It depends on how you want to do this. If you want a completely encrypted
> filesystem with swap, yes.
>
> A how-to here:
>
> <http://www.debianhelp.org/node/1074>
>
> This one takes GRUB completely off the hard drive, and you boot Debian with
> a USB key. Modify it according to your tastes.

As far as I know, the Debian procedure requires encryption of whole filesystems. It is up to you how many of your partitions are encrypted. If you don't have at least one unencrypted filesystem on the disk then you will of course need some removable media to boot off.

The /etc/crypttab file contains the list of encrypted filesystems to be configured (by default during boot) resulting in a new device with the unencrypted partition, which can then be mounted via an entry in /etc/fstab.

In my opinion it is more secure to keep confidential data in a dedicated encrypted partition which is only initialised and mounted when really needed. If you are really paranoid, you can remove your network connection whenever the secret data is mounted.

If you have the entire system encrypted and mount everything at boot, then your data is only safe when the computer is turned off. A hacker who gains root has everything...

If you don't want to encrypt entire partitions, then look at CFS, which uses loopback NFS hooks to create personal encrypted file trees on a per user basis. Users can create their own encrypted directories without needing root access once it is installed.

Regards,
DigbyT
--
Digby R. S. Tarvin digbyt(at)digbyt.com
http://www.digbyt.com
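
The following is an added example, not part of the original message or of Debian's own tooling: a small audit that reads /etc/crypttab and /etc/fstab contents and reports, per mapping, whether it is unlocked and mounted at boot or only on demand, which is the distinction the reply draws. The sample file contents, device names and mount points are constructed, and it assumes fstab refers to each mapping as /dev/mapper/<target>.

```python
# Added example: audit crypttab/fstab text for volumes opened or mounted at boot.
# Sample contents are constructed; device names and mount points are assumptions.

CRYPTTAB = """\
# <target> <source device> <key file> <options>
cswap    /dev/sda2   /dev/urandom   swap
chome    /dev/sda3   none           luks
secret   /dev/sda4   none           luks,noauto
"""

FSTAB = """\
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/sda1           /        ext3  defaults         0 1
/dev/mapper/cswap   none     swap  sw               0 0
/dev/mapper/chome   /home    ext3  defaults         0 2
/dev/mapper/secret  /secret  ext3  noauto,noatime   0 0
"""

def rows(text):
    """Yield whitespace-split fields of non-blank, non-comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()

def audit(crypttab, fstab):
    """Map each crypttab target to when it is unlocked and when it is mounted."""
    mounts = {}
    for f in rows(fstab):
        if len(f) >= 4:
            mounts[f[0]] = (f[1], f[3].split(","))
    report = {}
    for f in rows(crypttab):
        name = f[0]
        opts = f[3].split(",") if len(f) > 3 else []
        # crypttab "noauto": the mapping is skipped at boot and set up by hand.
        entry = {"unlock": "manual" if "noauto" in opts else "boot"}
        mnt = mounts.get("/dev/mapper/" + name)
        if mnt is None:
            entry["mount"] = "unlisted"
        else:
            # fstab "noauto": not mounted by "mount -a" during boot.
            entry["mount"] = "manual" if "noauto" in mnt[1] else "boot"
            entry["mountpoint"] = mnt[0]
        report[name] = entry
    return report

if __name__ == "__main__":
    for name, e in audit(CRYPTTAB, FSTAB).items():
        print(name, e)
```

A mapping reported as manual on both sides is brought up with `cryptdisks_start secret` followed by `mount /secret`, and taken down with `umount /secret` and `cryptdisks_stop secret`.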