Douglas A. Tutty wrote:
> On Wed, Apr 08, 2009 at 11:26:20AM -0400, H.S. wrote:
>> Douglas A. Tutty wrote:
>>> On Tue, Apr 07, 2009 at 06:17:56PM -0400, H.S. wrote:
>>>> Douglas A. Tutty wrote:
>>>>> On Tue, Apr 07, 2009 at 05:46:31PM -0400, H.S. wrote:
>>>>>> Douglas A. Tutty wrote:
>
>>> $ cat /proc/swaps:
>>> Filename Type Size Used Priority
>>> /dev/mapper/sda2_crypt partition 979956 0 -1
>>>
>>> $ mount | grep -i /tmp
>>> /dev/mapper/sdb1_crypt on /var/tmp type ext3 (rw,data=journal)
>>> tmpfs on /tmp type tmpfs (rw,size=500m)
>
>>> There are a limited number of places where a piece of software can leak
>>> info:
>>>
>>> 1. to /tmp: it's encrypted
>>> 2. to /var/tmp: it's encrypted
>>> 3. to somewhere on ~/: I have /home encrypted
>>> 4. left in swap: it's encrypted
>>> 5. in a core dump after a crash: use ulimit (see man bash) to
>>> limit core dump size to 0
>>>
>>> Of course, the unencrypted data is in memory, so anything that can read
>>> any memory segment can read your data.
>
>
>> I am curious, what is the performance cost to have your ~/ and /tmp and
>> /swap encrypted? What kind of machine are you using?
>
> I see no performance cost and I've done this on a PII-233 on old IDE
> disks and now on a PII-450 with two SCSI disks.
>
> Think of it this way: Data has to go out to disk. That takes a lot of
> time compared to moving data in the memory. It doesn't take that much
> time to start the encryption process (which can continue while the data
> is streaming to the disk). I'm sure it's more complex than this, but
> that's the idea.
>
> If I want to have the fastest streaming possible, I'll have a
> non-encrypted partition in a convenient spot, say /var/local/cache, but
> I've found that I haven't had a problem without it. I suppose it may be
> important if you're doing streaming video or something, but you'd want a
> separate raid array for that anyway.
>
>> Also, since you have to use mount, which requires root privileges, the
>> above method is not possible for a normal (non-root) user, is it?
>
> These partitions are all mounted on boot. I set up the encrypted
> partitions during the install (Etch). Here's fstab:
> <SNIP>
>
> Thus, it's totally transparent to the normal user. I have to enter the
> pass phrases at boot; I've been too lazy to set it up to only require
> one, so I have to do it three times (one for each encrypted partition)
> (swap doesn't need a passphrase). LUKS is flexible enough that you
> could use a USB key if you like.
>
> Doug.
>
>
Great! Thanks.

--
Please reply to this list only. I read this list on its corresponding
newsgroup on gmane.org. Replies sent to my email address are just
filtered to a folder in my mailbox and get periodically deleted without
ever having been read.
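The leak-path checklist Doug quotes above (/tmp, /var/tmp, /home, swap, core dumps) can be turned into a quick audit. The script below is an added example, not from the thread or from Debian; it checks mount(8) and /proc/swaps text for dm-crypt or tmpfs backing and reads the core dump limit. The *_crypt mapping names follow the thread's output, and the /home line in the sample is constructed since the thread does not show it.

```shell
# Added example, not part of the thread: check the leak paths listed above.
# /tmp, /var/tmp, /home must be on dm-crypt or tmpfs, every swap area on
# dm-crypt, and the core dump limit 0. Functions take text so they can be
# fed captured output; the sample below is constructed from the thread.
SAMPLE_SWAPS='Filename Type Size Used Priority
/dev/mapper/sda2_crypt partition 979956 0 -1'
SAMPLE_MOUNTS='/dev/sda1 on / type ext3 (rw)
/dev/mapper/sdb1_crypt on /var/tmp type ext3 (rw,data=journal)
tmpfs on /tmp type tmpfs (rw,size=500m)
/dev/mapper/sda3_crypt on /home type ext3 (rw)'

# Acceptable backing store: a dm-crypt mapping (Debian names LUKS mappings
# *_crypt) or tmpfs, which lives in RAM and spills only to (checked) swap.
backing_is_safe() {  # $1 = source device or filesystem
    case "$1" in
        /dev/mapper/*_crypt|tmpfs) return 0 ;;
        *) return 1 ;;
    esac
}
# Print the source of a mountpoint from mount(8)-style text, or nothing.
mount_source() {  # $1 = mountpoint, $2 = mount output
    printf '%s\n' "$2" | awk -v mp="$1" '$3 == mp { print $1; exit }'
}
# Return 0 if the mountpoint is present and its backing store is acceptable.
check_mount() {  # $1 = mountpoint, $2 = mount output
    src=$(mount_source "$1" "$2")
    [ -n "$src" ] && backing_is_safe "$src"
}
# Return 0 if every active swap area (header line skipped) is dm-crypt.
check_swaps() {  # $1 = /proc/swaps text
    printf '%s\n' "$1" | awk 'NR > 1 { print $1 }' | while read -r dev; do
        backing_is_safe "$dev" || exit 1   # leaves the pipeline subshell
    done
}
# Report on each leak path. $1 = mount output, $2 = /proc/swaps text.
audit() {
    for mp in /tmp /var/tmp /home; do
        if check_mount "$mp" "$1"; then echo "ok:      $mp on $(mount_source "$mp" "$1")"
        else echo "EXPOSED: $mp is not on dm-crypt or tmpfs"; fi
    done
    if check_swaps "$2"; then echo "ok:      swap"; else echo "EXPOSED: unencrypted swap"; fi
    if [ "$(ulimit -c)" = 0 ]; then echo "ok:      core dumps disabled"
    else echo "EXPOSED: core dumps allowed (ulimit -c is $(ulimit -c))"; fi
}
# Audit the constructed sample; pass --live to audit this machine instead.
if [ "${1:-}" = --live ]; then audit "$(mount)" "$(cat /proc/swaps)"
else audit "$SAMPLE_MOUNTS" "$SAMPLE_SWAPS"; fi
```

Run with --live as the user whose shell limits matter, since ulimit -c is per process and a 0 set in one shell says nothing about the daemons started by init.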