Re: setting up partition before cryptsetup

2006-07-20 Thread Dave Patterson
* Dave Patterson [EMAIL PROTECTED] [2006-07-19 21:31:19 +0700]:

 
> A how-to here:
>
> http://www.debianhelp.org/node/1074
 
Has been changed to:

http://www.debianhelp.org/node/1116


-- 
Cheers,

  Dave 




Re: setting up partition before cryptsetup

2006-07-19 Thread Dave Patterson
* [EMAIL PROTECTED] [EMAIL PROTECTED] [2006-07-19 12:02:42 -]:

> Do I need to make an extra, unused partition when I install Debian on
> a new computer, before I try to use cryptsetup to add an encrypted
> filesystem?
 
It depends on how you want to do this.  If you want a completely encrypted
filesystem with swap, yes.

A how-to here:

http://www.debianhelp.org/node/1074

This one takes GRUB completely off the hard drive, and you boot Debian with
a USB key.  Modify it according to your tastes.

-- 
Cheers,

  Dave 




Re: setting up partition before cryptsetup

2006-07-19 Thread Digby Tarvin
On Wed, Jul 19, 2006 at 09:31:19PM +0700, Dave Patterson wrote:
> * [EMAIL PROTECTED] [EMAIL PROTECTED] [2006-07-19 12:02:42 -]:
>
> > Do I need to make an extra, unused partition when I install Debian on
> > a new computer, before I try to use cryptsetup to add an encrypted
> > filesystem?
>
> It depends on how you want to do this.  If you want a completely encrypted
> filesystem with swap, yes.
>
> A how-to here:
>
> http://www.debianhelp.org/node/1074
>
> This one takes GRUB completely off the hard drive, and you boot Debian with
> a USB key.  Modify it according to your tastes.

As far as I know, the Debian procedure requires encryption of whole
filesystems. It is up to you how many of your partitions are
encrypted. If you don't have at least one unencrypted filesystem
on the disk then you will of course need some removable media to
boot off.

The /etc/crypttab file contains the list of encrypted filesystems 
to be configured (by default during boot) resulting in a new
device with the unencrypted partition, which can then be mounted
via an entry in /etc/fstab. 

In my opinion it is more secure to keep confidential data in a
dedicated encrypted partition which is only initialised and mounted
when really needed. If you are really paranoid, you can remove your
network connection whenever the secret data is mounted.

If you have the entire system encrypted and mount everything at boot,
then your data is only safe when the computer is turned off. A hacker
who gains root has everything...

If you don't want to encrypt entire partitions, then look at CFS,
which uses loopback NFS hooks to create personal encrypted file trees
on a per user basis. Users can create their own encrypted directories
without needing root access once it is installed.

Regards,
DigbyT
-- 
Digby R. S. Tarvin  digbyt(at)digbyt.com
http://www.digbyt.com


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] 
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Re: setting up partition before cryptsetup

2006-07-19 Thread Dave Patterson
* Digby Tarvin [EMAIL PROTECTED] [2006-07-19 15:58:19 +0100]:

 
> In my opinion it is more secure to keep confidential data in a
> dedicated encrypted partition which is only initialised and mounted
> when really needed. If you are really paranoid, you can remove your
> network connection whenever the secret data is mounted.
>
> If you have the entire system encrypted and mount everything at boot,
> then your data is only safe when the computer is turned off. A hacker
> who gains root has everything...

The flipside to that is the cracker that searches journals on journalled
filesystems for sensitive data (keys for encrypted partitions, even the
sensitive document itself).

A healthy dose of paranoia is in order here.  Look at how you plan to
manage your encrypted data.

-- 
Cheers,

  Dave 




Re: setting up partition before cryptsetup

2006-07-19 Thread Digby Tarvin
On Wed, Jul 19, 2006 at 11:17:33PM +0700, Dave Patterson wrote:
> * Digby Tarvin [EMAIL PROTECTED] [2006-07-19 15:58:19 +0100]:
>
> > In my opinion it is more secure to keep confidential data in a
> > dedicated encrypted partition which is only initialised and mounted
> > when really needed. If you are really paranoid, you can remove your
> > network connection whenever the secret data is mounted.
> >
> > If you have the entire system encrypted and mount everything at boot,
> > then your data is only safe when the computer is turned off. A hacker
> > who gains root has everything...
>
> The flipside to that is the cracker that searches journals on journalled
> filesystems for sensitive data (keys for encrypted partitions, even the
> sensitive document itself).
>
> A healthy dose of paranoia is in order here.  Look at how you plan to
> manage your encrypted data.

I'm not sure that I see how any of the sensitive data would find its way
into the journal of an unencrypted filesystem? Unless of course
anyone were silly enough to copy stuff there...

Two extra caveats I neglected to mention are:
1. I create 'secure' users with home directories in the secure home
partition. When I access secure data, I mount the partition and
then have to log in as my secure alter-ego. This is very important
to ensure that your browser caches etc are also encrypted.

The secure users shouldn't have write access to any unencrypted
filesystem, including /tmp, to prevent inadvertent data compromise.

I use a swap backed memory based filesystem for /tmp - ramfs or tmpfs,
I can never remember which is which :-/

2. If the data is very sensitive, either encrypt your swap partition
or disable it when the secure partition is mounted.

Regards,
DigbyT
-- 
Digby R. S. Tarvin  digbyt(at)digbyt.com
http://www.digbyt.com
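
An added example, not part of any message in this thread: a check of the /etc/crypttab and /etc/fstab pairing described earlier against the two caveats above (secure home on a mapped device, /tmp off the plain disk, no unencrypted swap). The device names, the /home/secure mount point, the function names and both sample files are constructed for illustration; of the two memory filesystems, tmpfs is the one whose pages can be written to swap, which is why plain swap is still reported when /tmp is on tmpfs.

```shell
#!/bin/sh
# Added example, not from the thread. All file contents below are constructed.

# classify_fstab CRYPTTAB FSTAB -> one "<mountpoint> <kind>" line per fstab entry
#   encrypted: device is /dev/mapper/<target> for a <target> named in crypttab
#   tmpfs:     memory filesystem whose pages can be written to swap
#   plain:     anything else (pseudo filesystems such as proc are not special-cased)
classify_fstab() {
  awk '
    /^[ \t]*(#|$)/ { next }                          # skip comments and blank lines
    FILENAME == ARGV[1] { mapped["/dev/mapper/" $1] = 1; next }   # crypttab targets
    {
      mnt = ($3 == "swap") ? "swap" : $2
      if ($1 in mapped)        kind = "encrypted"
      else if ($3 == "tmpfs")  kind = "tmpfs"
      else                     kind = "plain"
      print mnt, kind
    }' "$1" "$2"
}

# audit_secure_setup CRYPTTAB FSTAB SECURE_HOME -> space-separated findings
# (empty output means all three checks passed)
audit_secure_setup() {
  classes=$(classify_fstab "$1" "$2")
  findings=""
  printf '%s\n' "$classes" | grep -qxF "$3 encrypted" ||
    findings="home-not-encrypted"
  printf '%s\n' "$classes" | grep -qxE '/tmp (tmpfs|encrypted)' ||
    findings="${findings:+$findings }tmp-on-disk"
  # Unencrypted swap can receive pages from tmpfs and from any process.
  if printf '%s\n' "$classes" | grep -qxF "swap plain"; then
    findings="${findings:+$findings }plain-swap"
  fi
  printf '%s\n' "$findings"
}

demo_dir=$(mktemp -d)
cat > "$demo_dir/crypttab" <<'EOF'
# <target>  <source>   <key file>  <options>
securehome  /dev/sda6  none        luks,noauto
EOF
cat > "$demo_dir/fstab" <<'EOF'
/dev/sda1               /             ext3   defaults  0 1
/dev/mapper/securehome  /home/secure  ext3   noauto    0 0
tmpfs                   /tmp          tmpfs  defaults  0 0
/dev/sda5               none          swap   sw        0 0
EOF
classify_fstab "$demo_dir/crypttab" "$demo_dir/fstab"
echo "findings: $(audit_secure_setup "$demo_dir/crypttab" "$demo_dir/fstab" /home/secure)"
```

Adding a crypttab line such as `cswap /dev/sda5 /dev/urandom swap` and pointing the fstab swap entry at /dev/mapper/cswap clears the remaining finding.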

