Top-post cause of BB :-(
Private keys (if stored locally), for outgoing traffic, should reside in the 
user's home dir.
Passwords should be replaced by multi-factor strong auth: card/token plus PIN.
Any alterations of the filesystem beyond /home can be detected and reported.

Full disc encryption on a athom demands some extra patience :-)


----- Original message -----
From: Bill Davidsen [mailto:david...@tmr.com]
Sent: Saturday, June 29, 2013 10:07 PM W. Europe Standard Time
To: Community support for Fedora users <users@lists.fedoraproject.org>
Subject: Re: retrofitting LUKS encryption on installed system

j.witvl...@mindef.nl wrote:
> -----Original Message-----
> From: users-boun...@lists.fedoraproject.org 
> [mailto:users-boun...@lists.fedoraproject.org] On Behalf Of Fred Smith
> Sent: Friday, June 28, 2013 3:42 PM
> To: users@lists.fedoraproject.org
> Subject: retrofitting LUKS encryption on installed system
>
> I've got a F19 installation that I'd like to turn into a fully encrypted
> system with LUKS.
>
> There are many howtos on the web for encrypting a partition, but they
> all show doing it to /home.
> -----Original Message-----
>
> No, just re-install.
> One partition with /boot and another with an encrypted volume-group, holding 
> /, swap and the rest.
>
> But before embarking on that trip, do you really need full disk encryption?
> I mean, the content of /usr is on any fedora-cd ;-) And when up-and-running, 
> everything is unlocked.
>
> The only valid reason I can think of is that other people have physical 
> access to your machine and could get root access by booting from CD/DVD, and 
> might alter your system.
>
If they have secret access they can install evil devices, but if you are 
protecting against theft (laptops) or someone with a search warrant (NSA) comes 
and takes your drives.

> It surely works, but at a performance price. And the certainty that you have 
> to enter the LUKS-key each time you boot.
>
The only safe place to store password info is in your head. If one other person 
has it, it's not a secret, so you have to decide if losing the data is worse than 
having someone else get it. That's a policy decision, non-technical.
> ______________________________________________________________________
> This message may contain information that is not intended for you. If you are 
> not the addressee or if this message was sent to you by mistake, you are 
> requested to inform the sender and delete the message. The State accepts no 
> liability for damage of any kind resulting from the risks inherent in the 
> electronic transmission of messages.
>


-- 
Bill Davidsen <david...@tmr.com>
   "We have more to fear from the bungling of the incompetent than from
the machinations of the wicked."  - from Slashdot
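Added example, not code from anyone in this thread: a POSIX sh check that an installed system actually has the layout proposed above, an unencrypted /boot with /, swap and /home inside a LUKS-backed volume group. It reads "NAME TYPE MOUNTPOINT PKNAME" lines derived from `lsblk` (a "-" marks an empty field); the two sample layouts are constructed.

```shell
#!/bin/sh
# Verify the "/boot outside, everything else inside LUKS" layout.
# Input lines: NAME TYPE MOUNTPOINT PKNAME, "-" for an empty field, e.g. from
#   lsblk -Pno NAME,TYPE,MOUNTPOINT,PKNAME | sed 's/=""/="-"/g; s/[A-Z]*="\([^"]*\)"/\1/g'
# For every mounted filesystem (and swap) the parent chain is walked; an
# ancestor of TYPE "crypt" means the data sits on dm-crypt. Returns 0 only if
# /boot is NOT encrypted and every other mountpoint IS.
check_layout() {
    awk '
    { type[$1] = $2; mnt[$1] = $3; parent[$1] = $4 }
    END {
        bad = 0
        for (n in mnt) {
            if (mnt[n] == "-") continue            # not mounted, not swap
            enc = 0
            for (p = n; p != "-" && p != ""; p = parent[p])
                if (type[p] == "crypt") enc = 1
            want = (mnt[n] == "/boot") ? 0 : 1    # only /boot may stay in clear
            status = (enc == want) ? "ok" : "WRONG"
            printf "%-8s %-12s encrypted=%d %s\n", mnt[n], n, enc, status
            if (enc != want) bad = 1
        }
        exit bad
    }'
}

# Constructed sample: the layout recommended in the thread.
GOOD_LAYOUT='sda disk - -
sda1 part /boot sda
sda2 part - sda
luks-x crypt - sda2
fedora-root lvm / luks-x
fedora-swap lvm [SWAP] luks-x
fedora-home lvm /home luks-x'

# Constructed sample: only /home was encrypted, / is still in the clear.
BAD_LAYOUT='sda disk - -
sda1 part /boot sda
sda2 part / sda
sda3 part - sda
luks-y crypt - sda3
fedora-home lvm /home luks-y'

# Demo; the exit statuses are consumed by if/else so this is safe under set -e.
if printf '%s\n' "$GOOD_LAYOUT" | check_layout; then echo "good layout accepted"; fi
if printf '%s\n' "$BAD_LAYOUT" | check_layout; then :; else echo "bad layout rejected"; fi
```

On a live box replace the sample with the `lsblk` pipeline from the comment; the "WRONG" rows are the filesystems that would remain readable to anyone booting the machine from other media.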
-- 
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org