encrypted root filesystem

Dagmar d'Surreal dagmar.wants at nospam.com
Mon Feb 23 13:54:22 PST 2004


On Mon, 2004-02-23 at 15:13, Ian Molton wrote:
> On Mon, 23 Feb 2004 16:10:00 -0500
> Robert Connolly <cendres at videotron.ca> wrote:
> 
> > The Encrypted-Root-Filesystem-HOWTO doesn't encrypted the partition table. 
> 
> encrypted filesystems are stupid.

No, they're not.  You should be ashamed of yourself for posting such a
comment.

Now, on the politically incorrect side of things, I will freely admit
that a lot of the people deploying them are just _idiots_ and are doing
so instead of spending money on putting their equiment into a
co-location facility with decent physical security.  However, there are
a lot of places where an encrypted filesystem makes sense because
increasing physical security isn't really possible... 

College dorms are really bad for physical security (among other reasons)
since often there's only a limited number of keys per building, and one
person's key may open more than one room.  If a college student is using
eBay or Paypal or doing their banking online, a stolen computer could
lead to serious problems.  Laptops are a hot item for easy theft, and
it's not always just the hardware that's the reason these get
pinched--industrial espionage actually does happen every day.  (Someone
slipping in to install a keystroke logger while someone else is away
won't be very happy about it if the filesystem is being decrypted at
boot time.)

Some people may wish to keep their diaries on their computer, and they
might (gosh, I can't imagine why) want to keep that private.  Mounting
an encrypted filesystem over loopback in userspace is pretty easy, and
overall a little less effort than repeatedly using gnupg or similar to
encrypt each entry.  

Oppressive political regimes are a _serious_ problems in more parts of
the world than most people realize, and anyone involved in something
their government (or a neighboring government) wouldn't approve of can
make use of an encrypted filesystem to decrease the possibility that
their communications won't be compromised by one person and their
computer getting nabbed.

For that last group in particular, it's good that some people who don't
have a life-threatening need for an efs will be using them, because the
more people that use encrypted filesystems means that there's more
people to notice bugs, and document how they set theirs up so that
others can follow in their footsteps--and just like encrypted mail, the
more of it that goes on, the less the presence of encryption becomes an
automatic indicator of wrongdoing from the viewpoint of the oppressors.
-- 
The email address above is phony because my penis is already large enough, kthx. 
              AIM: evilDagmar  Jabber: evilDagmar at jabber.org




More information about the hlfs-dev mailing list