encrypted root filesystem

Ryan.Oliver at pha.com.au Ryan.Oliver at pha.com.au
Mon Feb 23 16:59:28 PST 2004






I agree with encrypted filesystems, but honestly encrypting the root
filesystem is horribly unwieldly.

Data should be encrypted, it isn't necessary to encrypt standard
system binaries, libraries et al.

In fact you could argue that (as appears to have been argued already)
by encrypting these known files you are supplying a crib if you are
using a known distro of a known patch level.
(for us it would be a hell of a lot harder due to everyone compiling
from scratch)

The speed tradeoff of an encrypted root is *significant* .

Encryption is best placed where it is needed, say home dirs,
protected system areas for admin/devel tools you don't want lying
around (c-compilers, linkers et al + system include dirs), data
partitions (even database partitions if you can handle the IO slowdown, if
not application level encryption would be preferred).

This saves a hell of a lot of IO overhead, while protecting your
sensitive material. Best of both worlds.

[R]




More information about the hlfs-dev mailing list