Mike Noyes wrote: > Everyone, > Do we gain anything by encrypting the device leaf is installed on? > > Example: kernel 2.6 on usb-hdd flash drive encrypted with > cryptsetup or dm-crypt. > >
Its actually something that could be useful. In some situations it can be hard/impossible to physically secure the computer good enough. When the OS (and the passwords) are all stored on a floppy, it is relatively easy to remove the floppy, make a copy of it at home and reinsert it again without anyone noticing anything. Then you have time to decrypt the passwords at home (until next time the password is changed) If the device where /etc/passwd or /etc/shadow is encrypted, its harder doing things like that. (I have actually seen homemade installers that create a file with the default password in clear text on the floppy...) But the OS and software itself is available on internet so there is generally no need to encrypt that. Other things that probably is more interesting is when you have a data disk connected to your box and run some kind of service (samba/nfs/ldab/sql/torrent/whatever) where the data is encrypted. Run The OS from USB and have only your data storage on disk, encrypted with dm-crypt. When the police/dictator government/employer/parents/<enter your favorite fear here> comes running into your house, you just grab your usb stick, unplug the power to the server (please remeber to unplug the correct cable if you use UPS) and jump out of the window (or eat your cyanid pill - but them please remeber to destroy the USB stick *before* you take the pill). When they examine the disk(s) afterwards it pretty difficult to find out what was on the disk or if there were anything at all. But that kind of things is normally not for normal people. :-) > Just something I've been thinking about since I started mentioning 2.6 > and usb-hdd. I'm probably off on a useless tangent again. :-( > Its important that people can feel free to through out new ideas, even if not all are good. Using dm-crypt (or other dm-devices) is actually an interesting topic. I have been thinking of file/web/database/DNS servers where the OS is booted from cdrom or usb into ram (LEAF style) and with a data disk mounted for the data. This has a few interesting benefits: you prefetch all the services to RAM = super fast reponse times. (you might need more RAM but with tmpfs its not much space wasted) Easy to install. If you need to move to another hardware, just unplug the usb/cdrom and put it in new hardware and you are more or less up and running again. Of course there are interesting combinations with dm-crypt and stuff like that, like mentioned above. However, I believe that falls outside the scope of uclibc-bering - with good reasons. More realistic interesting things with 2.6 kernel is the new ipsec stack. http://www.shorewall.net/IPSEC-2.6.html -- Natanael Copa ------------------------------------------------------- This SF.Net email is sponsored by xPML, a groundbreaking scripting language that extends applications into web and mobile media. Attend the live webcast and join the prime developer group breaking into this new coding territory! http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642 _______________________________________________ leaf-devel mailing list leaf-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/leaf-devel