I'll be setting up a new box for the house and I want to use OpenBSD for
it, both for its security and since it will be an older box it will run
better than with Debian.
Roles:
main firewall for dialup internet access.
fetchmail and sendmail to ISP smarthost
other simple stuff (have another box for insecure stuff like watching
videos, surfing the net with javascript and flash).
We've moved and now our main security threat is physical security. We
don't want the data on the computer (i.e. in the /home directories) to
be readable if someone steals the box.
I'm thinking I could go two routes:
1. encrypt all of /home with an encrypted virtualfs file. However,
then the data is unencrypted whenever the box is powered on.
2. I wonder if there's a way to have per-user home directory
encryption so that the user's directory is accessed/unencrypted/mounted
(whatever the semantics) on login and recrypted/unmounted on logout.
Have swap and /tmp encrypted too. Also, perhaps per-user $TMP
directories if go with plan 2, above.
I think I want root to be able to mount/access the directories so that
the data can be included in a backup set (which is then piped through
openssl for encryption) on a file-by-file basis rather than just backing
up a filesystem image and risking the whole thing if that image becomes
corrupted.
Ideas? What do others do to secure /home? I read on undeadly an idea
of putting the /home filesystem on a removable drive and putting it into
a safe but then you have to have the safe mounted securely.
Doug.
