On Wed, Oct 29, 2008 at 02:56:53PM -0700, Ted Unangst wrote:
> >I think I want root to be able to mount/access the directories so that
> >the data can be included in a backup set (which is then piped through
> >openssl for encryption) on a file-by-file basis rather than just backing
> >up a filesystem image and risking the whole thing if that image becomes
> >corrupted.
>
> Most of your requests are pretty common and come up frequently enough
> you should be able to find the answers, but this part makes me
> wonder. So how does root have the key? Do you type it in every time
> you do a backup or is there a file called "dontreadthis" in /root?

Let's say the key is in a file. Let's encrypt that file with openssl and
keep it in /root. Whoever runs the backup program is asked for the
passphrase to unlock the file. The backup program then uses that file to
mount the directories to back them up.

> You could maybe do some tricks with cfs but it's a guaranteed shot in
> the foot.
>
> >Ideas? What do others do to secure /home?
>
> I don't let people steal my computers.

Of course there's the risk/benefit/cost analysis. Gun cabinets or safes
bolted to the floor work but are expensive. I could get the same kind of
deterrence if I installed a big rack-mount 12U server full of a dozen
hard drives (think too heavy for one person to steal, assuming that they
recognized it as a computer in the first place). Software encryption is
free.

Doug.
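
The passphrase-wrapped key file described in the reply above, sketched as an added example that is not part of the original thread. It assumes OpenSSL 1.1.1 or later (for `-pbkdf2`) and a text key file; `MAGIC`, `wrap_key`, `unwrap_key` and `with_key` are hypothetical names, and the mount step is left as whatever command reads the key on stdin.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL 1.1.1+ (for -pbkdf2)
# and a text key file. All function and variable names are hypothetical.
MAGIC='WRAPPEDKEYv1'   # constructed marker used to detect a wrong passphrase

# wrap_key <keyfile> <wrapped-out> [pass-source]
# pass-source is an openssl -pass argument (e.g. env:VAR); omit to be prompted.
wrap_key() {
    ( umask 077   # wrapped file is readable by its owner only
      { printf '%s\n' "$MAGIC"; cat "$1"; } |
          openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
              -out "$2" ${3:+-pass "$3"} )
}

# unwrap_key <wrapped> [pass-source]  -> key on stdout, non-zero on failure
unwrap_key() {
    _out=$(openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
               -in "$1" ${2:+-pass "$2"} 2>/dev/null) || return 1
    # CBC is unauthenticated: a wrong passphrase can occasionally pass the
    # padding check, so the marker line must also match.
    [ "$(printf '%s\n' "$_out" | head -n 1)" = "$MAGIC" ] || return 1
    printf '%s\n' "$_out" | tail -n +2
}

# with_key <wrapped> <pass-source-or-""> <command...>
# Runs the command with the unlocked key on stdin, so the plaintext key
# is never written back to disk.
with_key() {
    _w=$1; _p=$2; shift 2
    _k=$(unwrap_key "$_w" "$_p") || { echo "unlock failed" >&2; return 1; }
    printf '%s\n' "$_k" | "$@"
}
```

The marker only catches a wrong passphrase; it is not an integrity check against tampering with the wrapped file.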