Hello,

On Thursday, 16 November 2006 20:21, Hans Witvliet wrote:
> It's been a while ago since I experimented with crypto (beginning
> 10.1 ;-)
> But from what I recollect...
> 1) Using the general partitioner with YaST results in a partition
> that gets mounted at startup. Works well, but the partition gets
> mounted always.

It should be possible to mark it as "mount by user" and/or "noauto" in
YaST. (However, I never tried that.)

> 2) Some people (not me) want to encrypt EVERYTHING, including swap
> and root. AFAIK, that is still not possible.

It is possible - with the exception of /boot.
http://tldp.org/HOWTO/Encrypted-Root-Filesystem-HOWTO/

> Perhaps it should be pointed out that it is both a) irrelevant and
> b) counterproductive.
> a) 90% of the hard disk is open source and generally available

Well, encrypting _everything_ is really something that you need very
rarely. However, it's important that you encrypt /tmp and (large parts
of) /var because sooner or later your data "leaks out" to a tempfile
or alike...

Encrypted swap is also a good thing from the security point of view
(you never know which of your data gets swapped out) - unfortunately
it doesn't work with suspend2disk AFAIK.

> b) Encrypting costs CPU cycles, so the hard disk will be slowed down.

Of course, but with today's CPUs I consider this a minor problem.
Usually the hard disk performance is the limiting factor, not the CPU.

> 3) The best solution (IMHO) is to have for each individual user a
> separate container, which gets mounted on his home directory after
> login (pam_mount)
>
> 4) For the paranoid, have also /var/spool/mail and swap encrypted.
> Nothing else is worthwhile.

As already said: /tmp and parts of /var (like /var/tmp, /var/lib/mysql,
...) can also contain sensitive data. A simple example: click any
attachment in KMail - it will be saved to /tmp/kde-$user/...
temporarily.

My paranoia level ;-) is: I have symlinked most of /var to my encrypted
partition - except for /var/log, /var/lock and /var/run, which would
need some more tuning. See
https://bugzilla.novell.com/show_bug.cgi?id=140226 for details.

> 5) For the super-paranoid, encrypt with the key from a smartcard. ;-)

Regards,

Christian Boltz
-- 
"Have you heard? A bug in Netscape Navigator lets anyone read your hard
disk over the Internet."
- "I know, that's why I'm sticking with Netscape - if it were a
Microsoft bug, everyone would be allowed to write to my hard disk as
well..."
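As an added example (not part of the mail above, and not openSUSE, YaST or pam_mount code), here is a small POSIX shell audit of the point Christian makes: the places data leaks to (/tmp, /var/tmp, /var/lib/mysql, /var/spool/mail, and swap) must actually sit on a dm-crypt mapping, not just $HOME. It reads a mount table in /proc/mounts format and a swap table in /proc/swaps format and reports, for each sensitive path, the backing device of the longest matching mount point and whether that device is a device-mapper device. The list of paths, the sample tables and the cr_tmp/cr_home mapping names are constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the mail above: audit whether the mount points the
# thread calls sensitive are backed by a device-mapper (/dev/mapper or /dev/dm-)
# device, i.e. plausibly dm-crypt. Input is text in /proc/mounts and /proc/swaps
# format, so it runs offline on the constructed samples below.

# Paths the mail singles out as leaking sensitive data (an assumed list).
SENSITIVE_PATHS="/tmp /var/tmp /var/spool/mail /var/lib/mysql /home"

# Constructed sample tables: /tmp and /home are on dm-crypt mappings named
# cr_tmp and cr_home (assumed names), /var lives on the plain root filesystem,
# and swap is a plain partition.
SAMPLE_MOUNTS='/dev/sda2 / ext3 rw 0 0
/dev/sda1 /boot ext3 rw 0 0
/dev/mapper/cr_home /home ext3 rw 0 0
/dev/mapper/cr_tmp /tmp ext3 rw 0 0
proc /proc proc rw 0 0'
SAMPLE_SWAPS='Filename Type Size Used Priority
/dev/sda3 partition 1048572 0 -1'

# audit_mounts MOUNTS SWAPS
# Prints one line per sensitive path, "<path> <device> encrypted|PLAIN", using
# the longest mount point that is a prefix of the path (the mount a file under
# that path would really land on), then one "swap <device> ..." line per swap.
audit_mounts() {
    printf '%s\n' "$1" | awk -v paths="$SENSITIVE_PATHS" '
    { mp[$2] = $1 }                       # mount point -> backing device
    END {
        n = split(paths, p, " ")
        for (i = 1; i <= n; i++) {
            best = ""; dev = "?"
            for (m in mp) {
                # m covers p[i] if it is "/", equal to it, or a parent dir
                if (m == "/" || m == p[i] || index(p[i], m "/") == 1) {
                    if (length(m) > length(best)) { best = m; dev = mp[m] }
                }
            }
            state = (dev ~ "^/dev/(mapper/|dm-)") ? "encrypted" : "PLAIN"
            if (best == "") state = "unmounted"
            printf "%s %s %s\n", p[i], dev, state
        }
    }'
    # /proc/swaps has a header line; the swap device is column 1
    printf '%s\n' "$2" | awk 'NR > 1 {
        state = ($1 ~ "^/dev/(mapper/|dm-)") ? "encrypted" : "PLAIN"
        printf "swap %s %s\n", $1, state
    }'
}

# count_plain MOUNTS SWAPS: number of sensitive locations not on a dm device
count_plain() {
    audit_mounts "$1" "$2" | awk '/ PLAIN$/ { n++ } END { print n + 0 }'
}

# Demo on the constructed samples. On a live system use:
#   audit_mounts "$(cat /proc/mounts)" "$(cat /proc/swaps)"
audit_mounts "$SAMPLE_MOUNTS" "$SAMPLE_SWAPS"
echo "unencrypted sensitive locations: $(count_plain "$SAMPLE_MOUNTS" "$SAMPLE_SWAPS")"
```

Two caveats when running this for real. First, the check keys on the path as written, so for the symlink approach from the mail (most of /var pointing into the encrypted partition) resolve each path with `readlink -f` before looking it up, otherwise /var/tmp is reported against the root filesystem even though its target is encrypted. Second, /dev/mapper also holds plain LVM volumes, so "encrypted" here only means "on device-mapper"; to confirm an actual crypt target, check `cryptsetup status <name>` or look for the `crypt` target type in `dmsetup table`.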
