Fred Smith wrote:
On Fri, Jun 28, 2013 at 05:21:34PM +0200, J.Witvliet(a)mindef.nl
wrote:
> -----Original Message-----
> From: users-bounces(a)lists.fedoraproject.org
[mailto:users-bounces@lists.fedoraproject.org] On Behalf Of Fred Smith
> Sent: Friday, June 28, 2013 3:42 PM
> To: users(a)lists.fedoraproject.org
> Subject: retrofitting LUKS encryption on installed system
>
> I've got a F19 installation that I'd like to turn into a fully encrypted
> system with LUKS.
>
> There are many howtos on the web for encrypting a partition, but they
> all show doing it to /home.
> -----Original Message-----
>
> No, just re-install.
> One partition with /boot and another with an encrypted volume-group, holding /, swap
and the rest.
>
> But before embarking on that trip, do you really need full disk encryption?
> I mean, the content of /usr is on any fedora-cd ;-) And when up-and-running,
everything is unlocked.
>
> The only valid reason I can think about, is that other people have physically access
to your machine and could get root-access by booting from cd/dvd, and might alter your
system.
Well, I have employer VPN information, ssh keys allowing me to ssh into
my own home system, and sometimes customer's VPN (and possibly other)
information on it too, so for all those reasons it has seemed like encrypting
the whole thing would make sense.
Before you move heaven and earth to encrypt everything, is the data small and
all in one directory? Sounds like it, you could use the encfs FUSE module to
have just the one directory encrypted. That has a provision to unmount if the
directory is unused for a time, which addresses "when up-and-running, everything
is unlocked" you mentioned. A few minutes after you give the password, if you
don't use the data it unmounts.
Fred
--
Bill Davidsen <davidsen(a)tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot