Top-post cause of BB :-(
Private keys (if stored locally), for outgoing traffic, should reside in the users
Passwords should be replaced multi-factor strong auth's: card/token plus PIN.
Any alterations of filesystem beyond /home can be detected+reported.
Full disc encryption on a athom demands some extra patience :-)
----- Oorspronkelijk bericht -----
Van: Bill Davidsen [mailto:email@example.com]
Verzonden: Saturday, June 29, 2013 10:07 PM W. Europe Standard Time
Aan: Community support for Fedora users <users(a)lists.fedoraproject.org>
Onderwerp: Re: retrofitting LUKS encryption on installed system
[mailto:firstname.lastname@example.org] On Behalf Of Fred Smith
Sent: Friday, June 28, 2013 3:42 PM
Subject: retrofitting LUKS encryption on installed system
I've got a F19 installation that I'd like to turn into a fully encrypted
system with LUKS.
There are many howtos on the web for encrypting a partition, but they
all show doing it to /home.
No, just re-install.
One partition with /boot and another with an encrypted volume-group, holding /, swap and
But before embarking on that trip, do you really need full disk encryption?
I mean, the content of /usr is on any fedora-cd ;-) And when up-and-running, everything
The only valid reason I can think about, is that other people have physically access to
your machine and could get root-access by booting from cd/dvd, and might alter your
If they have secret access they can install evil devices, but if you are
protecting against theft (laptops) or someone with a search warrant (NSA) comes
and takes your drives.
It surely works, but at a performance price. And the certainty that
you have to enter the LUKS-key each time you boot.
The only safe place to store password info is in your head. If one other person
has it it's not a secret, so you have to decide if losing the data is worse than
having someone else get it. That's a policy decision, on-technical.
Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de
geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat
aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen
aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's
verbonden aan het electronisch verzenden van berichten.
This message may contain information that is not intended for you. If you are not the
addressee or if this message was sent to you by mistake, you are requested to inform the
sender and delete the message. The State accepts no liability for damage of any kind
resulting from the risks inherent in the electronic transmission of messages.
Bill Davidsen <davidsen(a)tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
users mailing list
To unsubscribe or change subscription options:
Have a question? Ask away: http://ask.fedoraproject.org