Mounting an encrypted volume presents the volume to all users on a machine
Ric Wheeler
rwheeler at redhat.com
Tue Oct 26 13:52:03 UTC 2010
On 10/26/2010 09:44 AM, Matthew Garrett wrote:
> On Tue, Oct 26, 2010 at 12:28:55AM +0200, nodata wrote:
>
>> What I am concerned about is that the volume is mounted for _every_ user
>> on the system to see.
> Only if the permissions are set that way. chmod 0750 /whatever and it
> won't be.
>
I think that the concern is correct and valid - using encrypted block devices
with a mount time password is quite "weak" for system security in general, it is
just the easiest way to provide basic crypto. Much better suited for laptops
than servers where any root user would be able to peruse the mounted volume's
contents.
There are a host of other ways to do this though - ecryptfs (as Eric Sandeen
mentioned) does finer grained crypto (even though we are not huge fans of
its design) and you can certainly encrypt files individually.
Ric