Mounting an encrypted volume presents the volume to all users on a machine
Przemek Klosowski
przemek.klosowski at nist.gov
Tue Oct 26 18:18:55 UTC 2010
On 10/25/2010 06:40 PM, nodata wrote:
> On 26/10/10 00:31, Nathanael D. Noblet wrote:
>> On 10/25/2010 04:28 PM, nodata wrote:
>>> Hi,
>>>
>>> I'm concerned about the default behaviour of mounting encrypted volumes.
>>>
>>> The default behaviour is that a user must know and supply a passphrase
>>> in order to mount an encrypted volume. This is good: know the
>>> passphrase, you get to mount the volume.
>>>
>>> What I am concerned about is that the volume is mounted for _every_ user
>>> on the system to see.
>>>
The security role and rationale for the filesystem encryption is to
prevent the access to lost or stolen media, when you can't rely on the
mechanisms existent within the OS. The underlying device encryption
technology is not set up to keep track of who is accessing the data
after it is decrypted and made available to the system, as you correctly
point out.
Such user-differentiated authorization is provided by the filesystem
access rights, ACLs and SELinux attributes. Note that unlike the first
two mechanisms, SELinux can protect the data even for systems with
compromised root---as someone said, SELinux can be configured so that
you can tell people "here's the root password; now break into my computer".
What you are asking for improves security by adding additional depth,
but it requires a fairly intensive redesign and reimplementation of the
device encryption, so it befall on you to provide a good analysis and
justification of the tradeoffs.
More information about the devel
mailing list