Mounting an encrypted volume presents the volume to all users on a machine

[Przemek Klosowski]

On 10/25/2010 06:40 PM, nodata wrote:
> On 26/10/10 00:31, Nathanael D. Noblet wrote:
>> On 10/25/2010 04:28 PM, nodata wrote:
>>> Hi,
>>>
>>> I'm concerned about the default behaviour of mounting encrypted volumes.
>>>
>>> The default behaviour is that a user must know and supply a passphrase
>>> in order to mount an encrypted volume. This is good: know the
>>> passphrase, you get to mount the volume.
>>>
>>> What I am concerned about is that the volume is mounted for _every_ user
>>> on the system to see.
>>>

The security role and rationale for the filesystem encryption is to 
prevent the access to lost or stolen media, when you can't rely on the 
mechanisms existent within the OS. The underlying device encryption 
technology is not set up to keep track of who is accessing the data 
after it is decrypted and made available to the system, as you correctly 
point out.

Such user-differentiated authorization is provided by the filesystem 
access rights, ACLs and SELinux attributes. Note that unlike the first 
two mechanisms, SELinux can protect the data even for systems with 
compromised root---as someone said, SELinux can be configured so that
you can tell people "here's the root password; now break into my computer".

What you are asking for improves security by adding additional depth, 
but it requires a fairly intensive redesign and reimplementation of the 
device encryption, so it befall on you to provide a good analysis and 
justification of the tradeoffs.