ecryptfs and password

James McKenzie jjmckenzie51 at gmail.com
Sat May 7 23:40:10 UTC 2011


On 5/7/11 12:54 PM, Bill Davidsen wrote:
> James McKenzie wrote:
>> On 5/1/11 5:18 PM, Bill Davidsen wrote:
>>> Gregory Hosler wrote:
>>>> On 04/25/2011 09:48 AM, Digimer wrote:
>>>>> On 04/24/2011 09:46 PM, ssc1478 wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I'm new to Fedora - been using Ubuntu for years.  I just installed
>>>>>> Fedora 14 to my laptop and selected to encrypt /home.
>>>>>>
>>>>>> When I boot, I have to enter the password for the encrypted directory.
>>>>>> Did I set it up wrong?  I didn't expect to have to enter the password
>>>>>> at boot but instead thought the login password would be enough.
>>>>>>
>>>>>> Thanks!
>>>>>>
>>>>>> Phil
>>>>> It encrypts the partition, so when the system tries to mount /etc/fstab
>>>>> partitions, of which /home is likely one, it requires the password then.
>>>> Alternately, you can set up /etc/crypttab so that the password is not entered
>>>> manually.
>>>>
>>> This adds no security at all from the encryption. The only reason to use
>>> encryption and then build in the pass phrase is to allow you to claim that the
>>> data was encrypted if you lose the machine, therefore giving you legal cover if
>>> the data you lost belongs to customers. I can't decide if that's a sleazy legal
>>> trick to provide cover without the effort to have security, or if it just shows
>>> how little the average user knows about security in the first place.
>> False security is worse than no security at all.  Never store a
>> passphrase on a readable device.  It should be stored in the brain, just
>> like passwords and such.  BTW, this would never pass a security
>> inspection at any of the places I've worked at.
>>
> It satisfies legal requirements to encrypt sensitive data which is all the bean
> counters and lawyers care about. They are not required to actually protect your
> information. :-(
>
Not in the EU.  There are legal requirements to safeguard information,
to include encryption of 'data at rest' and 'data in transit'.  Same for
HIPAA and in the PCI world.  This has gotten several companies in trouble.

James McKenzie
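
As an added illustration (not part of the original thread): the /etc/crypttab setup discussed above names the key source in the third field of each entry, so a short Python audit can list the volumes that unlock without a typed passphrase. The sample entries and the names `classify` and `stored_keys` are constructed for this example; the field layout follows crypttab(5).

```python
import sys

# Constructed sample in crypttab(5) layout: name, device, key file, options.
SAMPLE = """\
# <name>    <device>          <key file>          <options>
luks-home   UUID=0000-sample  none                luks
luks-data   /dev/sda3         /etc/keys/data.key  luks
luks-bak    /dev/sdb1         -                   luks,noauto
luks-old    /dev/sdc1
swap        /dev/sda2         /dev/urandom        swap
"""

PROMPT = {"none", "-"}                     # passphrase is typed at unlock
RANDOM = {"/dev/urandom", "/dev/random"}   # throwaway key, e.g. for swap

def classify(text):
    """Return [(name, kind, key_field)] for each crypttab entry in text."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank lines and comments
        fields = line.split()
        if len(fields) < 2:
            out.append((fields[0], "malformed", ""))
            continue
        # A missing third field means the same as "none": prompt the user.
        key = fields[2] if len(fields) > 2 else "none"
        if key in PROMPT:
            kind = "prompt"
        elif key in RANDOM:
            kind = "random"
        else:
            kind = "stored-key"            # key material read from a file
        out.append((fields[0], kind, key))
    return out

def stored_keys(text):
    """Names of volumes that unlock with no secret supplied by the user."""
    return [name for name, kind, _ in classify(text) if kind == "stored-key"]

if __name__ == "__main__":
    # Pass a path (e.g. /etc/crypttab) to audit a real file; default is SAMPLE.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, kind, key in classify(text):
        print(f"{name:12} {kind:10} {key}")
    sys.exit(1 if stored_keys(text) else 0)
```

Entries reported as `stored-key` are the ones to review: the script cannot tell whether the key file lives on the same disk as the encrypted volume or on separate removable media.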