retrofitting LUKS encryption on installed system
J.Witvliet at mindef.nl
J.Witvliet at mindef.nl
Sun Jun 30 13:03:46 UTC 2013
Top-post cause of BB :-(
Private keys (if stored locally), for outgoing traffic, should reside in the users home-dir.
Passwords should be replaced multi-factor strong auth's: card/token plus PIN.
Any alterations of filesystem beyond /home can be detected+reported.
Full disc encryption on a athom demands some extra patience :-)
----- Oorspronkelijk bericht -----
Van: Bill Davidsen [mailto:davidsen at tmr.com]
Verzonden: Saturday, June 29, 2013 10:07 PM W. Europe Standard Time
Aan: Community support for Fedora users <users at lists.fedoraproject.org>
Onderwerp: Re: retrofitting LUKS encryption on installed system
J.Witvliet at mindef.nl wrote:
> -----Original Message-----
> From: users-bounces at lists.fedoraproject.org [mailto:users-bounces at lists.fedoraproject.org] On Behalf Of Fred Smith
> Sent: Friday, June 28, 2013 3:42 PM
> To: users at lists.fedoraproject.org
> Subject: retrofitting LUKS encryption on installed system
>
> I've got a F19 installation that I'd like to turn into a fully encrypted
> system with LUKS.
>
> There are many howtos on the web for encrypting a partition, but they
> all show doing it to /home.
> -----Original Message-----
>
> No, just re-install.
> One partition with /boot and another with an encrypted volume-group, holding /, swap and the rest.
>
> But before embarking on that trip, do you really need full disk encryption?
> I mean, the content of /usr is on any fedora-cd ;-) And when up-and-running, everything is unlocked.
>
> The only valid reason I can think about, is that other people have physically access to your machine and could get root-access by booting from cd/dvd, and might alter your system.
>
If they have secret access they can install evil devices, but if you are
protecting against theft (laptops) or someone with a search warrant (NSA) comes
and takes your drives.
> It surely works, but at a performance price. And the certainty that you have to enter the LUKS-key each time you boot.
>
The only safe place to store password info is in your head. If one other person
has it it's not a secret, so you have to decide if losing the data is worse than
having someone else get it. That's a policy decision, on-technical.
> ______________________________________________________________________
> Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het electronisch verzenden van berichten.
>
> This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
>
--
Bill Davidsen <davidsen at tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
--
users mailing list
users at lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
More information about the users
mailing list