
RE: Why we need encrypted file systems



On Sun, 2001-12-16 at 11:31, Andrey Smagin wrote:
> > -----Original Message-----
> > From: Dr. Evil
> [snip]
> > but encrypted FS is exactly what is needed for cases when the machine
> > is physically removed. That's easy enough in many cases, especially
> > with laptops, but also with servers.
> 
> It was discussed here already about a month or two ago...
> 
> 
> Encrypted file system means using some sort of a password/key to
> decrypt it. Obviously, we can not keep the key on the same server,
> but we still need to access our data somehow.
> 
> We would have to either manually type the password every time the
> server reboots and that could be a pain in the tail, or make the key
> available over the local network from some other special key-server
> and that's a major pain in the tail.
Arg taken for servers. But what about laptops? I think the first
solution is not a pain for nomads. In that case, we can have two
usernames/passwords, one for the user using the laptop & another one to
allow the user to erase/change his password temporarily in case your
boss forgot the @0)]-(\è7|"é" password :).

> 
> It's cheaper to get a new steel door or pick up some big hungry dog
> from local animal shelter and keep in your machine room...
Right, but again this is for servers or boxes that don't move. I can't
see any handheld PCMCIA sort of big hungry dog for that laptop of mine.

> 
> I don't see much use for encrypted file system, but some people
> might need it for reasons that I am not aware of. In practice, I
> would rather encrypt the actual data instead of the whole file
> system. This way I would still be able to do normal backups.
Though I prefer your approach, I don't see how it can be applied to
emails, for example. Encrypting each sensitive email on a one-by-one basis
using gpg or similar stuff will drive me mad if I receive lots of
sensitive emails. & I can't imagine my boss's behavior in that case :).
Also, if your laptop is stolen & your private key for decrypting the
data is on the disk, then it is just a matter of time before the thief
gets your data.

Conclusion: each approach has its pros & cons & they can serve different
though related purposes. Users should have the choice. But until we have
some rock solid implementation of the encfs, let's stick with gpg now.
This is better than nothing.



-- 
/Saad Kadhi
---------------------------------------------------------------
bsdguy_(_at_)_docisland_(_dot_)_org
pgp keyid: 35592A6D
fingerprint: BF7D D73E 1FCF 4B4F AF63  65EB 34F1 DBBF 3559 2A6D
---------------------------------------------------------------
.sig made with the six^Hvi editor


