Life on the bleeding edge
Robert Brockway
rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org
Mon Oct 2 16:08:58 UTC 2006
On Mon, 2 Oct 2006, Lennart Sorensen wrote:
> Did you encrypt the filesystem? If not, then they have no need to blow
> away the root partition. Heck they could just take the disk out, plug
> it into a PC with a 2.5 to 3.5" adapter cable and mount the filesystem
> and grab your files. Same for Windows. If it's not encrypted, it is
> free for the taking.
Very true.
This part of the thread has been about stopping baddies getting into the
filesystem. I'm going to mention the flipside - the danger that the
legitimate users may lose access to the filesystem if it is encrypted.
Given how often a lot of users forget their passwords I urge users to
consider the ramifications before encrypting filesystems.
Remember a PKI passphrase can't be reset 'blind' the way root can reset a
normal user account password on a Unix system (i.e., without knowledge of
the original password). I don't know if any of you have seen the look on
a user's face when you tell them there is no feasible way to "brute force"
the PKI passphrase after the user has forgotten it - I have[1].
If you do want to use PKI to encrypt important data think long and hard
before writing down the passphrase.
Other things to consider about encrypted filesystems:
1. Backups. Do you keep them encrypted or not? There are advantages
both ways.
2. Legitimate 3rd party access. If this is a work system it may be
necessary for a number of people to gain access. Will the passphrase be
shared? This could be true of a home system too.
Just some things to think about.
[1] This was a client system and as I recall an unencrypted backup of the
data was recovered.
Rob
--
Robert Brockway B.Sc. Phone: +1-905-821-2327
Senior Technical Consultant Urgent Support: +1-416-669-3073
OpenTrend Solutions Ltd Email: support-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org
Web: www.opentrend.net
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists