Life on the bleeding edge

Robert Brockway rbrockway-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org
Mon Oct 2 16:08:58 UTC 2006 

On Mon, 2 Oct 2006, Lennart Sorensen wrote:

> Did you encrypt the filesystem?  If not, then they have no need to blow
> away the root partition.  Heck they could just take the disk out, plug
> it into a PC with a 2.5 to 3.5" adapter cable and mount the filesystem
> and grab your files.  Same for windows.  If it's not encrypted, it is
> free for the taking.

Very true.

This part of the thread has been about stopping baddies getting into the 
filesystem.  I'm going to mention the flipside - the danger that the 
legitimate users may loose access to the filesystem if it is encrypted.

Given how often a lot of users forget their passwords I urge users to 
consider the ramificiations before encrypting filesystems.

Remember a PKI passphrase can't be reset 'blind' the way root can reset a 
normal user account password on a Unix system (ie, without knowledge of 
the original password).  I don't know if any of you have seen the look on 
a user's face when you tell them there is no feasible way to "brute force" 
the PKI passphrase after the user has forgotten it - I have[1].

If you do want to use PKI to encrypt important data think long and hard 
before writing down the passphrase.

Other things to consider about encrypted filesystems:

1.  Backups.  Do you keep them encrypted or not.  There are advantages 
both ways.

2.  Legitimate 3rd party access.  If this is a work system it may be 
necessary for a number of people to gain access.  Will the passphrase be 
shared?  This could be true of a home system too.

Just some things to think about.

[1] This was a client system and as I recall and unencrypted backup of the 
data was recovered.

Rob

-- 
Robert Brockway B.Sc.        Phone:          +1-905-821-2327
Senior Technical Consultant  Urgent Support: +1-416-669-3073
OpenTrend Solutions Ltd      Email:          support-wgAaPJgzrDxH4x6Dk/4f9A at public.gmane.org
                              Web:            www.opentrend.net
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists

More information about the Legacy mailing list