Encryption, paranoia and virtual machines

Alex Volkov avolkov-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org
Fri Nov 25 17:13:31 UTC 2011


There are two things I can think of that are going for encrypting on guest:

* Performance: The less you encrypt, the less you decrypt, the more
performance you get.

* Ease of use: While encrypting volumes under a guest is easy -- you just
set some options during the install that are no different than those
during installation on a physical host -- I have no idea how you encrypt a
physical volume on the host and then install a guest on it, in the sense of how
virtualization and encryption software will play together.

* You don't need to keep files in /bin secret; all you need is to
verify that they were downloaded from your vendor and weren't tampered
with. There's a security term describing this situation:
confidentiality vs. integrity? Every major distribution has tools for
checking that.


On Fri, Nov 25, 2011 at 11:57 AM, Neil Watson
<tlug-neil-8agRmHhQ+n2CxnSzwYWP7Q at public.gmane.org> wrote:
> On Fri, Nov 25, 2011 at 11:42:16AM -0500, Alex Volkov wrote:
>>
>> If you host the machine then there is definitely value in installing
>> them using encryption, and I'd do the same thing as Digimier said:
>> create logical volumes on the physical host for guest machines, which are
>> seen as a whole disk, and then install LVM on the guest machine and encrypt
>> only volumes containing private data; no point encrypting the root fs.
>
> Some interesting questions come from this paragraph.  What are the pros
> and cons of encrypting the raw volume at the host level versus
> encrypting on guest? On encrypting root fs, one might argue that with
> physical access one could replace a binary in /bin if it were not
> encrypted.
>
> --
> Neil Watson
> Linux/UNIX Consultant
> http://watson-wilson.ca
> --
> The Toronto Linux Users Group.      Meetings: http://gtalug.org/
> TLUG requests: Linux topics, No HTML, wrap text below 80 columns
> How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
>
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
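The third bullet above makes the point that /bin needs integrity, not confidentiality: compare the installed files against a vendor-supplied digest manifest. The script below is an added example, not code from the list thread or from any distribution's tooling; it models the manifest on the `<digest>  <path>` lines that `sha256sum` emits and `sha256sum -c` reads, and builds a constructed fake root with one intact, one modified and one missing binary. It assumes the manifest itself comes from a trusted source (for example, a signed package database), otherwise a tampered manifest would hide a tampered binary.

```python
import hashlib
import os
import tempfile


def parse_manifest(text):
    """Return {relative_path: expected_sha256} from sha256sum-style lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, path = line.partition("  ")  # two spaces, as sha256sum prints
        entries[path.strip()] = digest.lower()
    return entries


def file_sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tree(root, manifest):
    """Check every manifest entry under root; classify as ok, modified or missing."""
    result = {"ok": [], "modified": [], "missing": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif file_sha256(full) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo():
    """Constructed scenario: bin/ls intact, bin/cat replaced, bin/sh removed."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    shipped = {"bin/ls": b"vendor ls", "bin/cat": b"vendor cat", "bin/sh": b"vendor sh"}
    # The manifest records what the vendor shipped (trusted input, by assumption).
    manifest = "\n".join(f"{hashlib.sha256(d).hexdigest()}  {p}" for p, d in shipped.items())
    with open(os.path.join(root, "bin/ls"), "wb") as f:
        f.write(shipped["bin/ls"])
    with open(os.path.join(root, "bin/cat"), "wb") as f:
        f.write(b"replaced cat")  # simulated on-disk tampering
    return verify_tree(root, parse_manifest(manifest))


if __name__ == "__main__":
    print(demo())
```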
