Am Mi, den 22.09.2004 schrieb Michael Hart um 3:01: > I have a couple of partitioned encrypted with device mapper and the 2.6 > kernel encrypting file system. I may be wrong but i do not think it can > encrypt an entire hard disk but only the individual partitions in the > hard disk. The partition information is still not encrypted. It > appears to be to me (as a mere user) simply an enryption layer > underneath a normal file system. Sure then encryption is based on the existing partitions and not a complete disk. And it is a layer over the normal file system. I do not see a problem with that. > As such I do not think it encrypts the swap partition (which is a > potential security flaw) and I don't know how to get it to encrypt the > boot partition (as the boot image needs to be readable to load then it > needs to be able to decrypt the other file systems). For the swap space there might be a solution. The /boot partition should normally not hold any secret data. I would not bother about it being unencrypted. > In my situation I am not overly concerned about these deficiencies. In > fact I do not want to encrypt the OS incase I need to boot from the > repair disk and fix the OS. Howevert if there are any pointers how to > overcome the deficiencies I would be interested in reading them. Well, the problems when an encrypted system is in damage state you can't prevent. That is what you might call the "costs" of the gained security. > As far as I can tell you need to be superuser to run dm-crypt and mount > the resulting filesystems. This means once this is done the data on > those filesystems is available for all users with sufficient > permissions. This is not what the OP wanted as far as I can interpret. > They want it to only be available for one user and hidden from all > other users. Maybe the OP had something else in mind. Anyway, he threw in the question and then did not discuss any more about it. I do not like such behaviour - wasted time for those who try to answer questions and think the topic was important for the original poster. If you speak about a multi user system with encryption you of course have the issue that users with permissions to log in can access unencrypted content once the system runs. In multi user case you will always have to setup encryption per user. There is no "black box Linux" and I doubt it is technically possible to realize it in a way you might have in mind. Alexander -- Alexander Dalloz | Enger, Germany | GPG key 1024D/ED695653 1999-07-13 Fedora GNU/Linux Core 2 (Tettnang) kernel 2.6.8-1.521smp Serendipity 10:58:18 up 1 day, 13:02, load average: 1.24, 1.10, 1.07
Attachment:
signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil