Bruno Wolff III wrote:
On Wed, Jan 14, 2009 at 10:31:53 -0700,
Robin Laing <Robin.Laing@xxxxxxxxxxxxxxx> wrote:
Encryption to the level of encrypted home directories isn't being used
yet. I asked them if they had any ideas and we agree that for
incremental backups, a block diff would have to be done. Of course,
depending on the size of the partition, this could take some time. I
don't know.
It's possibly too late for this, but what threat are you trying to counter
by encrypting by home directores?
Encrypting by partition and leaving them mounted all of the time would allow
administrator access for making incremental backups. Most likely your admins
are already trusted, as they could steal the passphrases needed to unlock the
home directories my modifying the program that prompts for passwords or
pulling keys out of memory. So encrypting home directories to prevent their
access shouldn't be needed from a security perspective. There could be
regulatory reasons you might have to do things that way.
If you are trying to protect the users from accidentally letting other users
see their stuff, there are probably other ways to do this without causing
problems for making backups.
It is an array of issues.
As simple as preventing someone from seeing the files indirectly to the
requirement for full encryption beyond just file encryption (PGP or
TrueCrypt).
In some cases, there may be two or even three levels of encryption being
used. Sorry but I cannot go into details than there is a requirement.
There is a chance that laptops can be lost/stolen. I do understand that
in most cases, the drives will be formatted and just sold to run Windows
on but if they are stolen/hacked for other reasons, then layers of
protection need to be in place. It is like having a firewall at the
gateway to the Internet and then having a second firewall on the
computer for a second layer of protection.
In some cases, due to shared work spaces and shared computers (I love
our tight economy) there is also a need for increased levels of
security. At present, our home directories are mounted at login already
on desktops, to allow sharing between work stations so this is part of
the present domain. Encryption is just adding to this.
We could look at a backup routine that only backs up at times that users
are logged into the network but this could hit the network at its
busiest times.
--
Robin Laing
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
