Encrypting different directories

Bruno Wolff III bruno at wolff.to
Tue Mar 14 15:31:13 UTC 2006


On Mon, Mar 13, 2006 at 17:05:45 -0500,
  Louis E Garcia II <louisg00 at bellsouth.net> wrote:
> I am concerned about third parties getting their hands on the hard drive.

Then it is probably a better solution to just encrypt the /home partition
and any swap file systems. The admin will need to supply the password
for /home on boot and the swap partitions can get a new random key each
reboot without manual intervention.

Having users do this themselves is going to be a pain and there won't be
any real benefit.

Note that if you lose the password(s) for the /home partition there will
be no good way to get it off the disk. You will want to have the password
stored in a secure place (or two), so that if the admin gets hit by a bus
or the building with the password in it burns down you can recover.

You should probably also be encrypting your backup tapes as similar risks
probably apply to them.

> Is there any documentation on this process? Where would this password be
> stored? And would this be invisible to users? 

You might start looking at: http://www.saout.de/tikiwiki/tiki-index.php
There is going to be some more user friendliness for LUKS and dm-crypt in
FC5, but the kernel support and userland tools like cryptsetup are there
in FC4 (and probably earlier).

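An added example, not part of the original post: a shell check that reads crypttab-style entries and flags any that depart from the layout recommended above (a passphrase supplied at boot for /home, a fresh random key for swap on each boot). The crypttab line format is an assumption, since the post names no configuration file, and the sample entries and device names are constructed.

```shell
#!/bin/sh
# Assumed line format: <name> <device> <key source> <options>

# Constructed sample entries; device names and key paths are placeholders.
sample_crypttab() {
cat <<'EOF'
# name     device     key source          options
home       /dev/sda5  none                luks
cryptswap  /dev/sda3  /dev/urandom        swap
swap2      /dev/sda6  /etc/keys/swap.key  swap
backup     /dev/sdb1  /root/backup.key    luks
data       /dev/sda8  /dev/urandom        cipher=aes-cbc-essiv:sha256
EOF
}

# Reads entries on stdin and prints one verdict line per entry.
audit_crypttab() {
    while read -r name dev key opts; do
        # Skip blank lines and comments.
        case "$name" in ''|'#'*) continue ;; esac
        # Where does the key come from?
        case "$key" in
            /dev/urandom|/dev/random) keykind=random ;;
            none|-)                   keykind=prompt ;;
            *)                        keykind=file ;;
        esac
        # Swap holds nothing that must survive a reboot.
        case ",$opts," in
            *,swap,*) volatile=yes ;;
            *)        volatile=no ;;
        esac
        case "$volatile/$keykind" in
            yes/random) echo "OK   $name ($dev): new random key each boot" ;;
            yes/*)      echo "WARN $name ($dev): swap keeps the same key across reboots" ;;
            no/random)  echo "FAIL $name ($dev): random key on persistent data, unreadable after reboot" ;;
            no/prompt)  echo "OK   $name ($dev): passphrase entered at boot" ;;
            no/file)    echo "WARN $name ($dev): key file $key, confirm it is not stored in clear on the same drive" ;;
        esac
    done
}

# Report for the constructed sample.
sample_crypttab | audit_crypttab
```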