[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: ssh clarification needed
I have luks encryption on /home on the netbook - which is what I'm really 
thinking about.  
  

 Oh good ...
  
and then bind mount /tmp and /var/tmp out of /home/tmp
/home/var/tmp. 
    

I don't understand that bit, I'm afraid.
  

   Lots of programs use /tmp or /var/tmp and leave temporary files in there which may contain sensitive information - so if / is not encrypted it's good to have those directories not be in / but rather in the encrypted partition (/home). By bind mounting /home/tmp over /tmp you are now using a /tmp which is encrypted as well. Otherwise, when the bad guy steals the laptop, he looks in /tmp and /var/tmp for anything interesting.

It takes a government department to lose laptops with unencrypted confidential 
information :-)
  

   ;-)

  
Again, I assumed that it was not possible for an intruder to get as far as 
swap.  If I'm wrong, how can that be encrypted after an install?
  

   If the laptop is stolen and swap is not encrypted then the bad guys can read your swap partition and troll for sensitive data. Your choice on the risk factor here .. and of course the more memory your laptop has, the fewer pages will be paged out to swap. Unless you hibernate, in which case swap may well have more.

   It is straightforward using luks directly; however, I will leave the answer to this for the approved F10 way to those better versed in F10 and encrypted swap - mike.cloaked? You can do it with a passphrase or use a random passphrase - I will show my hand with the random passphrase way below.

   By hand it would be something like this - let me assume for this your swap partition is /dev/sda7


       # turn off swap
       swapoff -a

       # randomize what's there (skip if just testing) - this takes a long time;
       # dd stops with "No space left on device" when it reaches the end, which is expected
       dd if=/dev/urandom of=/dev/sda7 bs=1M

       # set it up as encrypted swap, keyed from /dev/urandom (a fresh random key)
       cryptsetup -d /dev/urandom create cswap /dev/sda7

       # make the swap device (/dev/mapper/cswap) and use it. You can use any name; I chose cswap
       mkswap /dev/mapper/cswap
       swapon /dev/mapper/cswap

       # making it work at boot time
       # create the file /etc/crypttab with this in it (fields: name, device, key, options)
       # cat /etc/crypttab
       cswap  /dev/sda7 /dev/urandom swap

       # change your /etc/fstab - comment out the existing swap line and replace it with
       /dev/mapper/cswap none swap defaults 0 0

Anne
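The two fixes discussed in this thread (bind mounting /tmp and /var/tmp out of the encrypted /home, and putting swap on a dm-crypt device keyed from /dev/urandom) are easy to get half right, so here is an audit script that checks whether a laptop actually ended up in that state. It is an added example, not code from the original mail or from Fedora; it reads the standard /proc/mounts, /proc/swaps and /etc/crypttab formats, and the tables embedded below are constructed samples (device names /dev/sda5, /dev/sda6, /dev/sda7 and the mapping names home and cswap are assumptions taken from the setup above).

```shell
#!/bin/sh
# Added example, not from the thread: audit whether scratch directories and
# swap live on encrypted storage. Functions take the table text as arguments
# so they can be run offline against the constructed samples at the bottom.

# Device backing the filesystem mounted at PATH, or empty if PATH has no
# mount of its own. Later /proc/mounts entries shadow earlier ones, so the
# last match wins.
mount_device() {   # $1 = /proc/mounts text, $2 = mount point
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { dev = $1 } END { print dev }'
}

# 0 if DEV is /dev/mapper/NAME and NAME has a (non-comment) crypttab entry,
# i.e. the mapping is set up by dm-crypt, LUKS or plain.
is_crypt_mapping() {   # $1 = crypttab text, $2 = device path
    case "$2" in /dev/mapper/*) ;; *) return 1 ;; esac
    name=${2#/dev/mapper/}
    printf '%s\n' "$1" | awk -v n="$name" \
        '$1 !~ /^#/ && $1 == n { found = 1 } END { exit !found }'
}

# 0 if both /tmp and /var/tmp are served by a crypttab-managed mapping. A
# bind mount of /home/tmp shows up in /proc/mounts with /home's device.
tmp_dirs_encrypted() {   # $1 = /proc/mounts text, $2 = crypttab text
    for d in /tmp /var/tmp; do
        dev=$(mount_device "$1" "$d")
        is_crypt_mapping "$2" "$dev" || return 1
    done
    return 0
}

# 0 if every active swap area is a mapping whose crypttab key is /dev/urandom
# with the "swap" option, i.e. the random-passphrase scheme from the thread.
# A raw partition, or a mapping keyed some other way, fails the check.
swap_randomly_keyed() {   # $1 = /proc/swaps text, $2 = crypttab text
    swaps=$(printf '%s\n' "$1" | awk 'NR > 1 { print $1 }')
    [ -n "$swaps" ] || return 1          # no swap active: nothing to protect
    for dev in $swaps; do
        case "$dev" in /dev/mapper/*) ;; *) return 1 ;; esac
        name=${dev#/dev/mapper/}
        printf '%s\n' "$2" | awk -v n="$name" '
            $1 !~ /^#/ && $1 == n && $3 == "/dev/urandom" && $4 ~ /(^|,)swap(,|$)/ { ok = 1 }
            END { exit !ok }' || return 1
    done
    return 0
}

report() {   # $1 = /proc/mounts text, $2 = /proc/swaps text, $3 = crypttab text
    if tmp_dirs_encrypted "$1" "$3"; then echo "/tmp, /var/tmp: on an encrypted mapping"
    else echo "/tmp, /var/tmp: NOT on encrypted storage"; fi
    if swap_randomly_keyed "$2" "$3"; then echo "swap: dm-crypt with a random key"
    else echo "swap: NOT a randomly keyed dm-crypt device"; fi
}

# Constructed samples (not captured from a real machine).
# After the fixes: /tmp and /var/tmp bind mounted from the LUKS /home, swap on cswap.
SAMPLE_MOUNTS='/dev/sda5 / ext4 rw,relatime 0 0
/dev/mapper/home /home ext4 rw,relatime 0 0
/dev/mapper/home /tmp ext4 rw,relatime 0 0
/dev/mapper/home /var/tmp ext4 rw,relatime 0 0'
SAMPLE_SWAPS='Filename                                Type            Size    Used    Priority
/dev/mapper/cswap                       partition       2097148 0       -1'
SAMPLE_CRYPTTAB='# <name> <device> <key> <options>
home   /dev/sda6  none          luks
cswap  /dev/sda7  /dev/urandom  swap'

# Before the fixes: /tmp still on the unencrypted root, swap on the raw partition.
UNFIXED_MOUNTS='/dev/sda5 / ext4 rw,relatime 0 0
/dev/mapper/home /home ext4 rw,relatime 0 0'
UNFIXED_SWAPS='Filename Type Size Used Priority
/dev/sda7 partition 2097148 0 -1'
UNFIXED_CRYPTTAB='home /dev/sda6 none luks'

echo "== after the fixes =="
report "$SAMPLE_MOUNTS" "$SAMPLE_SWAPS" "$SAMPLE_CRYPTTAB"
echo "== before the fixes =="
report "$UNFIXED_MOUNTS" "$UNFIXED_SWAPS" "$UNFIXED_CRYPTTAB"
```

On a live machine, call report "$(cat /proc/mounts)" "$(cat /proc/swaps)" "$(cat /etc/crypttab)" as root. One caveat worth knowing before copying the random-key recipe: the key is drawn from /dev/urandom at every boot and never stored, so a swap set up this way cannot be resumed from after hibernation; the hibernate case mentioned above needs a swap device with a persistent (passphrase or keyfile) LUKS key instead.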
  


