Root filesystem encryption update

Bruno Wolff III bruno at wolff.to
Tue Jun 19 05:52:46 UTC 2007


On Tue, Jun 19, 2007 at 09:36:28 +0930,
  n0dalus <n0dalus+redhat at gmail.com> wrote:
> 
> Does full disk encryption have many advantages over directory-based
> encryption? It seems like a lot less pain to be able to boot into X
> and just have important directories encrypted.

If you are going to run things like a DBMS on top of an encrypted filesystem
you need to know that it is going to have guarantees about when data
is written to the disk. dmcrypt is designed to do that (though there is
an issue with it on SMP systems since 2.6.19 when it switched to work
queues). I haven't seen this issue addressed by the other encryption
systems being proposed, though I could have easily missed it.

> One problem I see in both approaches is access control. Many computers
> are used by more than one person, and instead of giving everyone the
> one password (and having to change it whenever someone leaves the pool
> of trusted people), it might be better to make sure these methods use
> username/password combos which can be added and revoked.

Only the people that need to boot the machine need the password if you
are using dmcrypt with whole partition encryption. If there are several
of these, each can have their own password.



