Encrypted home directory

[Bruno Wolff III]

On Tue, Dec 23, 2008 at 10:18:34 +0100,
  Ralf Corsepius <rc040203 at freenet.de> wrote:
> I don't buy this. Even in this case, you actually will want to
> protect/encrypt sensitive data, not the whole disk.

Except that knowing where the sensitive data is isn't easy. Once you start
worrying about where stuff might have ended up, it's easier to encrypt the
whole disk.

> In most cases this would be passwds, ssh-keys and certain sensitive
> files. 
> 
> Of cause, you can achieve this by "whole disk encryption", but I would
> call this to be the "big hammer". Suitable for personal-laptops, but
> widely silly on desktops.

That depends on what your threats are. Laptops are more prone to becoming
available to people you don't want to have access than desktops. For
a lot of people encrypting a desktop is going to be unneccesary.

> 
> > To protect against other users, you probably want to use selinux.
> SELinux is aiming at shielding the system against mal-ware and against
> applications misbehaving. 
> 
> It does not help against unauthorized access on personal data, such as
> your personal on-line banking account access data, ssh-keys or
> confidential documents and similar.

It can be used to do that. By limiting what applications have access to
individual pieces of data you can make it harder for people to inadvertantly
give it out to the applications. Support for this is still pretty
rudimentary in current policies. But work is being done on confining
firefox.

> Similarly, encryption of supposed to be universally, globally accessable
> files (such as much of the OS) is widely meaningless. It doesn't buy you
> anything.

I agree . But it can be a pain to sort stuff out. If you keep home, etc, tmp
and var on separate partitions (or do some bind mounting tricks), then there
isn't a need to encrypt the rest of /.