Encrypted home directory
Ralf Corsepius
rc040203 at freenet.de
Tue Dec 23 09:18:34 UTC 2008
On Tue, 2008-12-23 at 02:58 -0600, Bruno Wolff III wrote:
> On Tue, Dec 23, 2008 at 09:27:56 +0100,
> Ralf Corsepius <rc040203 at freenet.de> wrote:
> > The rationale for wanting a completely encrypted system has always
> > escaped me, esp. when being on a multi-user system.
>
> Full disk encryption isn't meant to protect the system from authorized
> users. It's meant to protect the system from people who get their hands
> on the hardware.
I don't buy this. Even in this case, you actually will want to
protect/encrypt sensitive data, not the whole disk.
In most cases this would be passwds, ssh-keys and certain sensitive
files.
Of cause, you can achieve this by "whole disk encryption", but I would
call this to be the "big hammer". Suitable for personal-laptops, but
widely silly on desktops.
> To protect against other users, you probably want to use selinux.
SELinux is aiming at shielding the system against mal-ware and against
applications misbehaving.
It does not help against unauthorized access on personal data, such as
your personal on-line banking account access data, ssh-keys or
confidential documents and similar.
Similarly, encryption of supposed to be universally, globally accessable
files (such as much of the OS) is widely meaningless. It doesn't buy you
anything.
Ralf
More information about the fedora-devel-list
mailing list