ssh clarification needed

Mail Llists lists at sapience.com
Sun Jan 4 16:02:01 UTC 2009


> I have luks encryption on /home on the netbook - which is what I'm really 
> thinking about.  

 Oh good ...
>> and then bind mount /tmp and /var/tmp out of /home/tmp
>> /home/var/tmp. 
> I don't understand that bit, I'm afraid.

   Lots of programs use /tmp or /var/tmp and leave temporary files in
there which may contain sensitive information - so if / is not encrypted
it's good to have those directories not be in / - but rather be in the
encrypted partition (/home). By bind mounting /home/tmp over /tmp you
are now using a /tmp which is encrypted as well. Otherwise when the bad guy
steals the laptop - he looks in /tmp and /var/tmp for anything interesting.

> It takes a government department to lose laptops with unencrypted confidential 
> information :-)

   ;-)

> Again, I assumed that it was not possible for an intruder to get as far as 
> swap.  If I'm wrong, how can that be encrypted after an install?

   If the laptop is stolen and swap is not encrypted then the bad guys can
read your swap partition and troll for sensitive data. Your choice on
the risk factor here .. and of course the more memory your laptop has
the fewer pages will be paged out to swap. Unless you hibernate, in which
case swap may well have more.

   It is straightforward using luks directly, however I will leave the
answer to this for the approved F10 way to those better versed in F10
and encrypted swap - mike.cloaked ? You can do it with a passphrase or
use a random passphrase - I will show my hand the random passphrase way
below.

   By hand it would be something like this - let me assume for this your
swap partition is /dev/sda7


       # turn off swap
       swapoff -a

       # randomize what's there (skip if just testing); this takes a long
       # time
       dd if=/dev/urandom of=/dev/sda7

       # Set it up as encrypted swap
       cryptsetup -d /dev/urandom create cswap /dev/sda7

       # make swap device (/dev/mapper/cswap) and use it. You can use
       # any name; I chose cswap
       mkswap /dev/mapper/cswap
       swapon /dev/mapper/cswap

       # Making it work at boot time
       # create the file /etc/crypttab with this in it.
       # cat /etc/crypttab
       cswap  /dev/sda7 /dev/urandom swap

       # change your /etc/fstab - comment out existing swap line and
       # replace with
       /dev/mapper/cswap none swap defaults 0 0


> Anne

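Added example (not part of the mail above, and not Fedora's own tooling): a small POSIX sh audit helper that checks an fstab/crypttab pair for the two things the reply recommends - swap on a dm-crypt mapping keyed from /dev/urandom with the "swap" option (so the key is thrown away and the device re-created at every boot), and /tmp and /var/tmp bind-mounted from inside /home. It assumes /home is the encrypted volume and the classic four-field crypttab layout shown in the mail; the fstab and crypttab texts it runs against are constructed samples embedded in the script, not taken from any real system.

```shell
#!/bin/sh
# Added audit helper (not from the original mail). Assumes: /home is the
# LUKS-encrypted volume, and crypttab uses <name> <device> <keyfile> <options>.

# Return 0 only if every swap line in the fstab text ($1) points at
# /dev/mapper/<name> and the crypttab text ($2) declares <name> keyed from
# /dev/urandom with "swap" among its options.
swap_is_encrypted() {
    fstab_text=$1; crypttab_text=$2; status=0
    # field 3 of fstab is the filesystem type; skip comments and short lines
    swapdevs=$(printf '%s\n' "$fstab_text" \
        | awk '$1 !~ /^#/ && NF >= 3 && $3 == "swap" { print $1 }')
    [ -n "$swapdevs" ] || { echo "NONE: no swap entries in fstab"; return 1; }
    for dev in $swapdevs; do
        case $dev in
            /dev/mapper/*) name=${dev#/dev/mapper/} ;;
            *) echo "PLAIN: $dev is used as swap without dm-crypt"; status=1; continue ;;
        esac
        entry=$(printf '%s\n' "$crypttab_text" \
            | awk -v n="$name" '$1 !~ /^#/ && $1 == n { print; exit }')
        if [ -z "$entry" ]; then
            echo "MISSING: $dev has no crypttab entry"; status=1; continue
        fi
        key=$(printf '%s\n' "$entry" | awk '{ print $3 }')
        opts=$(printf '%s\n' "$entry" | awk '{ print $4 }')
        if [ "$key" != "/dev/urandom" ]; then
            echo "KEY: $name is keyed from $key, not a per-boot random key"; status=1; continue
        fi
        case ",$opts," in
            *,swap,*) echo "OK: $dev -> $name (random key, mkswap'd at boot)" ;;
            *) echo "OPTS: $name lacks the swap option, so it is not re-formatted at boot"; status=1 ;;
        esac
    done
    return $status
}

# Return 0 only if /tmp and /var/tmp are bind mounts whose source lives
# under /home (the encrypted volume in this setup).
tmp_is_on_encrypted_home() {
    fstab_text=$1; status=0
    for mnt in /tmp /var/tmp; do
        src=$(printf '%s\n' "$fstab_text" | awk -v m="$mnt" \
            '$1 !~ /^#/ && NF >= 4 && $2 == m && $3 == "none" && $4 ~ /(^|,)bind(,|$)/ { print $1; exit }')
        case $src in
            /home/*) echo "OK: $mnt is bind-mounted from $src" ;;
            "")      echo "PLAIN: $mnt is not a bind mount from /home"; status=1 ;;
            *)       echo "OTHER: $mnt is bind-mounted from $src, outside /home"; status=1 ;;
        esac
    done
    return $status
}

# Constructed sample configurations (placeholders, not a real machine).
GOOD_FSTAB='UUID=placeholder-root / ext3 defaults 1 1
#/dev/sda7 swap swap defaults 0 0
/dev/mapper/cswap none swap defaults 0 0
/home/tmp /tmp none bind 0 0
/home/var/tmp /var/tmp none bind 0 0'
GOOD_CRYPTTAB='cswap /dev/sda7 /dev/urandom swap'
PLAIN_FSTAB='UUID=placeholder-root / ext3 defaults 1 1
/dev/sda7 swap swap defaults 0 0'
KEYFILE_CRYPTTAB='cswap /dev/sda7 /etc/keys/swap.key swap'

echo "== laptop set up as in the mail =="
swap_is_encrypted "$GOOD_FSTAB" "$GOOD_CRYPTTAB"
tmp_is_on_encrypted_home "$GOOD_FSTAB"
echo "== default install: plain swap partition, /tmp on / =="
swap_is_encrypted "$PLAIN_FSTAB" "$GOOD_CRYPTTAB" || echo "(swap needs attention)"
tmp_is_on_encrypted_home "$PLAIN_FSTAB" || echo "(/tmp needs attention)"
```

On a live system you would feed it `"$(cat /etc/fstab)"` and `"$(cat /etc/crypttab)"`; the fstab check only proves the configuration, so pair it with `swapon -s` (or `cat /proc/swaps`) to confirm the mapping is what is actually in use.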