From: Milan Broz <mbroz@redhat.com>
To: markus reichelt <ml@mareichelt.com>
Cc: dm-crypt@saout.de
Subject: Re: [dm-crypt] FYI: how to (really) cleanly shutdown the system when root is on multiple stacked block devices
Date: Sun, 27 Jun 2010 10:35:34 +0200 [thread overview]
Message-ID: <4C270D56.7050901@redhat.com> (raw)
In-Reply-To: <20100627002048.GC10187@pc21.mareichelt.com>
On 06/27/2010 02:20 AM, markus reichelt wrote:
> * Arno Wagner<arno@wagner.name> wrote:
>
>> Hmm. You know, encrypted root is a problem and pretty difficult to
>> do in the rfirt place. Why not just encrypt the critical parts,
>> like /var /home /root? The rest only holds binaries and config
>> files anyways, which are not that sensitive...
>
> Are you serious?
Usually encrypting everything is better, otherwise we add many problems here.
Just to randomly pick two of them:
- User must think and know which data are sensitive and avoid to copy them
to unencrypted space. It can happen even without his knowledge
- temporary file somewhere, coredump, whatever.
- using "social engineering"
how many people will set the same password to disk encryption and
his account? If I have /etc/shadow visible, why I should bother
with attacking disc encryption with all its barriers?
I'll run dictionary search for passwords there, pretty good tools
already here.
...
I think that for laptop, encrypting everything is better. And I expect
that after clean shutdown my machine is safe.
All used tools currently providing methods how to do it properly
(I mean dm-crypt/LUKS, loop-aes or Truecrypt).
It is just about properly written init/shutdown scripts. I do not think it is
so complicated to fix it - just reverse initramfs root-fs mapping.
Several similar parts of problems "cutting own throat" are there
(like pvmove on root-fs in LVM, multipath solving the situation when all paths
to underlying device are temporarily gone).
This is nothing completely new.
(And yes, I a quite intentionally hijacked this thread to focus on this shutdown
& encrypted root-fs problem, sorry:-)
Milan
next prev parent reply other threads:[~2010-06-27 8:35 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-06-26 11:59 [dm-crypt] FYI: how to (really) cleanly shutdown the system when root is on multiple stacked block devices Christoph Anton Mitterer
2010-06-26 12:52 ` Arno Wagner
2010-06-26 14:21 ` Christoph Anton Mitterer
2010-06-26 18:36 ` Arno Wagner
2010-06-26 19:24 ` Milan Broz
2010-06-26 23:13 ` Christoph Anton Mitterer
2010-06-26 23:34 ` Arno Wagner
2010-06-27 0:20 ` markus reichelt
2010-06-27 8:35 ` Milan Broz [this message]
2010-06-27 12:03 ` Christoph Anton Mitterer
2010-07-02 18:48 ` markus reichelt
2010-07-02 19:29 ` Christoph Anton Mitterer
2010-06-27 2:28 ` Christoph Anton Mitterer
2010-06-27 2:53 ` Arno Wagner
2010-06-27 11:57 ` Christoph Anton Mitterer
2010-06-26 23:30 ` Arno Wagner
2010-06-27 2:31 ` Christoph Anton Mitterer
2010-06-27 2:39 ` Christoph Anton Mitterer
2010-06-27 2:56 ` Arno Wagner
2010-06-27 12:21 ` Christoph Anton Mitterer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4C270D56.7050901@redhat.com \
--to=mbroz@redhat.com \
--cc=dm-crypt@saout.de \
--cc=ml@mareichelt.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.