On Tue, 2008-12-23 at 02:58 -0600, Bruno Wolff III wrote:
On Tue, Dec 23, 2008 at 09:27:56 +0100,
Ralf Corsepius <rc040203(a)freenet.de> wrote:
> The rationale for wanting a completely encrypted system has always
> escaped me, esp. when being on a multi-user system.
Full disk encryption isn't meant to protect the system from authorized
users. It's meant to protect the system from people who get their hands
on the hardware.
I don't buy this. Even in this case, you actually will want
to
protect/encrypt sensitive data, not the whole disk.
In most cases this would be passwds, ssh-keys and certain sensitive
files.
Of cause, you can achieve this by "whole disk encryption", but I would
call this to be the "big hammer". Suitable for personal-laptops, but
widely silly on desktops.
To protect against other users, you probably want to use selinux.
SELinux is aiming at shielding the system against mal-ware and against
applications misbehaving.
It does not help against unauthorized access on personal data, such as
your personal on-line banking account access data, ssh-keys or
confidential documents and similar.
Similarly, encryption of supposed to be universally, globally accessable
files (such as much of the OS) is widely meaningless. It doesn't buy you
anything.
Ralf