|JP Vossen on 14 Jul 2010 14:57:33 -0700|
Date: Wed, 14 Jul 2010 17:34:47 -0400
> From: Richard Freeman <firstname.lastname@example.org> On 07/14/2010 03:30 PM, Jason Stelzer wrote:
> JP hit the nail on the head. I tend to just encrypt the parts of my > $HOME that I care about since the rest of the drive just has off the > shelf software I don't care about on it. But either way, all my > 'important' drivel is secured and locked up.Make sure that the parts you care about include swap in this case... Only issue with that is that you can't use linux suspend-to-disk without a working swap partition, so that might not work so well for a laptop. Anything you access is potentially written out to swap, unless the software is security conscious and locks memory that contains sensitive data. Actually, even then it might get swapped if you hibernate (not sure how that works - obviously it doesn't stay in RAM). Typical way to encrypt swap is just create a random encryption key at each boot and forget it when the power dies. Swap normally doesn't need to persist across a boot, unless you're using suspend-to-disk.
That's why I use whole-disk encryption (ok, yes, except for /boot). I don't have to waste time thinking about what does and does not need to be encrypted not matter when I am mucking around (e.g. /tmp). Hibernation on the mini9 worked in Ubuntu 9.04 with "encrypted LVM" per the alternate installer, but I haven't tested it from my clean re-install of 10.04. I'd assume it works. (Suspend works much better now, I had to fiddle in 9.04.)
Yes there's a performance hit for whole-disk, but even on the mini9 atom with SSD, I don't notice it.
Date: Wed, 14 Jul 2010 15:30:26 -0400 From: Jason Stelzer <email@example.com>
That means that the bad guys are going to need to do an install or just bypass the bootloader and create a new account. Either way, there isn't much chance that any 'phone home' scheme will work. And a fresh install means that there is NO chance.
Right. If you use a strong passphase on whole-disk encryption the OS is unusable, so a clean re-install of something is the only way the HW will "work" for the thief.
What I'd like to see is a laptop with a gps integrated into it (sorta like my phone). In an ideal world, the gps would be built into the laptop and if the laptop were on, the gps would be on. At that point, assuming you can identify the laptop uniquely, you'd essentially have the moral equivalent to apple's 'find my iphone' service.
[...]I've heard of "phone home" apps in the BIOS or other places at the hardware level so the OS is not involved. I guess that could work here too. Not sure I'd want it, but then again I'm occupationally paranoid.
Later, JP ----------------------------|:::======|------------------------------- JP Vossen, CISSP |:::======| http://bashcookbook.com/ My Account, My Opinions |=========| http://www.jpsdomain.org/ ----------------------------|=========|------------------------------- "Microsoft Tax" = the additional hardware & yearly fees for the add-on software required to protect Windows from its own poorly designed and implemented self, while the overhead incidentally flattens Moore's Law. ___________________________________________________________________________ Philadelphia Linux Users Group -- http://www.phillylinux.org Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug