[kwlug-disc] Why Encrypt? [Was: Re: OT - degauss/wipe a dead hard drive/LTO tapes]

unsolicited unsolicited at swiz.ca
Mon May 3 15:46:48 EDT 2010


Speaking of encryption ...

So why bother encrypting?
- surely no significant financial loss would be incurred by most in a 
worst case scenario.
- it's a PITA.
- just how likely is it that someone breaking in (non-laptop) is hunting?
- just how likely is it that that lost/stolen laptop doesn't just have 
its drive reformatted?
- just how likely are the worst case scenarios, anyways?

Now if you're keeping credit card data around, etc., OK. You have a 
duty. But I doubt that's frequently the case.

So, to the list, why bother encrypting?

Chris Irwin wrote, On 05/03/2010 3:36 PM:
> On Mon, May 3, 2010 at 13:33, Oksana Goertzen <ogoertzen at gmail.com> wrote:
>> Re:  drive encryption
>>
>> How do you back up your data if the drive is encrypted?  Do you back up the
>> whole volume?  .. and how do you do that - login as a different account and
>> backup the directory/volume?  I guess I'm a little concerned about corruption
>> and then the whole volume is gone.  I do use encryption for files and some
>> emails but my keys are on the hdd  [.. and yes, there is a difficult & long
>> password defined for the key].
> 
> For my laptop, I used ecryptfs, which was an option during the Ubuntu
> installer. It only encrypts my home directory, which is fine since
> that is all I care about. It is decrypted via a PAM hook at logon. I
> sync $HOME with unison, so I'm logged in when that happens and the
> unencrypted data is copied. Even if I wanted to automate, files are
> still accessible in their encrypted form (as plain files, not a
> loopback image or anything). Back those and the key up, and you're
> good.
> 
> For my desktop, I don't bother. /home is over nfs. Otherwise I'd do
> the same as above.
> 
> For my server, I haven't bothered. I went with md raid 5, and the
> disks are from two different manufacturers, so I don't think there is
> as much of a worry there of disk manufacturers seeing anything. I
> could go ecryptfs as well, but since it only works while logged in, I
> would not be able to do a lot of the automation I currently do. Also,
> my logins to the server are via ssh key auth, and that would not
> decrypt $HOME.
> 


