On 24 Oct 2001, Dr. Evil wrote:
No, it has nothing to do with speed. Machines are plenty fast. This is just a kludgy way to do this, and the last time I tried it, I got kernel panics within a day or so of uptime. Not acceptable, obviously.
2.7 had problems. It's worked reliably for me since 2.8. YMMV.
Is booting from an encrypted fs ever useful? Use read-only media if tampering is a concern. Configure and mount other encrypted filesystems from /etc/rc. If you can install and maintain OpenBSD, you can manage
Surely you can appreciate that a software-only solution to tamper-resistance might have some usefulness? Surely you can understand that, given a choice between booting from a CD and booting from hard disk, it might be an enormous pain to boot from CD all the time, and CDs are far less tamper-resistant than encrypted disk? Surely you can understand that there might be some config files in /etc that contain valuable information in some circumstances?
Sure. Union mount the sensitive stuff over /etc as necessary. CDs are tamper resistant because they can be removed and carried. Encryption is not very useful as a tamper protection measure - it won't protect against a DoS, or replacement of a partition with a trojan. Encrypting system binaries is rarely useful. It creates bootstrapping problems and doesn't provide much benefit. Encrypting /usr/local is useful.
Or perhaps a user wants to make sure that it cannot be proved that a certain application or kernel mod is installed? With the right kind of boot loader and encrypted FS, you could conceal which OS is even being run.
Let's take a step back - this thread started because you suggested win2k's encrypted filesystem was more useable than openbsd's. Now your argument against openbsd is that it's not invisible. Out of interest, can Windows boot from an encrypted disk? Yes, there are many different threat models ranging from casual to paranoia. Neither win2k nor openbsd will satisfy the truly paranoid. But openbsd does have a useful encrypted filesystem. You're welcome to whine about the loopback not being the right colour or whatever. Hell, I'd skip the loopback layer if I could. In the meantime I'll use what's available. My /home partition is encrypted - is yours?
I can't believe that some people on this list think that storing data in an encrypted format is pointless.
Encrypting data is useful. Encrypting system binaries is of little value.
--
mailto:zem@zip.com.au F289 2BDB 1DA0 F4C4 DC87 EC36 B2E3 4E75 C853 FD93
http://zem.squidly.org/
"I'm invisible, I'm invisible, I'm invisible.."