Hi,

Jon Dowland wrote (11 Sep 2011 13:23:37 GMT) :
> I like encrypted $HOME and making the use of them as easy for people
> as possible.

So do I.

However, before we go deep into implementation details, I need to ask
what kind of usecase(s) and threat model(s) you have in mind and are
trying to solve.

When discussing such matters, one needs to be aware of the drawbacks
of encrypting $HOME only; one of these drawbacks can be summed up as:
any data stored in your encrypted $HOME has non-negligible chances to
be written in cleartext on the disk at some point, and stay there,
recoverable by standard forensics tools, during a more or less long
time. E.g. data may be written in cleartext swap, in hibernation
images, temporary data may be written at various places on disk that
are not in $HOME: cups spool, /var/tmp, etc.

The d-i already supports easy *full* system encryption, swap included.
In some threat models, this offers a much greater protection than
encrypting $HOME only.

I think the specific usecases and threat models that make $HOME-only
encryption more fit and desirable should be clearly defined before we
look for a solution. What do you think?

Bye,
-- 
  intrigeri <intrig...@boum.org>
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
  | Do not be trapped by the need to achieve anything.
  | This way, you achieve everything.
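Added example, not part of the original message: a small audit for the drawback described above, reporting which swap areas and leak-prone paths outside $HOME sit on cleartext storage while /home is encrypted. The sample inputs, device names and the `DM` table are constructed; it assumes cryptsetup-created mappings carry a device-mapper UUID starting with `CRYPT-`, and it follows stacked devices (LVM on LUKS) through their backing devices.

```python
# Constructed sample inputs. On a live host they come from /proc/swaps, /proc/mounts,
# /sys/block/dm-*/dm/uuid and /sys/block/dm-*/slaves/ (hibernation images go to swap).
PROC_SWAPS = """Filename Type Size Used Priority
/dev/sda5 partition 2097148 0 -2
/dev/dm-3 partition 1048572 0 -3
"""
PROC_MOUNTS = """/dev/sda1 / ext4 rw 0 0
/dev/dm-1 /home ext4 rw 0 0
/dev/dm-2 /var/tmp ext4 rw 0 0
tmpfs /tmp tmpfs rw 0 0
"""
# device -> (device-mapper UUID, backing devices); plain partitions are absent
DM = {
    "/dev/dm-0": ("CRYPT-LUKS1-constructed-sda3_crypt", ["/dev/sda3"]),
    "/dev/dm-1": ("LVM-constructedhome", ["/dev/dm-0"]),    # LVM on LUKS
    "/dev/dm-2": ("LVM-constructedvartmp", ["/dev/sda6"]),  # LVM on a plain disk
    "/dev/dm-3": ("CRYPT-PLAIN-constructed-swap", ["/dev/sda7"]),
}
LEAK_PATHS = ["/var/spool/cups", "/var/tmp", "/tmp", "/home"]

def encrypted(dev, dm=DM):
    """True if dev is a dm-crypt mapping or sits entirely on top of one."""
    if dev not in dm:
        return False
    uuid, slaves = dm[dev]
    return uuid.startswith("CRYPT-") or (bool(slaves) and all(encrypted(s, dm) for s in slaves))

def backing(path, mounts):
    """(device, fstype) of the longest mount point that contains path."""
    best = ("", "", "")
    for line in mounts.splitlines():
        dev, mnt, fstype = line.split()[:3]
        inside = mnt == "/" or path == mnt or path.startswith(mnt + "/")
        if inside and len(mnt) > len(best[1]):
            best = (dev, mnt, fstype)
    return best[0], best[2]

def audit(swaps=PROC_SWAPS, mounts=PROC_MOUNTS, dm=DM):
    """Return (what, device) pairs for swap areas and paths stored in cleartext."""
    findings = []
    for line in swaps.splitlines()[1:]:          # skip the header row
        name, kind = line.split()[:2]
        dev = backing(name, mounts)[0] if kind == "file" else name  # swap file -> its fs
        if not encrypted(dev, dm):
            findings.append(("swap", dev))
    for path in LEAK_PATHS:
        dev, fstype = backing(path, mounts)      # tmpfs is RAM-backed; its pages reach swap
        if fstype != "tmpfs" and not encrypted(dev, dm):
            findings.append((path, dev))
    return findings
```

With the constructed inputs, `audit()` reports the plain swap partition, the cups spool on the root filesystem and /var/tmp on an unencrypted volume, while /home passes.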