Quite true, Boyd. But he specifically mentioned the xzibit rootkit, which means he had to be online to get it. So I framed my answer in light of his concerns.
--b

On Thu, Feb 24, 2011 at 9:30 AM, Boyd Stephen Smith Jr. <b...@iguanasuicide.net> wrote:

> On Thursday 24 February 2011 07:03:23 Ron Johnson wrote:
> > On 02/24/2011 06:22 AM, Brad Alexander wrote:
> > [snip]
> >
> > > Also, please remember, when the system is running, the filesystem is
> > > *decrypted*. Encryption is not going to protect you when the system is
> > > running.
> >
> > So what you/we need are apps which integrate GPG. That way, files
> > are only decrypted when necessary.
>
> Depends on what you are trying to defend against. Full-disk encryption is
> meant to defend against physically stolen or confiscated servers, drives, or
> laptops from being accessed. When a laptop is on, it is generally being
> closely observed, so when it is stolen it is usually off. Servers and drives
> are harder to move while powered, so they are usually turned off as part of
> the act of stealing them. In both cases, accessing the data usually requires
> knowledge of the encryption key or the passphrase that unlocks it.
>
> If you want to protect your data from other normal users on the same system,
> permissions usually suffice. If you want to protect your data from privileged
> users (e.g. root) on a system, give up. They can modify the system to tell
> GPG that the memory it has requested is locked, but then capture all the data
> written there, and that act could be mostly transparent to both GPG and the
> user.
>
> GPG is best used for asymmetrically encrypted transfers of data, or when you
> only have a few files to protect and don't feel they justify full disk
> encryption.
> --
> Boyd Stephen Smith Jr.                   ,= ,-_-. =.
> b...@iguanasuicide.net                   ((_/)o o(\_))
> ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
> http://iguanasuicide.net/                    \_/