On Sun, Jul 02, 2006 at 12:00:34PM +0200, Sigfred H?versen wrote:
> Joachim Schipper wrote:
> >On Sun, Jul 02, 2006 at 02:14:59AM +0200, Rico Secada wrote:
> >
> >>Hi
> >>
> >>I have been thinking about encrypting some private files on my laptop,
> >>in case it gets stolen.
> >>
> >>I have no prior experience in this field.
> >>
> >>I have been thinking about using "mcrypt" with blowfish, but is this a
> >>good way to go about? Are there a better alternative? And is blowfish
> >>the best way to encrypt it?
> >>
> >>Please bear with me if these questions are ignorent.
> >
> >
> >There are many solutions; not mentioned yet is gnupg, which has quite a
> >few bells and whistles you don't need but is otherwise a rather solid
> >program (or so I used to think; there have been a few vulnerabilities in
> >the past month or two).
> >
> >However, svnd is probably the most convenient if you are running
> >-current.
> >
> >Do remember to remove the original files; rm -P, as suggested, works.
>
> A users tmp files should be encrypted as well. Setting TMPDIR to point into
> an encrypted filesystem may be enough, assuming that the application(s)
> respect TMPDIR.
Yes, indeed, I should have pointed that out. Thoroughly wiping the
filesystem /tmp resides on (at boot?) works, too.
However, many important files may be kept elsewhere; for instance, vim
uses .filename.swp for swap files, and while this certainly has
advantages, it does not make for optimal security...
All in all, svnd is probably the most convenient option; any other
option requires a lot of work.
Note that, on other systems, a huge problem is that files may be written
to swap at any time unless the memory was specifically allocated not to
allow this (certain high-security programs, like gnupg, do this for at
least part of the memory; but editors typically don't). This means that
the swap partition(s) also need periodic overwriting. However, OpenBSD
uses encrypted swap by default, at least on more-or-less recent
versions.
Joachim
