Differences

This shows you the differences between two versions of the page.

--- software:encryption [2015/07/30 21:05]
cyril [Good passwords]
+++ software:encryption [2015/07/30 21:39] (current)
cyril [Application data and system partition]
@@ Line 21: / Line 21: @@
 ==== When to mount ====
-If your data are very sensitive and you suspect some advanced hackers could try to gain access to it, you should only keep the volumes mounted when you need to use it, and unmount it as soon as you don't need it. To ease it you should have a separate volume for every category of sensitive data you have. It should never be mounted when the computer is unattended, idle, sleeping, or when you are traveling with it. The reason is that it is not that difficult to recover the encryption keys in the RAM if the volume is mounted, even if it is not possible to use the current session; see [[http://web.archive.org/web/20110429202434/http://citp.princeton.edu/pub/coldboot.pdf]].
+If your data are very sensitive and you suspect some advanced hackers could try to gain access to it, you should only keep the volumes mounted when you need to use it, and unmount it as soon as you don't need it. To ease it you should have a separate volume for every category of sensitive data you have. It should never be mounted when the computer is unattended, idle, sleeping, or when you are traveling with it. The reason is that it is not that difficult to recover the encryption keys in the RAM if the volume is mounted, even if it is not possible to use the current session; see [[http://web.archive.org/web/20110429202434/http://citp.princeton.edu/pub/coldboot.pdf|cold boot]].
-If you data are not very sensitive but you just want to prevent the average hacker thief to get your data, keep it mounted and follow the rest of the instructions.
+If your data are not very sensitive but you just want to prevent the average hacker thief to get your data, you can keep the volumes mounted and follow the rest of the instructions.
 ==== Indexing ====
@@ Line 60: / Line 60: @@
 Sensitive/personal application data should be moved to an encrypted partition, you can use symbolic or hard links to make the redirection. This as the advantage of easier backup as well. It is also a good idea to encrypt your home directory, as it is difficult to spot all application data that contain personal data. It can be automatically mounted when you log in, with the same password.
-The next step is to encrypt your whole system partition. It is necessary if your data are very sensitive and you suspect some advanced hackers could try to gain access to it, to prevent from installing spy programs on it (by booting on a live OS or extracting the hard drive). It is still possible to attack the necessarily unencrypted boot partition, but it is way more difficult.
+The next step is to encrypt your whole system partition. It is necessary if your data are very sensitive and you suspect some hackers could try to gain access to it, to prevent from installing spy programs on it (by booting on a live OS or extracting the hard drive). But then it is possible to attack the unencrypted boot partition, which is not really harder because of the needed initramfs, so you also need to encrypt it and have grub decrypt it. You should also verify the integrity of grub, the MBR, and the BIOS.
 Encrypting the whole system partition also encrypts the swap file if there is one. If you are using a swap partition you may want to encrypt it as well (a swap file on an encrypted partition).