On 08/11/12 11:01, Martijn Grooten wrote:
>
> And /etc only to refer to just in case. Nothing on it would have been
> irreplaceable, it would just save me some time setting things up
> again. I don't think there was anything in /etc that I considered very
> important.

The point is /etc/shadow typically contains password hashes. With these someone can guess your passwords to their heart's content.

Encrypting is about preventing disclosure, it is not the same thing as backup. Some things you may not want to disclose, even if you can easily recover or reset them. You probably knew your password, so didn't need to recover it, but do you want someone else recovering it for you?

Similarly if you have sshd running to allow remote access, /etc/ssh will contain the cryptographic material to impersonate your machine. Okay probably not a major issue without /home, but wait, where is the root home directory (oops).

Sure these are not large threats to home users, but since when setting up from scratch it is less effort to protect the whole disk(s) than to protect /home, it is common sense to do the whole disk.

John is right that /var usage depends on what software is being used (doesn't everything in computing depend on that?). Debian sticks databases here by default for MySQL and Postgres, mail servers queue email here, cron puts jobs here, amongst plenty of other things.

But whilst you might not do any of those things now, will you change the encryption of / or /var when you decide to do so? Will you even know or care if a particular application writes data there?

Judging by the fact I often choose not to add encryption to existing partitions or systems the answer for most folk is probably "no". Like me, once it works they'll do the minimum in the expectation (probably correct) that they are less likely to break anything that way. Breaking encryption is of course especially painful as data recovery is usually restricted to the "restore from backup" option.

Again I risk recommending things I don't necessarily do routinely, but when I do encrypt a partition I ALWAYS do the whole disk. I know enough to know that I don't know enough detail about what goes where on disk to safely leave bits exposed. I've been doing it long enough to be confident that if I don't know, plenty of other people won't know either.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
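
An added example, not part of the original post: a check of which of the paths named in the message above sit on an unencrypted device, given the JSON from `lsblk -J -o NAME,TYPE,MOUNTPOINT`. The function names (`mounts`, `audit`), the path list and the sample layout (only /home encrypted) are constructed for illustration.

```python
import json

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT` output for a
# machine where only /home is on an encrypted (dm-crypt) volume.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "mountpoint": "/"},
    {"name": "sda3", "type": "part", "mountpoint": null, "children": [
      {"name": "home_crypt", "type": "crypt", "mountpoint": "/home"}
    ]}
  ]}
]}
"""

# Paths the post names as worth protecting (list assembled for this example).
SENSITIVE = ["/etc/shadow", "/etc/ssh", "/root", "/var", "/home"]


def mounts(devices, encrypted=False):
    """Yield (mountpoint, encrypted) for every mounted node in the tree.

    A mount counts as encrypted if it or any ancestor device is type 'crypt'.
    """
    for dev in devices:
        enc = encrypted or dev.get("type") == "crypt"
        if dev.get("mountpoint"):
            yield dev["mountpoint"], enc
        yield from mounts(dev.get("children", []), enc)


def audit(lsblk_json, paths=SENSITIVE):
    """Map each path to (covering mountpoint, encrypted?) by longest prefix."""
    table = dict(mounts(json.loads(lsblk_json)["blockdevices"]))
    result = {}
    for path in paths:
        covering = [m for m in table
                    if path == m or path.startswith(m.rstrip("/") + "/")]
        best = max(covering, key=len, default=None)  # None: no mount covers it
        result[path] = (best, table.get(best, False))
    return result


if __name__ == "__main__":
    for path, (mount, enc) in audit(SAMPLE_LSBLK).items():
        print(f"{path:12} on {mount!s:6} {'encrypted' if enc else 'PLAINTEXT'}")
```

On the sample layout everything except /home resolves to the plaintext root filesystem, which is the exposure the message describes.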