encrypted /tmp? encrypted home dir but remotely rebootable?

Brian McKee brian.mckee at gmail.com
Sun Aug 3 12:27:36 UTC 2008


On Sun, Aug 3, 2008 at 7:13 AM, Karl Larsen <k5di at zianet.com> wrote:
> Bob Smith wrote:
>> I've worked out how to set up encrypted swap and /home/bob on my
>> laptop, but is it possible to set up encrypted /tmp too? If so,
>> how big does the /tmp partition need to be?
>>
>> Also, I want to make my home computer remotely rebootable but
>> with some encrypted stuff: swap, /tmp (if possible), and
>> /home/bob. Has anyone set a computer up so that it can be rebooted
>> without having someone sitting at the keyboard to type in the
>> passphrase, but so you can ssh to it later and mount your own
>> home directory? Or maybe I need to have two userids for this,
>> bob1 who has access to sudo cryptsetup to mount /home/bob, then
>> log out and back in again as bob?
>>
>> Thanks for any tips.
>>
>>
>    Bob you have already gone way too far with your encrypted home
> directory. Take all that stuff off and use your password. I have used
> ssh for years and never had a problem.

Karl, the point of encryption is it's the only way to prevent your
data from being accessed when they have physical possession of your
hard drive.

Bob - I'm curious - how did you encrypt swap and still use hibernate?
I was under the impression that was still not doable...

I like to have a gig of space in /tmp, but that's because I use
programs that use /tmp as a staging area to create ISOs in.  I think
some video transcoding stuff may default to using it as well.  Of
course, if it's encrypted and you have unencrypted space you'd
probably be better doing that work there - at least a bit faster
without the encryption - unless the transcoding work is something you
specifically wanted encrypted I guess.  A quick google showed me a
fair range of opinion on the subject :-)

The double log-in thing makes sense to me - that way you have the
benefit of the fact that cracking your box when you aren't using it
gives them nothing but your empty bob1 account.  Sounds good anyway -
I've not done something like that.

Why not just encrypt everything (whole drive)?

Brian



