[NBLUG/talk] Crypt Filesystems

[Jacob Appelbaum]

Walter Hansen wrote:
>> On Sun, Jul 30, 2006 at 12:40:30AM -0700, Jacob Appelbaum wrote:
>>>> Does sonic.net encrypt the drives of the servers in it's data room?
>>> I sure hope that they encrypt the servers that have their customers data
>>> on it. (Care to chime in Scott?) If my credit card is stored (and it is
>>> with sonic) on their servers I'd hope they have something other than
>>> physical security protecting my personal data. Disk encryption can
>>> provide another hurdle for an attacker and it's one that most attackers
>>> aren't going to get past. Especially a disgruntled employee that's not
>>> in the IT department.
>> Not to put too fine a point on it, we do indeed store credit card info
>> encrypted -- not only is it a good idea, but many banks require it (incl.
>> ours).
> 
> Well yes, but you don't encrypt user home directories and web/ftp space do
> you?

On a system I run, I encrypt each home directory to a key where I do not
have the passphrase. Only the user does. It's encrypted until they
login. Their web/ftp space is on a globally encrypted part of the
system. Just because the data might go over https or sftp it's not public.

I imagine that an encrypted rootfs isn't such a terrible idea for a box
that has credit card processing. This would prevent someone from easily
tampering with the software on the machine, even with physical access
and thus prevent them from easily defeating the encryption.

Obviously sonic doesn't do this with bolt or any of their public shell
servers but who cares? Public shells are inherently insecure by nature.

Regards,
Jacob