On Wed, Oct 29, 2008 at 9:14 PM, Douglas A. Tutty <dtutty@vianet.ca> wrote:
quoted text
> I'll be setting up a new box for the house and I want to use OpenBSD for
> it, both for its security and since it will be an older box it will run
> better than with Debian.
>
> Roles:
>
> main firewall for dialup internet access.
> fetchmail and sendmail to ISP smarthost
> other simple stuff (have another box for insecure stuff like watching
>        videos, surfing the net with javascript and flash).
>
>
> We've moved and now our main security threat is physical security.  We
> don't want the data on the computer (i.e. in the /home directories) to
> be readable if someone steals the box.
>
> I'm thinking I could go two routes:
>
> 1.      encrypt all of /home with an encrypted virtualfs file.  However,
> then the data is unencrypted whenever the box is powered on.

Is your data that important? :)

quoted text
> 2.      I wonder if there's a way to have per-user home directory
> encryption so that the user's directory is accessed/unencrypted/mounted
> (whatever the semantics) on login and recrypted/unmounted on logout.
>
> Have swap and /tmp encrypted too.  Also, perhaps per-user $TMP
> directories if go with plan 2, above.
>
> I think I want root to be able to mount/access the directories so that
> the data can be included in a backup set (which is then piped through
> openssl for encryption) on a file-by-file basis rather than just backing
> up a filesystem image and risking the whole thing if that image becomes
> corrupted.
>
> Ideas?  What do others do to secure /home?  I read on undeadly an idea
> of putting the /home filesystem on a removable drive and putting it into
> a safe but then you have to have the safe mounted securely.
>
> Doug.
>
>



-- 
http://www.felipe-alfaro.org/blog/disclaimer/