-----BEGIN PGP SIGNED MESSAGE-----
On Sun, Apr 26, 2009 at 04:40:33AM -0700, Sam Halliday wrote:
> Tomas Zerolo wrote:
> > Note that I'm not talking about stealing the hardware, but hijacking,
> > trojanizing, whatever. That's the real threat, in this
> I'm still talking about theft of machines (particularly laptops) as that is
> a major threat. One need only read the British newspapers to discover story
> after story of articles where "sensitive information was on a laptop which
> was stolen". As pointed out elsewhere, psql + encrypted drive is entirely
> unpractical as no OS is setup to ask for an encrypted drive password on boot
> (similarly for headless machines, user interaction is required). A practical
> solution that accomplishes the same goals as the encrypted drive is
Now you are mixing things.
* A laptop (by definition *not* a headless machine) which you carry
around and has sensitive data on it: there is _no_ excuse not to
encrypt the drive. There are lots of options (TrueCrypt, for Linux
there's Luks, some laptop vendors provide their own). There are lots
of variants to enter the passphrase, some more convenient
(fingerprint, I'm a little wary of this one).
Same goes for removable media, e.g. thumb drives (they get lost too).
Note that this solution doesn't fly without user education: if your
laptop is stolen and then "mysteriously" re-appears you _have_ to
assume that some has jigged it. Don't enter the passphrase! Nuke it
and install from backup.
* "No OS is setup to ask for an encrypted drive on bootup" -- this is
a red herring. It's not the OS's job to do that, it's the mount
process (remember: it has to work on insertion of a thumb drive too).
TrueCrypt manages this fine, as does Luks. Doing that at boot time
for built-in media (my laptop does that) is just convenience.
* Server on a headless machine -- agreed. That's what we were talking
But i fear we are getting seriously off-topic by now :-/
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
-----END PGP SIGNATURE-----
In response to
pgsql-hackers by date
|Next:||From: Martijn van Oosterhout||Date: 2009-04-27 06:21:23|
|Subject: Re: To know what a macro does|
|Previous:||From: tomas||Date: 2009-04-27 04:30:50|
|Subject: Re: RFE: Transparent encryption on all fields|