------------------------------------------------------------------------------
Kamal R. Prasad
AIX Support & Test, IBM India Software Labs
Golden Enclave, Airport Road, Bangalore-560017, India
Phone : +91-80-5094963,  Internal Ext   : 2963




On 1052687897 seconds since the Beginning of the UNIX epoch
Bill Studenmund wrote:
>
>A file system would be more for a case where physical security isn't a
>strong issue but protecting one user from another is. cgd is best for a
>case where protecting one user from another isn't a big deal, but 
phsyical
>security is.

>It warrants pointing out that an encrypting file system does not
>really protect users from each other on a single host much more
>than chmod 600 does, though.  If you can circumvent the kernel then
>you can read the other user's key.  The best you get in this case
>from an encrypting file system is temporal protection, i.e. you
>have to compromise the box when the target user is logged in rather
>than at any point in time.

The co. where I used to work -had something different on mind (besides 
protecting users from each other's data). They were supplying PCs 
*without* custom hardware and lots of code in the user-space. They did not 
want someone else to pirate the binaries -but wanted the data on the box 
available for general use. so cgd would not have served the purpose, but a 
crypto filesystem would have. but IMHO - layering of filesystems is a 
costly implementation in terms of performance degradation.
regards
-kamal


--
    Roland Dowdeswell                      http://www.Imrryr.ORG/~elric/