[systemd-devel] how to encrypt journalctl metadata

Mantas Mikulėnas grawity at gmail.com
Wed Aug 17 19:55:49 UTC 2016


On Wed, Aug 17, 2016 at 10:10 PM, Divya Thaluru <divya.thaluru at gmail.com>
wrote:

> Hi,
>
> Journalctl stores metadata like "_UID,_GID,_CMDLINE,_SYSTEMD_CGROUP etc…"
> for each message. Is there any way, can we encrypt metadata (commandline
> info) so sensitive information wont be stored.
>
> If encryption of metadata is not possible, can we disable collecting the
> metadata?
>

Store your logs in a LUKS volume. There's no built-in encryption in
journald.

And... quite frankly, I cannot imagine how service name or its UID would be
more sensitive than the messages themselves? It seems the opposite of every
single system I've seen. The *messages* often contain sensitive
information, whereas PIDs or service names are mostly generic info.

Just set up a LUKS container for /var/log.

-- 
Mantas Mikulėnas <grawity at gmail.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/systemd-devel/attachments/20160817/c4d7c4d5/attachment.html>


More information about the systemd-devel mailing list