On Wednesday, 18 March 2020, 09:31:01 CET, Ludwig Nussel wrote:
On 17.03.20 at 20:57, Axel Braun wrote:
[...] I never got why to encrypt just disk when there is a bunch of data leaking via /tmp.
https://bugzilla.opensuse.org/show_bug.cgi?id=1166005 is a good reason to just encrypt /home
You can put /boot back on a separate partition. That way you still have everything except kernel and initrd encrypted so accidental data leak via tmp or swap is still prevented. There was a decision in an unfortunately private SLE feature request some years ago (https://fate.suse.com/320215) to ignore the inconveniences of /boot on / in favor of working snapshots unfortunately.
As Neil Rickert pointed out in between in the above bug report, /boot on a separate (unencrypted) partition is not recommended together with btrfs.

So it looks like one can have an encrypted root partition AND btrfs AND 20s get-the-coffee time on each boot, or separate /boot, encrypted root w/o btrfs (and rollback) and a quick boot time.
Considering the fact that booting happens only every couple of days this might still be acceptable.

Cheers
Axel