On 2015-06-11 01:40, John Andersen wrote:
> On 6/10/2015 4:14 PM, Carlos E. R. wrote:
>> It is done by encrypting a big chunk of the hard disk, placing an LVM container on it, and inside, all the partitions: root, home, swap. There is an external boot partition, in the clear. And it doesn't break hibernation.
> I thought the OP stated the Pointy Haired Bosses demanded whole disk encryption?
Real whole disk encryption needs to be done in firmware. Any software solution is partial.
> Would there not be an avenue of exposure with /boot in the clear?
There will always be some code in the clear, be it a partition, another disk, or BIOS code. For instance, to have /boot encrypted, something needs to read and decrypt it, meaning grub. But then at least grub itself has to be in the clear. To encrypt also grub, you need the decryption code to be read from somewhere, in the clear: it could be from firmware, BIOS, another boot disk...

A removable boot disk, you say? Well, they are easy to remove by an attacker, who can then clone and study it, even more easily than an internal partition for /boot, and finally replace the media with another one of his design. Like one that simply captures the password.

Which is the reasoning for having it in grub+efi, and having EFI boot code protection - what, the evil empire to the rescue? Wasn't it a Microsoft complot against free software? LOL, no.

-- 
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))