Hello Radoslaw,
On Monday, 9 March 2020, 18:06:57 CET, Radosław Wyrzykowski wrote:
On Sunday, 8 March 2020 19:49:43 CET Christian Boltz wrote:
Hello,
On Sunday, 8 March 2020, 17:19:19 CET, Axel Braun wrote:
Hm, guided setup encrypts root partition AND swap. Not sure if this is a good idea....
It is.
If you are paranoid enough to encrypt your root partition (you should!), then you don't want to have parts of your RAM (like open documents or in worst case your disk encryption key) swapped out to unencrypted swap.
This is somewhat similar to the discussion if you really need to encrypt the root partition, or if encrypting /home is good enough. IMHO it isn't, because for example files in /tmp/ can also contain sensitive data which you don't want to have unencrypted. For example, when you click a PDF attached to a mail in KMail, it will get stored in /tmp/ before it gets opened.
Sidenote: I have no idea if suspend to disk works with encrypted swap - I don't have any swap to test.
It does work very well on my ThinkPad T440. I have my root and swap partitions encrypted with LUKS. The root partition includes /boot, so I use GRUB to decrypt it and keep a key in the initramfs so I don't have to put in the passphrase twice (I followed the guide at https://en.opensuse.org/SDB:Encrypted_root_file_system). I haven't had any problems with that setup, but that, of course, depends on your machine.
Thanks for sharing this. I had used the setup with the key in initramfs as well, but in this case - root and swap encrypted - it doubled the time at startup to about 40s! Although reboot is not a very frequent thing - uptime on the laptop mostly between 7 and 14 days - this long waiting period is quite annoying. Let's see if some new insights come along, if not, I will probably go again for a separate, encrypted /home partition, as before. (But this is OT for this thread ;-)
Cheers
Axel