On 2014-04-02 13:35, Vojtěch Zeisek wrote:
Dne St 2. dubna 2014 13:24:08, jdd napsal(a):
may be ask why use so many encrypted partitions? Specially why a system partition.
Well, of course, it would probably be enough to have only /home encrypted and /tmp as tmpfs in RAM. Swap is also not needed at all... Personal data would then be only on encrypted partition.
Actually, you do need to encrypt swap: it can contains copies of part of RAM, so "the bad guy" has access to those contents in clear if he gets his hands on the machine. The situation is worse with an hibernated machine, because the entire ram contents are in there. One of the things found in ram is precisely the disk password. Same thing goes for all the temporary spaces, which is the main reason to cipher the root filesystem. It may not be the case when using a tmpfs, but programs store many things in /var and /tmp which could perhaps give information to "the bad guys". Remember that a tmpfs spills over to swap when needed, AFAIK)
I could think of encrypted system partition with a pass and inside it scripts to open the other encrypted partitions with an other (or the same) passwd
Interesting. It should be possible. Just might be too hard to set it up...
Yes, that's one of the methods described some years ago by a user on the security mail list. That was before systemd. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)