On 20/04/17 07:10 AM, Carlos E. R. wrote:
The other configuration I want is encrypted full disk without LVM. YaST does not support it, the procedure is manual. To avoid separate /boot, grub has to understand encryption and ask for the password early enough.
When you're doing RESCUE stuff, depending on what it was that necessitated the RESCUE, a separate /boot partition that may or may not be outside the LVM and/or may or may not be on a single drive of an array may or may not be useful.

My life, my experience, my sysadmin-paranoia, the itching between my shoulder-blades and my cynicism about the economics of the technology of hard drives, as explained to me by the manager at the company that I once took a drive in for 'recovery', all lead me to having a /boot on a REAL partition (that is, outside the LVM) on each drive or *ANY* kind of a RAID array. Even if I have to update them independently manually. Even if this is beyond anything YAST can assist with.

One day I'll write up the gripe that manager explained to me, how it ties in with the manufacturing process and the supposed handling of bad blocks, but creates a set of unnecessary failure modes of its own, why he saw it as impacting his business and why he saw it as causing unnecessary grief to consumers and small businesses alike. To be fair, SSDs probably cripple his business, but that's another matter.

Given my druthers, I'd go for just about any form of encryption except the user-unfriendly double mounting modes of FUSE. Various ones have their own advantages and disadvantages. What you need to think about is whether the idea of an encryption system that works only when your machine is shut down is enough.

I wonder about EncFS sometimes, the idea of having the encrypted files on a live system accessed via NFS but only decoded locally. Has anyone used this?

By comparison, I use an Aegis Secure USB key from Apricorn. It's a 30G device and has admin as well as user level keys. Encryption is done by hardware and is !FAST! 30G is _just_ large enough to put a bootable Linux on, along with all the X stuff, fonts, man pages, drivers. However, as I've discussed before, what is it you want to focus on when encrypting, code or data?
In a perfect world you'd have unlimited (portable) storage that doesn't degrade in speed with decryption. In reality ... what? Maybe you think that LUKS/FUSE is enough.

As it happens, most of the machines I have access to have two USB ports accessible from the front. They are not always USB3 :-( Some machines don't have USB3 at all :-( :-( But two ports means that I can use one for my "system" USB (which for various systems might be 8G, 16G or 32G) and the other for my SecureKey, the latter being all DATA. YMMV

The Apricorn devices aren't cheap. But if you need that kind of security, really need it in a way that most home users rarely do, then from a Corporate POV it is not merely part of the cost of doing business, it's cheaper than the risks associated with conventional USB sticks. Or even some forms of cloud storage. Apricorn have USB sticks from 4G (around $60) to 480G (around $400) in the same format. Of course they have portable drives, portable SSD and internal drives. https://www.apricorn.com/ I'm not associated with Apricorn in any way other than being a satisfied user.

Maybe you think that LUKS is all you need, but maybe your corporate auditors don't. Something like an Aegis device with proper certification can address that.

-- 
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
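The post above keeps a real /boot partition on each drive of an array and updates the copies by hand. The obvious failure mode of that arrangement is a kernel or grub.cfg update that lands on one drive and not the other, which only shows up the day the first drive dies. The following script is an added example, not code from the poster or from openSUSE; it compares two /boot copies file by file using sha256 checksums and reports any drift. The directory names and the sample files it creates are constructed for the demonstration, and it assumes GNU coreutils and findutils (sha256sum, find -exec ... +).

```shell
#!/bin/sh
# Added example: verify that two manually maintained /boot copies
# (e.g. one real partition per drive of a RAID set) hold identical files.
# Assumptions: GNU sha256sum/find; the paths passed in are mount points
# or directories you choose, nothing here is taken from the original post.

# Emit "hash  ./relative/path" for every regular file under $1, sorted by path,
# so two manifests can be compared byte for byte.
boot_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# Return 0 when both directories contain the same files with the same
# content; otherwise print the differing manifest lines and return 1.
boot_copies_in_sync() {
    a=$(mktemp) || return 2
    b=$(mktemp) || return 2
    boot_manifest "$1" > "$a"
    boot_manifest "$2" > "$b"
    if cmp -s "$a" "$b"; then
        rc=0
    else
        rc=1
        printf 'boot copies differ between %s and %s:\n' "$1" "$2" >&2
        diff "$a" "$b" >&2 || true
    fi
    rm -f "$a" "$b"
    return $rc
}

# Constructed demonstration: two fake /boot trees in a temp directory.
demo_boot_check() {
    root=$(mktemp -d)
    mkdir -p "$root/boot1/grub" "$root/boot2/grub"
    printf 'fake-kernel-v1\n' > "$root/boot1/vmlinuz"
    printf 'set timeout=5\n' > "$root/boot1/grub/grub.cfg"
    cp -R "$root/boot1/." "$root/boot2/"
    boot_copies_in_sync "$root/boot1" "$root/boot2" && echo "boot1 and boot2 in sync"
    # Simulate a kernel update applied to only the first drive.
    printf 'fake-kernel-v2\n' > "$root/boot1/vmlinuz"
    boot_copies_in_sync "$root/boot1" "$root/boot2" || echo "drift detected, as expected"
    rm -rf "$root"
}

demo_boot_check
```

Run it after every kernel or bootloader update as `boot_copies_in_sync /boot /mnt/boot2` (or from cron) and treat a non-zero exit as a reason to re-sync before rebooting; a drifted copy that still boots an old kernel is better than none, but only if you know which one you are getting.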