On 08/30/2019 07:22 PM, Neil Rickert wrote:
> That's not necessarily true.
>
> Before I retired, I had a work computer that I wanted to be able to boot/reboot unattended. That means that an encryption key cannot be provided during boot.
>
> I set it up to use an encrypted home directory (with "ecryptfs"). But ecryptfs can use swap, so I also used randomly encrypted swap. It worked pretty well. I did not need to be there for it to be booted. But, of course, I was there if I logged into it, so I could handle crypto for the HOME directory. Actually, I could do that via ssh and a command line login. I made sure that "$HOME/.ssh" was available whether or not the home directory was decrypted. I logged in with ssh and public key authentication. Then I used "ecryptfs-mount-private" to make the encrypted home directory visible, providing the login key of the ssh session.
One of these days I will have to try encrypted drives. Since SSD will take most of the sting out of the overhead, it may be a good addition. But I always keep coming back to "Why do I need it encrypted to begin with?" Sad, but there is nothing very interesting I worry about someone gaining physical control over a drive and getting. If it's important, it's already encrypted. Why I would want all the files in /opt and /bin and /usr encrypted -- just seems like a stretch. If it's really important, it doesn't even go on a computer :)

-- 
David C. Rankin, J.D., P.E.
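A check for the "randomly encrypted swap" half of the setup Neil describes, added here as an example and not code from either poster: it assumes the standard four-field crypttab layout (name, device, keyfile, options) and reads a /proc/swaps-style file to confirm every active swap device is a dm-crypt mapping keyed from /dev/urandom, since a plain swap partition would otherwise hold pages from the decrypted home in the clear. The sample crypttab and swaps files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Audits the "randomly encrypted
# swap" arrangement: every active swap device should be a dm-crypt
# mapping whose crypttab entry takes its key from /dev/urandom.
# Assumes the standard crypttab layout <name> <device> <keyfile> <options>.

# 0 if mapping NAME in CRYPTTAB uses a random key and the swap option.
crypttab_is_random_swap() {
    name=$1; crypttab=$2
    awk -v n="$name" '
        /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
        $1 == n {
            found = 1
            ok = ($3 == "/dev/urandom" || $3 == "/dev/random") &&
                 ("," $4 ",") ~ /,swap,/
            exit
        }
        END { exit (found && ok) ? 0 : 1 }
    ' "$crypttab"
}

# 0 if every swap in SWAPS (/proc/swaps format) is a /dev/mapper/* device
# that passes crypttab_is_random_swap; prints the first offender otherwise.
all_swap_random_encrypted() {
    swaps=$1; crypttab=$2
    for dev in $(awk 'NR > 1 { print $1 }' "$swaps"); do
        case $dev in
            /dev/mapper/*) ;;
            *) echo "unencrypted swap: $dev"; return 1 ;;
        esac
        if ! crypttab_is_random_swap "${dev#/dev/mapper/}" "$crypttab"; then
            echo "swap $dev is not keyed from /dev/urandom in crypttab"
            return 1
        fi
    done
}

# Constructed sample files so the check runs offline; on a live host
# pass /proc/swaps and /etc/crypttab instead.
demo_dir=$(mktemp -d)
printf '%s\n' '# <name> <device> <keyfile> <options>' \
    'cryptswap /dev/sda3 /dev/urandom swap,cipher=aes-xts-plain64,size=256' \
    'cryptroot /dev/sda2 none luks' > "$demo_dir/crypttab"
printf 'Filename\tType\tSize\tUsed\tPriority\n' > "$demo_dir/swaps"
printf '/dev/mapper/cryptswap\tpartition\t2097148\t0\t-2\n' >> "$demo_dir/swaps"
all_swap_random_encrypted "$demo_dir/swaps" "$demo_dir/crypttab" \
    && echo "all swap is randomly encrypted"
```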