HG said the following on 04/14/2012 03:36 AM:
I wanted to have full disk encryption ...
Just for the record ...

Full disk encryption, partition encryption, file system encryption and file encryption are all quite different things.

Full disk encryption is often implemented in the disk hardware. As the Wikipedia article points out
http://en.wikipedia.org/wiki/Hardware-based_full_disk_encryption
<quote>
The symmetric encryption key is maintained independently from the CPU, thus removing computer memory as a potential attack vector.
</quote>

I've also seen full disk encryption implemented in the low level disk drivers.

The point being that the disk is encrypted regardless of how you partition it, regardless of the file system you use.

I recognise that there are applications like TrueCrypt (and other vendors) which try to encompass many aspects. Their use of terms like 'disk' and 'drive' is often very liberal.

LVM is very good but very daunting until you gain experience and a comfort level.

Partition level encryption (see also TrueCrypt again) gives flexibility but that comes at a price - complexity and management.

Encrypting the RootFS leads to the question of having a separate /boot and whether that is encrypted, and that is encrypted and what goes into the initrd, which gets into key management.

Perhaps you should also look at LUKS - kernel level encryption.

My personal opinion is that you have chosen to 'dive in the deep end'. Even though I have experience with encryption in other areas, if I was approaching this I'd experiment with non-critical, non-root, techniques first.

--
"The wide world is all about you: you can fence yourselves in, but you cannot for ever fence it out."
-- JRR Tolkien,