On Wed, 2 April 2014 14:17:57, Carlos E. R. wrote:
On 2014-04-02 13:35, Vojtěch Zeisek wrote:
On Wed, 2 April 2014 13:24:08, jdd wrote:
Maybe ask why use so many encrypted partitions? Especially why a system partition.
Well, of course, it would probably be enough to have only /home encrypted and /tmp as tmpfs in RAM. Swap is also not needed at all... Personal data would then be only on the encrypted partition.
Actually, you do need to encrypt swap: it can contain copies of part of RAM, so "the bad guy" has access to those contents in clear if he gets his hands on the machine. The situation is worse with a hibernated machine, because the entire RAM contents are in there. One of the things found in RAM is precisely the disk password.
Of course, but with an SSD disk and big RAM you don't need swap at all (well, there is discussion about it, but still). That is what I mean. No swap and temporary directories only in RAM.
Same thing goes for all the temporary spaces, which is the main reason to cipher the root filesystem. It may not be the case when using a tmpfs, but programs store many things in /var and /tmp which could perhaps give information to "the bad guys".
(Remember that a tmpfs spills over to swap when needed, AFAIK.)
Yes, but without a swap partition and with /tmp in RAM it shouldn't be so risky. The problem is /var...
I could think of an encrypted system partition with a pass and inside it scripts to open the other encrypted partitions with another (or the same) passwd.
Interesting. It should be possible. Just might be too hard to set it up...
Yes, that's one of the methods described some years ago by a user on the security mail list. That was before systemd.
Do you think it wouldn't work with systemd?

V.

--
Vojtěch Zeisek
Community of the openSUSE GNU/Linux
http://www.opensuse.org/
http://trapa.cz/
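
The exposure points raised in this thread (plaintext swap, tmpfs spilling over to swap, /tmp and /var sitting on an unencrypted root) can be checked mechanically. The following is an added example, not part of any message in the thread; the sample `/proc/swaps`, `/proc/mounts` and `lsblk -rpno NAME,TYPE` text is constructed, and `audit` is a hypothetical helper that assumes device names match across the three sources.

```python
# Constructed sample inputs (not from the thread): one plaintext swap
# partition, an unencrypted root, an encrypted /home, /tmp on tmpfs.
PROC_SWAPS = """Filename Type Size Used Priority
/dev/sda2 partition 4194300 0 -2
"""
PROC_MOUNTS = """/dev/sda3 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/mapper/cr_home /home ext4 rw,relatime 0 0
"""
LSBLK = """/dev/sda disk
/dev/sda2 part
/dev/sda3 part
/dev/sda4 part
/dev/mapper/cr_home crypt
"""


def audit(swaps, mounts, lsblk, paths=("/tmp", "/var", "/home")):
    """Return findings for places where cleartext data can reach the disk."""
    # Devices that lsblk reports as dm-crypt mappings.
    crypt = {l.split()[0] for l in lsblk.splitlines() if l.split()[1:] == ["crypt"]}
    # (device, mount point, fstype) for every mounted filesystem.
    table = [l.split()[:3] for l in mounts.splitlines() if l.strip()]
    # Active swap areas that are not on a dm-crypt mapping (header line skipped).
    plain_swap = [l.split()[0] for l in swaps.splitlines()[1:]
                  if l.strip() and l.split()[0] not in crypt]
    findings = [f"swap on {dev} is not encrypted" for dev in plain_swap]
    for path in paths:
        # The filesystem holding `path` is the longest mount point prefixing it.
        dev, mnt, fstype = max(
            (m for m in table
             if path == m[1] or path.startswith(m[1].rstrip("/") + "/")),
            key=lambda m: len(m[1]))
        if fstype == "tmpfs":
            # tmpfs pages can be swapped out, so plaintext swap exposes them.
            if plain_swap:
                findings.append(f"{path} is tmpfs and can spill to plaintext swap")
        elif dev not in crypt:
            findings.append(f"{path} is on unencrypted {dev} (mounted at {mnt})")
    return findings


if __name__ == "__main__":
    for finding in audit(PROC_SWAPS, PROC_MOUNTS, LSBLK):
        print(finding)
```

On a real machine the three strings would come from reading `/proc/swaps` and `/proc/mounts` and from running `lsblk -rpno NAME,TYPE`.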