> On 8/30/19 1:00 PM, Carlos E. R. wrote:
>> That makes me wonder about the benefits of the random key. If you are using encrypted swap, you probably are also using encrypted root and data partitions.
>
> That's not necessarily true.
>
> Before I retired, I had a work computer that I wanted to be able to boot/reboot unattended. That means that an encryption key cannot be provided during boot.

I see. Maybe the encryption key could be downloaded via network, using initrd. Just a wild idea. If the machine or its disks are stolen, they cannot decrypt them.

> I set it up to use an encrypted home directory (with "ecryptfs"). But ecryptfs can use swap, so I also used randomly encrypted swap. It worked pretty well. I did not need to be there for it to be booted. But, of course, I was there if I logged into it, so I could handle crypto for the HOME directory. Actually, I could do that via ssh and a command line login. I made sure that "$HOME/.ssh" was available whether or not the home directory was decrypted. I logged in with ssh and public key authentication. Then I used "ecryptfs-mount-private" to make the encrypted home directory visible, providing the login key of the ssh session.

-- 
Cheers / Saludos,
Carlos E. R. (from 15.0 x86_64 at Telcontar)
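The random-key swap described in the thread (a crypttab mapping keyed from /dev/urandom so swap is re-encrypted with a throwaway key at every boot, and fstab pointing at the mapper device rather than the raw partition) is easy to get half right. The script below is an added example, not code from any list member; it audits crypttab/fstab style files for exactly that pairing. Assumed conventions: a crypttab line is "name device key-source options", random-key swap is indicated by a key source of /dev/urandom or /dev/random plus the "swap" option, and the mapping name, device paths and cipher options in the sample files are constructed.

```shell
#!/bin/sh
# Added example for the random-key swap setup discussed in the thread; this is
# not code from the list post. It audits /etc/crypttab and /etc/fstab style
# files (paths are passed in so it can run on copies, offline).
# Assumed conventions: crypttab lines are "name device key-source options",
# random-key swap is signalled by a key source of /dev/urandom or /dev/random
# together with the "swap" option, and fstab then refers to /dev/mapper/name.

# random_swap_mappings CRYPTTAB
# Prints the mapping name of every crypttab entry that is re-keyed from
# /dev/urandom or /dev/random at boot and carries the "swap" option.
random_swap_mappings() {
    awk 'NF >= 4 && $1 !~ /^#/ \
         && ($3 == "/dev/urandom" || $3 == "/dev/random") \
         && $4 ~ /(^|,)swap(,|$)/ { print $1 }' "$1"
}

# swap_uses_mapper FSTAB NAME
# Succeeds when FSTAB activates /dev/mapper/NAME as swap (so the kernel only
# ever writes through the encrypted mapping), fails otherwise.
swap_uses_mapper() {
    awk -v dev="/dev/mapper/$2" \
        'NF >= 3 && $1 !~ /^#/ && $1 == dev && $3 == "swap" { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# check_random_swap CRYPTTAB FSTAB
# Returns 0 and names the mapping when some swap is random-key encrypted and
# actually used through its mapper device; returns 1 with a warning otherwise.
check_random_swap() {
    for name in $(random_swap_mappings "$1"); do
        if swap_uses_mapper "$2" "$name"; then
            echo "ok: swap '$name' gets a fresh key every boot; old swap contents are unrecoverable"
            return 0
        fi
    done
    echo "warning: no random-key encrypted swap in use; swapped-out pages (ecryptfs key material included) may survive a reboot in clear text"
    return 1
}

# make_sample DIR: writes a constructed crypttab and fstab pair into DIR
# (sample values only, not taken from any real machine).
make_sample() {
    cat > "$1/crypttab" <<'EOF'
# name       device      key-source    options
cryptswap    /dev/sda2   /dev/urandom  swap,cipher=aes-xts-plain64,size=256
EOF
    cat > "$1/fstab" <<'EOF'
/dev/sda1              /     ext4  defaults  0 1
/dev/mapper/cryptswap  none  swap  sw        0 0
EOF
}

# Stand-alone run: audit the constructed sample, then clean up.
tmp=$(mktemp -d)
make_sample "$tmp"
check_random_swap "$tmp/crypttab" "$tmp/fstab"
rm -rf "$tmp"
```

On a live system, run `check_random_swap /etc/crypttab /etc/fstab`; the warning case is the one to look for after an installer or a manual edit has left fstab pointing at the raw swap partition while the crypttab mapping is present but unused.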