Mailinglist Archive: opensuse-factory (355 mails)

Re: [opensuse-factory] TW partitioning propsal swap
  • From: Axel Braun <axel.braun@xxxxxx>
  • Date: Mon, 09 Mar 2020 18:28:40 +0100
  • Message-id: <2331864.FtCFghYZsp@southpole>
Hello Radoslaw,

On Monday, 9 March 2020, 18:06:57 CET, Radosław Wyrzykowski wrote:
> On Sunday, 8 March 2020 19:49:43 CET Christian Boltz wrote:
> > Hello,
> >
> > On Sunday, 8 March 2020, 17:19:19 CET, Axel Braun wrote:
> > > Hm, guided setup encrypts root partition AND swap. Not sure if this is
> > > a good idea....
> >
> > It is.
> >
> > If you are paranoid enough to encrypt your root partition (you should!),
> > then you don't want to have parts of your RAM (like open documents or in
> > worst case your disk encryption key) swapped out to unencrypted swap.
> >
> > This is somewhat similar to the discussion if you really need to encrypt
> > the root partition, or if encrypting /home is good enough. IMHO it
> > isn't, because for example files in /tmp/ can also contain sensitive
> > data which you don't want to have unencrypted. For example, when you
> > click a PDF attached to a mail in KMail, it will get stored in /tmp/
> > before it gets opened.
> >
> >
> > Sidenote: I have no idea if suspend to disk works with encrypted swap -
> > I don't have any swap to test.
>
> It does work very well on my ThinkPad T440. I have my root and swap
> partitions encrypted with LUKS. The root partition includes /boot, so I use
> GRUB to decrypt it and keep a key in the initramfs so I don't have to put
> in the passphrase twice (I followed the guide at
> https://en.opensuse.org/SDB:Encrypted_root_file_system). I haven't had any
> problems with that setup, but that, of course, depends on your machine.

Thanks for sharing this. I had used the setup with the key in initramfs as
well, but in this case - root and swap encrypted - it doubled the time at
startup to about 40s!
Although reboot is not a very frequent thing - uptime on the laptop mostly
between 7 and 14 days - this long waiting period is quite annoying.
Let's see if some new insights come along, if not, I will probably go again for
a separate, encrypted /home partition, as before.
(But this is OT for this thread ;-)
Cheers
Axel
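
Added example, not part of the original mail or of any openSUSE tool: a check for the risk Christian Boltz describes above, active swap that is not backed by dm-crypt, including swap on LVM stacked over LUKS. The function names and the sample device layout are constructed; it assumes dm-crypt mappings carry a device-mapper UUID starting with `CRYPT-`, as cryptsetup sets.

```python
import os
import tempfile

def parse_swaps(text):
    """Paths of active swap areas from /proc/swaps content (first line is the header)."""
    return [ln.split()[0] for ln in text.splitlines()[1:] if ln.strip()]

def is_encrypted(name, sysfs):
    """True if block device `name` is dm-crypt, or is stacked only on dm-crypt devices."""
    base = os.path.join(sysfs, name)
    try:
        with open(os.path.join(base, "dm", "uuid")) as f:
            if f.read().startswith("CRYPT-"):  # assumption: cryptsetup-style UUID
                return True
    except OSError:
        pass  # no dm/uuid: not a device-mapper device
    slaves = os.path.join(base, "slaves")
    below = os.listdir(slaves) if os.path.isdir(slaves) else []
    return bool(below) and all(is_encrypted(s, sysfs) for s in below)

def unencrypted_swap(swaps_text, sysfs="/sys/class/block"):
    """Swap areas that could not be verified as sitting on dm-crypt."""
    return [p for p in parse_swaps(swaps_text)
            if not is_encrypted(os.path.basename(os.path.realpath(p)), sysfs)]

# Constructed sample: dm-0 = LUKS mapping on sda2, dm-1 = LVM volume on dm-0,
# sda3 = plain partition used directly as swap.
SAMPLE_SWAPS = """Filename Type Size Used Priority
/dev/dm-1 partition 8388604 0 -2
/dev/sda3 partition 2097148 0 -3
"""

def build_sample_sysfs(root):
    """Create a minimal fake sysfs tree for the constructed layout above."""
    layout = {"dm-0": ("CRYPT-LUKS2-0123abcd-cr_root", ["sda2"]),
              "dm-1": ("LVM-constructedvolume", ["dm-0"]),
              "sda2": (None, []), "sda3": (None, [])}
    for name, (uuid, slaves) in layout.items():
        os.makedirs(os.path.join(root, name, "slaves"), exist_ok=True)
        for s in slaves:
            open(os.path.join(root, name, "slaves", s), "w").close()
        if uuid:
            os.makedirs(os.path.join(root, name, "dm"))
            with open(os.path.join(root, name, "dm", "uuid"), "w") as f:
                f.write(uuid + "\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(unencrypted_swap(SAMPLE_SWAPS, build_sample_sysfs(d)))
    # On a live system: unencrypted_swap(open("/proc/swaps").read())
```

Swap files and zram devices also appear in the result, because the check only recognises dm-crypt backing.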