Mailinglist Archive: opensuse-factory (355 mails)

Re: [opensuse-factory] Will openSUSE adopt systemd-homed?
Is embedding the keyfile in initrd not an option for full-disk encryption to
avoid entering the password twice?

I also remember reading that LUKS2 in GRUB [1] should help with the double
password entry, too, but maybe I remember incorrectly, because I cannot find
the information now.

[1]
https://git.savannah.gnu.org/cgit/grub.git/commit/?id=365e0cc3e7e44151c14dd29514c2f870b49f9755

Best regards

Lukas Kucharczyk

________________________________________
From: Axel Braun <axel.braun@xxxxxx>
Sent: Wednesday, March 18, 2020 10:00 AM
To: opensuse-factory@xxxxxxxxxxxx
Subject: Re: [opensuse-factory] Will openSUSE adopt systemd-homed?

On Wednesday, 18 March 2020, 09:31:01 CET, Ludwig Nussel wrote:
On 17.03.20 at 20:57, Axel Braun wrote:
[...]
I never got why to encrypt just disk when there are a bunch of data leaking
via /tmp.

https://bugzilla.opensuse.org/show_bug.cgi?id=1166005 is a good reason
to just encrypt /home

You can put /boot back on a separate partition. That way you still
have everything except kernel and initrd encrypted so accidental
data leak via tmp or swap is still prevented. There was a decision in
an unfortunately private SLE feature request some years ago
(https://fate.suse.com/320215) to ignore the inconveniences of /boot
on / in favor of working snapshots unfortunately.

As Neil Rickert pointed out in between in the above bug report, /boot on a
separate (unencrypted) partition is not recommended together with btrfs.
So it looks like one can have an encrypted root partition AND btrfs AND 20s
get-the-coffee time on each boot, or separate /boot, encrypted root w/o btrfs
(and rollback) and a quick boot time.
Considering the fact that booting happens only every couple of days, this might
still be acceptable.

Cheers
Axel
