On 9/23/19 8:17 AM, Chris Murphy wrote:
My working assumption is that g-i-s and Users panel need to grow the
ability to present appropriate interface for per user encryption;
maybe that could be as simple as an "encrypt" checkbox at user
creation time, ticked by default.
1. How to handle Anaconda vs GNOME encryption features?
a. It's not apparent that the two offerings differ, how they differ,
that they can be combined, that combining them has consequences.
b. In the Installation Destination spoke, "Encrypt my data" is visible
and unchecked by default. It could be construed as user home only
encryption. It is, however, full disk encryption (minus /boot).
We should keep the recommendation towards FDE. It's too trivial to break
non-FDE setups, therefore I wouldn't change the function of this option.
c. If user chooses this option in the installer, now what? Do not
enable or even present the GNOME encryption features? Or double
encrypt?
I think the gnome encryption feature might should show up during the
initial setup dialog (where we setup online accounts). At this point the
home directory of the user doesn't contain any meaningful data and can
present them with a choice of "encrypt your home directory".
It would also safe the hassle of integrating it with Anaconda.
d. Alternatively, does it get renamed to better indicate it's
full
disk encryption? Or remove it entirely?
Removing it, seems like the worst option to me. Maybe rename it to
"encrypt disk".
2. Consequences of an fscrypt/ext4 only solution
a. Users choosing anything other than ext4 not only don't get user
home encrypted by default, they can't opt into what we're initially
proposing.
b. In some sense it diminishes the message that privacy of user data
is important, because it comes with a "only if you pick ext4" catch.
c. How would the user be informed of a & b (goes back to #1).
> 3. Upsides of fscrypt/ext4 only solution
a. Faster delivery than systemd-homed? (Is this certain?)
4. What about /home only encryption?
Doesn't make any sense to me. The reason to get a per-user encryption
sounds useful in order to reduce the leaking of user data when we have
multiple users per device. /home only encryption protects whom?
An attacker with access to the disk can install malware and put it in
auto start. So there is no real protection here. When we encrypt `/home`
we can encrypt the rest as well.
But feel free to share the thread model with me, where `/home`-only
encryption makes sense :)
[snip]
5. What about always using a /dev/urandom derived key at boot time
for swap?
Sounds like an idea.
--
Signed
Sheogorath
OpenPGP:
https://shivering-isles.com/openpgp/0xFCB98C2A3EC6F601.txt