On Wed, Dec 4, 2019 at 4:41 PM Marius Schwarz <fedoradev(a)cloud-foo.de> wrote:
> On 04.12.19 at 02:02, Chris Murphy wrote:
> > Anaconda custom partitioning has a per mount point encryption option.
> > I can LUKS encrypt only the volume mounted at /home. And if I do this,
> If you do this, someone can manipulate your system to trojan horse your
> passwords, when he has physical access to it.
> Full-disk encryption (/boot included) is the only way to protect the
> system itself.
> Anything else is simply not secure.

systemd-homed doesn't depend on /etc/passwd or /etc/shadow for
authentication. By all means its security guarantees should be
evaluated.
https://github.com/systemd/systemd/pull/14096
What you're talking about is entirely up to the user to configure
manually. Fedora installations today don't support bootloader
lockdown, encrypted /boot, or purging the LUKS key from memory during
suspend, out of the box. And therefore I'm not sure what your
goalposts are, what two things you're comparing.
--
Chris Murphy
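
The layout this thread is arguing about (only /home on LUKS, / and /boot in plaintext), as an added example that is not part of either poster's message: it reads `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output and reports which mount points sit on a dm-crypt device. The sample output, device names and function names are constructed for illustration.

```python
import json

# Constructed sample of `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` output
# for the layout discussed in the thread: only /home sits on LUKS.
SAMPLE_LSBLK = """
{"blockdevices": [
  {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/boot"},
    {"name": "sda2", "type": "part", "fstype": "ext4", "mountpoint": "/"},
    {"name": "sda3", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
     "children": [
       {"name": "luks-home", "type": "crypt", "fstype": "ext4", "mountpoint": "/home"}
     ]}
  ]}
]}
"""


def mount_encryption(lsblk_json):
    """Map each mount point to True if it is on, or below, a dm-crypt device."""
    result = {}

    def walk(node, under_crypt):
        # lsblk reports an opened LUKS mapping as a device of type "crypt".
        under_crypt = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            result[mountpoint] = under_crypt
        for child in node.get("children", []):
            walk(child, under_crypt)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return result


def unencrypted_system_mounts(status, system_mounts=("/", "/boot")):
    """Return the system mount points that are present but not encrypted."""
    return sorted(m for m in system_mounts if m in status and not status[m])


if __name__ == "__main__":
    status = mount_encryption(SAMPLE_LSBLK)
    for mount, encrypted in sorted(status.items()):
        print(f"{mount:10} {'LUKS' if encrypted else 'plaintext'}")
    print("plaintext system mounts:", unencrypted_system_mounts(status))
```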