On Thu, Dec 5, 2019 at 4:03 AM Marius Schwarz <fedoradev(a)cloud-foo.de> wrote:
> With FDE running and "Suspend-to-disk" selected in your screensaver
> settings, you get asked for your password on hw wakeup before your
> system gets back running. If someone wants to use such things, he
> already can.

FDE depends on initramfs and plymouth to present the UI for volume
unlock passphrase. That stack is limited, and presents numerous UI/UX,
a11y, i18n, and other problems that must be considered in the
evaluation to enable it by default. And that is the context, how to
better secure user data by default. The mandate is not to make it
perfect. It's to do better.

> Where is the advantage of homed, considering that only encrypting
> /home is a major security flaw by itself? All your goals are already
> there and it's more useful and secure too :) I really have a problem
> understanding why you want to implement a security flaw and call it "better".

Please read "LUKS by default"
https://pagure.io/fedora-workstation/issue/82
If you read the whole thing, you should come to understand why the
initial agreement to implement full disk encryption was suspended, and
also that this issue has a history proving it is being taken seriously
and deliberately.
--
Chris Murphy