On Mon, Dec 09, 2019 at 09:25:06PM -0700, Chris Murphy wrote:
> The installer doesn't support such a configuration. No portion of the
> bootloader nor the boot volume, can be encrypted.

I do consider this a bug, but as there is no stable solution for that
right now we can't just "fix it".

> While the hibernation image could be encrypted, it's not by default.
>
> So where's your pre-existing complaint and feature request that this
> should have been enabled by default a long time ago? Why are you only
> complaining about things when people have a proposal that doesn't
> align with what you want, almost as if you just want to argue for the
> sake of arguing?
There is no need for a pre-existing complaint - if there is some new
proposal coming up and someone sees a fundamental flaw, that does not
automatically make the person pointing it out responsible for fixing
the issue the proposal tries to fix.
A proposed fix for an issue is only good if it fixes more stuff than it
breaks - and the opinions about this seem to diverge for now.
There is always the option "let us just try it and see what happens",
but as it covers a very sensitive area there is a natural tendency to
be more careful about introducing change than usual.
> What's on the table in the near future is encrypting ~/ by default.
>
> And somehow because that's not good enough, in your view, you want to
> shitcan encrypting ~/ at all, while waiting for a perfect solution?
> How is that even remotely logical?
This is quite dangerous to do without encryption of the whole disk. That
would break a lot of user expectations if not properly communicated.
If encrypting ~/ also entails full disk encryption that would be okay,
but not separately.
Not meeting user expectations when it comes to security *always* leads
to bad things.
Some examples:

User expects no encryption, as they did not select anything regarding
encryption or did not select full disk encryption:

- Something breaks the system, they try to restore it and now they can't
  access their data anymore.

User does expect encryption, but it's not labelled as encryption for ~/
only - and therefore only ~/ is encrypted:

- User stores data somewhere else than in /home (e.g. sensitive internal
  programs in /opt or /usr/local, secrets/keys/vpn-keys/.. in /etc) ->
  on device loss that user might still think the data is safe anyway, as
  they think it is encrypted.
- Attacker scenario: there is physical access to the device for a few
  minutes - installing a trojan is super easy to do in <10 minutes,
  without the need for any tool, writing the trojan on site.
  Having the full disk encrypted at least moves this to either about
  half an hour to one hour and having a live-usb-stick ready or to
  having a trojan ready anyways.
So please be careful in case this feature gets introduced, as "less than
expected security" is usually worse than "less security". Wording in the
installer is super critical in regard to ~/ only encryption.
All the best,
David
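The "user thinks it is encrypted, but only ~/ is" scenario David describes can be checked on a running system: walk the block-device tree and flag every mount point that has no dm-crypt layer between it and the disk. The script below is an added example, not code from this thread or from the Fedora installer. It assumes the JSON shape of `lsblk -J -o NAME,TYPE,MOUNTPOINT` (a single `mountpoint` key per device); the sample tree is constructed to model a "~/ only" layout with plain `/boot` and `/` and a LUKS-backed `/home`.

```python
import json
import os

# Constructed sample in the shape of `lsblk -J -o NAME,TYPE,MOUNTPOINT`
# (assumption: one "mountpoint" string per device, as older util-linux
# prints it). Models "~/ only" encryption: /boot, /boot/efi and / are plain
# partitions, /home sits on a dm-crypt (LUKS) mapping.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "mountpoint": "/boot/efi"},
      {"name": "sda2", "type": "part", "mountpoint": "/boot"},
      {"name": "sda3", "type": "part", "mountpoint": "/"},
      {"name": "sda4", "type": "part", "mountpoint": null, "children": [
        {"name": "luks-home", "type": "crypt", "mountpoint": "/home"}
      ]}
    ]}
  ]
}
"""


def mount_encryption_map(lsblk_json):
    """Return {mountpoint: bool}; True means a 'crypt' device sits on the
    path from this mount down to the physical disk."""
    result = {}

    def walk(node, under_crypt):
        here = under_crypt or node.get("type") == "crypt"
        mountpoint = node.get("mountpoint")
        if mountpoint:
            result[mountpoint] = here
        for child in node.get("children", []):
            walk(child, here)

    for device in json.loads(lsblk_json)["blockdevices"]:
        walk(device, False)
    return result


def owning_mount(path, mounts):
    """Longest mount point that is a prefix of path, i.e. the filesystem
    that actually stores it (same rule the kernel mount table applies)."""
    path = os.path.normpath(path)
    best = "/"
    for mountpoint in mounts:
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            if len(mountpoint) > len(best):
                best = mountpoint
    return best


def unencrypted_locations(paths, lsblk_json):
    """Paths from `paths` whose backing filesystem has no dm-crypt layer."""
    mounts = mount_encryption_map(lsblk_json)
    return sorted(
        p for p in paths if not mounts.get(owning_mount(p, mounts), False)
    )


if __name__ == "__main__":
    # Places David names as holding sensitive data outside /home.
    checks = ["/etc/openvpn", "/opt", "/usr/local", "/home/david", "/boot"]
    for location in unencrypted_locations(checks, SAMPLE_LSBLK_JSON):
        print(f"NOT encrypted at rest: {location}")
```

On a real host, replace `SAMPLE_LSBLK_JSON` with the output of `lsblk -J -o NAME,TYPE,MOUNTPOINT`; anything the script prints is data a user may believe is protected by "encryption" when only the home volume is.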