Chris Murphy wrote:
Is it your position that encrypting ~/ alone is not an incremental
improvement? Are you suggesting it's necessary to assume Fedora
Workstation users are subject to targeted attacks? And therefore
install time default must encrypt /, /home, swap? And that this
targeted attack, that applies to everyone, does not include targeted
attacks on unencrypted /boot or the bootloader for reasons you refuse
to elaborate on?
Anaconda should encrypt /boot too. Calamares does it. GRUB supports
prompting for a LUKS passphrase and decrypting LUKS with it. LUKS 1 has been
supported by GRUB for a while (so Calamares still uses that for now), and
there is now a patchset under review for LUKS 2 support:
https://lists.gnu.org/archive/html/grub-devel/2019-11/msg00000.html
Then (in the Calamares setup) the other partitions are unlocked
automatically using a keyfile residing on the encrypted /boot, so that the
user has to enter the passphrase only once (in GRUB).
Kevin Kofler