On Mon, 2014-03-03 at 08:00 -0500, Stephen Gallagher wrote:
> I'd actually be slightly in favor of leaving encryption support to the custom path, for several reasons:
I am noting reasons inline.
> - Encrypting a filesystem means that startup/reboot cannot be handled
> unattended. Someone will need to provide a password (or insert security device, etc.)
This is true, and should be made clear at install time, but I think we should still encourage people to do encryption by prominently asking if they want it.
> - Servers in the "pets" category tend to remain running all the time.
> Encryption is only useful when the drive has been removed from the machine.
Which is common; I had a RAID disk fail in colocation. When they change a disk for me I have no freaking idea what they are going to do with it. The disk is not necessarily completely dead. It may just fail in writing but be perfectly accessible for reading. People should have prayers as the only recourse when a disk fails and some stranger gets in possession of the old disk.
> 2b) Even if the drive is encrypted only for theft protection, in order to accomplish unattended install, the admin will have to customize the mechanism they use to provide the decryption key, in which case they're likely doing a custom install of the filesystem anyway.
I think we could put encryption keys in the boot partition. Then have a *decommission* command that will wipe the boot. The rest of the disk is encrypted with a lost key at this point and unreadable.
If the /boot is on a totally different disk, you do not even need the wipe step.
> - While much less so than it once was, encryption requires CPU time
> to be used on I/O, which is often wasteful in a server environment.
It is often marginal given the CPUs we have today. If you have a heavy I/O-bound load then the CPUs are almost always idling, waiting for data to be written to or read from the platters anyway. With CPUs having AES-NI instructions, this is really not a concern anymore in most cases. (ARM 32 may be an exception to this rule.)
> So I'd suggest that Fedora Server recommends the use of LUKS for disk encryption and makes it available in the custom configuration path only.
> Thoughts?
See above, I think we should encourage the use of encryption and test it as a common deployment scenario.
Simo.
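The "keyfile on /boot, wipe /boot to decommission" model discussed in the thread, as an added demonstration that is not part of the original messages: it uses `openssl enc` on a file as a stand-in for a LUKS volume so it runs without root or block devices, with the keyfile kept in a constructed "boot" directory. In a real deployment the keyfile would be referenced from /etc/crypttab and the volume opened by cryptsetup; the decommission step there is `cryptsetup luksErase` on the header plus overwriting the keyfile, not the dd/rm shown here.

```shell
#!/bin/sh
# Constructed demo: "boot" holds the keyfile (unencrypted, so boot is
# unattended); "data" holds the encrypted volume. openssl stands in for LUKS.
set -u

demo_setup() {
  DEMO=$(mktemp -d)
  mkdir -p "$DEMO/boot" "$DEMO/data"
  # Random hex keyfile, mode 0600, living on the boot partition.
  head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > "$DEMO/boot/volume.key"
  chmod 600 "$DEMO/boot/volume.key"
  # Constructed sample data for the "encrypted" volume.
  echo "customer records" > "$DEMO/plain.txt"
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$DEMO/boot/volume.key" \
    -in "$DEMO/plain.txt" -out "$DEMO/data/volume.enc"
  rm -f "$DEMO/plain.txt"
}

# Unattended "boot": the volume opens from the keyfile, nobody at the console.
unlock_volume() {
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$DEMO/boot/volume.key" \
    -in "$DEMO/data/volume.enc" 2>/dev/null
}

# Decommission: overwrite the keyfile in place, then remove it. The data
# volume is left behind but is now unreadable (a returned or failed disk).
decommission() {
  size=$(wc -c < "$DEMO/boot/volume.key")
  dd if=/dev/urandom of="$DEMO/boot/volume.key" bs=1 count="$size" \
    conv=notrunc 2>/dev/null
  rm -f "$DEMO/boot/volume.key"
}

# Cleanup helper for the temporary directory.
demo_teardown() {
  rm -rf "$DEMO"
}
```

If /boot sits on a separate physical disk, as the thread notes, the data disk alone carries no key and can be handed back without the wipe step.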