On Wed, Dec 14, 2011 at 10:43:38PM +0100, J.A. Bezemer wrote:
>
> On Wed, 14 Dec 2011, Roger Leigh wrote:
>
> [..]
> >The same argument applies to encryption. / and /usr both contain a
> >selection of programs, libraries etc. If you're encrypting one, why
> >would you not encrypt all of it?
>
> Speed. [...]
> encrypted. But this actually does _not_ slow things down: the Linux
> disk cache is sensibly caching the decrypted data, so often-used
> stuff from /bin and /lib happily remains in already-decrypted cache.
> The interesting stuff from /usr is generally too large and too
> seldomly used to remain cached.

This was brought up last time this came up on -devel. And I think it
kind of misses the point.

You are encrypting / and not encrypting /usr. That's fine. But it's
a workaround. It's not addressing the *real* goal, which is to
encrypt /etc. That is to say, /usr is a split of /convenience/.
The real solution would be to have /etc as a separately-mounted
encrypted filesystem.

So really, keeping /usr separate is a different issue, IMHO. This
isn't a reason to keep the /usr split, it's a reason to support
mounting an encrypted /etc in the initramfs. Such a solution would
also satisfy those that want a read-only root but writable /etc for
admin convenience.

Regards,
Roger

--
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.