Hi. I have been using LUKS to encrypt part of my system, with a rather unusual setup, and I would like to ask for advice on making it more standard without sacrificing my requirements.
My requirements are:

- Protect me from casual invasions of my privacy in case the computer were stolen.
- Being able to unlock the system remotely through SSH.
- Minimize the duration of the second-longest interval between required manual operations during boot. Which translates in practice to: minimize the time between the first interaction I must have with Linux and the moment I have a usable session.
- Minimize the number of keystrokes required during boot.

The second point requires an explanation. Like many people, in the morning I switch on this computer with the following sequence: start the boot, go take care of physiological needs, finish the boot. During the longest part of the boot, I am somewhere else, hence my focus on the second-longest part. Since the duration of the POST is incompressible, the longest part of the boot is usually the time between pressing the power button and the first interaction required by Linux.

My current solution to achieve this consists of the following steps:

- The system partitions are not encrypted. The partitions containing personal data are encrypted using LUKS.
- I have a shell script that asks me for the passphrase once and uses it to unlock all the partitions, and I have configured sudo to be able to run that script without authentication.
- I have a minimalistic home on the system partition with an SSH key that allows me to log in, and a shell startup file that automatically runs the shell script to unlock.
- I also have a user with an empty password whose login shell is a script that invokes the shell script to unlock.
- I have configured systemd to only launch xdm when the partitions have been unlocked.

With this scheme, the system boots fully automatically and becomes functional, except that the personal data is not mounted. I can log in through SSH and unlock and mount it. Or I can log in on the text console to unlock and mount it, and then wait a few seconds for xdm to start.
It all works rather well, but I wonder if there are more supported ways of achieving the same result.

Regards,

-- 
Nicolas George
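As an added example (not Nicolas George's own script, which is not shown in the post), here is one way the "ask for the passphrase once, unlock all the partitions, then mount them" script described above could be written. The mapper names, `/dev/disk/by-uuid/...` devices, mount points and the script name `unlock-all.sh` are assumptions for illustration; `cryptsetup open --key-file=-`, `mountpoint -q` and `mount` are the real tools doing the work.

```sh
#!/bin/sh
# Added example, not the original poster's script: unlock several LUKS
# volumes with a single passphrase and mount them. The mapper names,
# devices and mount points listed in VOLUMES are assumptions.

# One volume per line: "<mapper-name> <device> <mountpoint>".
# by-uuid paths (values assumed here) keep working if the kernel
# enumerates the disks in a different order one day.
VOLUMES='
home /dev/disk/by-uuid/ASSUMED-HOME-UUID /home
data /dev/disk/by-uuid/ASSUMED-DATA-UUID /data
'

# unlock_volumes PASSPHRASE VOLUME_LIST
# Opens every listed volume that is not already mapped and mounts it.
# The passphrase is handed to cryptsetup on stdin (--key-file=-) so it never
# appears in the process list; printf '%s' deliberately omits the trailing
# newline, because with --key-file cryptsetup uses the whole input as the
# passphrase, newline included, which would not match what was typed at
# an interactive prompt.
# Prints "<opened> <mounted> <failed>"; exit status is non-zero if any
# volume failed, so a wrapper can tell a partial unlock from a full one.
unlock_volumes() {
    passphrase=$1
    opened=0 mounted=0 failed=0
    while read -r name dev mnt; do
        [ -n "$name" ] || continue                 # skip blank lines
        if mountpoint -q "$mnt"; then continue; fi  # already unlocked and mounted
        if [ ! -e "/dev/mapper/$name" ]; then
            if printf '%s' "$passphrase" | cryptsetup open --key-file=- "$dev" "$name"; then
                opened=$((opened + 1))
            else
                failed=$((failed + 1))
                continue                           # never mount an unopened volume
            fi
        fi
        if mount "/dev/mapper/$name" "$mnt"; then
            mounted=$((mounted + 1))
        else
            failed=$((failed + 1))
        fi
    done <<EOF
$2
EOF
    printf '%s %s %s\n' "$opened" "$mounted" "$failed"
    [ "$failed" -eq 0 ]
}

# Prompt exactly once, without echo, then unlock everything.
main() {
    printf 'LUKS passphrase: ' >&2
    stty -echo 2>/dev/null || true   # no echo on a terminal; harmless otherwise
    read -r passphrase
    stty echo 2>/dev/null || true
    printf '\n' >&2
    unlock_volumes "$passphrase" "$VOLUMES"
}

# Only prompt when executed under the assumed script name, so the functions
# can also be sourced (for instance by a login shell) without prompting.
case $0 in
    */unlock-all.sh|unlock-all.sh) main ;;
esac
```

Because the script skips volumes that are already mapped or mounted, running it twice (once over SSH, once from the console) is harmless. The rest of the setup described in the post can then be expressed with standard pieces: a sudoers line such as `nicolas ALL=(root) NOPASSWD: /usr/local/sbin/unlock-all.sh` (user and path assumed) to run it without authentication, and a systemd drop-in for the xdm unit with `ConditionPathExists=/dev/mapper/home` (mapper name assumed) so the display manager only starts once the volumes are open.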