On Mon, Aug 14, 2017 at 11:27:00AM +0200, Nicolas George wrote:
> Hi.
> 
> I have been using LUKS to encrypt part of my system, with a rather
> unusual setup, and I would like to ask for advice on making it more
> standard without sacrificing my requirements.

[...]

> - The system partitions are not encrypted. The partitions containing
>   personal data are encrypted using LUKS.

I tend to the other extreme: everything (save /boot) is encrypted,
as one big (physical, in the LVM sense) volume. Partitions within
it are logical (LVM) volumes. Yes, that's more or less the standard
Debian way.

Among other things this gives me peace of mind about (copies of)
sensitive data hanging around /var (/var/lib/postgresql, for example,
has a copy of my banking transactions history somewhere).

This brings the "LUKS question" to the earliest point, namely when
trying to mount /.

Now SSH... to fulfill that in this setting, the initramfs must have
some ssh server capability. I've heard that you can bake in dropbear
SSH in the initramfs, which sounds pretty elegant. Never tried, though.

Downside would be that now you've got *two* sshd instances to take
care of, security-wise.

No idea about how (or whether) that interacts with systemd (and
honestly, not very keen on finding out :)

Perhaps you knew all of this, but perhaps this gives you some ideas.

Cheers
-- tomás
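One way to keep that second, initramfs-resident SSH server locked down, added here as an example and not part of tomás's message or of any project's code: it assumes Debian's dropbear-initramfs layout (config directory /etc/dropbear-initramfs, unlock helper /bin/cryptroot-unlock) and dropbear's support for restricted authorized_keys options; the key material is constructed.

```shell
#!/bin/sh
# Hardened config for a dropbear unlock shell inside the initramfs.
# Assumptions: Debian-style dropbear-initramfs layout, /bin/cryptroot-unlock
# as the unlock helper. Verify both paths on the target system.

# Turn an OpenSSH public key line into an entry that can do nothing except
# run the unlock helper: no shell command of its choosing, no forwarding.
unlock_only_key() {
    # $1: "ssh-ed25519 AAAA... [comment]"; refuse anything not 2-3 fields
    set -- $1
    [ $# -ge 2 ] && [ $# -le 3 ] || return 1
    case "$1" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) ;;
        *) return 1 ;;
    esac
    case "$2" in
        AAAA*) ;;          # OpenSSH wire-format key blobs always start this way
        *) return 1 ;;
    esac
    printf 'command="/bin/cryptroot-unlock",no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$*"
}

# Options for the initramfs dropbear itself (sourced by the initramfs hook):
# -s no password auth, -j/-k no local/remote port forwarding, -I 60 drop
# idle sessions, -p a port distinct from the real sshd so the two host keys
# never fight over one known_hosts entry on the admin's machine.
dropbear_initramfs_config() {
    port=${1:-2222}
    case "$port" in
        ''|*[!0-9]*) return 1 ;;   # digits only
    esac
    printf 'DROPBEAR_OPTIONS="-s -j -k -I 60 -p %s"\n' "$port"
}

# Write both files into the dropbear-initramfs config directory.
# Afterwards: update-initramfs -u, then lsinitramfs to confirm the
# authorized_keys and host keys actually landed in the image.
install_remote_unlock() {
    confdir=$1; pubkey=$2; port=$3
    mkdir -p "$confdir" || return 1
    unlock_only_key "$pubkey" > "$confdir/authorized_keys" \
        || { rm -f "$confdir/authorized_keys"; return 1; }
    chmod 600 "$confdir/authorized_keys"
    dropbear_initramfs_config "$port" > "$confdir/config"
}
```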
