On Mon, 11 May 2020 07:36:27 -0400 Greg Wooledge <wool...@eeg.ccf.org> wrote:
> On Sat, May 09, 2020 at 10:05:40PM -0700, Will Mengarini wrote:
> > * Rick Thomas <rick.tho...@pobox.com> [20-05/09=Sa 20:05 -0700]:
> > > [...] died for lack of space in /boot [...]
> >
> > Long ago I stopped bothering with a separate /boot, and behold, I yet
> > live. ISTR the Debian installer doesn't default to creating one either.
>
> Unless you're doing some kind(s) of disk encryption. Which apparently is
> a thing that some laptop users go for in a major way.

And some desktop / server users. I'd rather not have to worry about the
sensitive data on my disks when I decommission them / they fail.

> As a non-laptop person, my understanding is that, at least with some
> implementations of disk encryption, you need an UN-encrypted /boot to
> get the whole thing started. After that, the root file system and any
> other local file systems can be encrypted, and the code from /boot will
> be able to prompt you for the passphrase or whatever.

Yes. FDE including boot is doable, but it takes more work (and isn't
necessarily worth it, depending on the threat model - see above):

https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

Celejar