On Mon, 11 May 2020 11:21:35 -0500 David Wright <deb...@lionunicorn.co.uk> wrote:
> On Mon 11 May 2020 at 10:27:48 (-0400), Celejar wrote:

...

> > Yes. FDE including boot is doable, but it takes more work (and isn't
> > necessarily worth it, depending on the threat model - see above):
>
> I don't encrypt root because it's far too useful to be able to remotely
> boot up. To keep things simple, I set up my laptops similarly, except
> that unlocking is earlier, in the boot sequence rather than after the
> system is fully up.

Well, I currently don't encrypt /boot, but since I'm anyway using the
iDRAC console to supply the LUKS password, I suppose it wouldn't
actually be *that* much more difficult to encrypt the entire disk and
boot from virtual media over iDRAC:

https://www.dell.com/support/article/en-us/sln296648/using-the-virtual-media-function-on-idrac-6-7-8-and-9

Celejar