Chris Murphy wrote:
> Is it your position that encrypting ~/ alone is not an incremental
> improvement? Are you suggesting it's necessary to assume Fedora
> Workstation users are subject to targeted attacks? And therefore
> install time default must encrypt /, /home, swap? And that this
> targeted attack, that applies to everyone, does not include targeted
> attacks on unencrypted /boot or the bootloader for reasons you refuse
> to elaborate on?

Anaconda should encrypt /boot too. Calamares does it. GRUB supports 
prompting for a LUKS passphrase and decrypting LUKS with it. LUKS 1 has been 
supported by GRUB for a while (so Calamares still uses that for now), and 
there is now a patchset under review for LUKS 2 support:
https://lists.gnu.org/archive/html/grub-devel/2019-11/msg00000.html

Then (in the Calamares setup) the other partitions are unlocked 
automatically using a keyfile residing on the encrypted /boot, so that the 
user has to enter the passphrase only once (in GRUB).

        Kevin Kofler
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org

Reply via email to