Chris Murphy wrote: > Is it your position that encrypting ~/ alone is not an incremental > improvement? Are you suggesting it's necessary to assume Fedora > Workstation users are subject to targeted attacks? And therefore > install time default must encrypt /, /home, swap? And that this > targeted attack, that applies to everyone, does not include targeted > attacks on unencrypted /boot or the bootloader for reasons you refuse > to elaborate on?
Anaconda should encrypt /boot too. Calamares does it. GRUB supports prompting for a LUKS passphrase and decrypting LUKS with it. LUKS 1 has been supported by GRUB for a while (so Calamares still uses that for now), and there is now a patchset under review for LUKS 2 support: https://lists.gnu.org/archive/html/grub-devel/2019-11/msg00000.html Then (in the Calamares setup) the other partitions are unlocked automatically using a keyfile residing on the encrypted /boot, so that the user has to enter the passphrase only once (in GRUB). Kevin Kofler _______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
