On Tue, Apr 28, 2020 at 03:51:57PM -0400, Simo Sorce wrote: > If the threat model is just stolen/lost laptop/disk then encrypting the > user data only would be sufficient.
Strictly speaking I'd say /etc/shadow, /var/lib/{pgsql,mysql}/,
/etc/sysconfig/network-scripts/ and /etc/NetworkManager/ are
also quite likely to contain user data - the first as a
bruteforce-target, the second as these are quite often installed on dev
machines (in my experience), and the others as they often contain
passwords in plaintext, which may be even more critical as the actual
user data.
I'd say there is no way around full disk encryption, maybe lifting the
hard restriction on not having double encryption might be an option, but
I don't have any performance data on that.
All the best,
David
signature.asc
Description: PGP signature
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
