Michał Górny wrote:
>> If you have / encrypted, then you can leave /usr unencrypted as it
>> contains no secrets.
>
> That's doing things upside-down. You should encrypt the data needing
> encryption, not the other way. This usually means /home which is
> separate more often than /usr.

That is precisely what is done here. On a typical system I assume that secrets can be in /etc, /home and /var. Encrypting /usr might not give you a security gain and just consume resources.

>> Also /usr can remain mounted read-only most of the time, so there is
>> a reduced chance of accidental corruption. I don't know the number of
>> users who might want this, and I imagine it is difficult to count
>> them.
>
> Is this actually possible now? Last time I tried doing things like this
> X11 failed to set keyboard mappings trying to store compiled ones
> in /usr.

I have not seen any machine running X have read-only /usr yet. Maybe it is something that could be investigated. If I have time, I'll experiment with what happens when I do a read-only bind-mount of /usr on itself.

>> If you say that /usr must be on the same filesystem as /, then there
>> is no real reason to not just make a symlink /usr -> .
>
> That's a joke, right?

There are folks who seriously take this into consideration. I don't necessarily agree with them, though.

Best regards,
Chí-Thanh Christopher Nguyễn
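The read-only bind-mount experiment mentioned in the reply, as an added example that is not part of the thread: a POSIX sh script (assumed Linux, root needed only for the actual remount) that performs the self-bind of /usr and a checker that parses /proc/mounts-format lines to report whether /usr is currently mounted read-only. The checker takes the last /usr entry, since a later bind remount shadows the earlier mount, and only treats a standalone `ro` option as read-only, so `errors=remount-ro` is not misread. The sample mount-table lines below are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Reads /proc/self/mounts-format lines on stdin
# (device mountpoint fstype options dump pass) and prints
# "ro", "rw" or "none" for the /usr mount point.
usr_mount_mode() {
    mode=none
    while read -r dev mnt fstype opts rest; do
        [ "$mnt" = "/usr" ] || continue
        # Surround with commas so only a whole "ro" token matches,
        # not the tail of "errors=remount-ro".
        case ",$opts," in
            *,ro,*) mode=ro ;;
            *)      mode=rw ;;
        esac
    done
    printf '%s\n' "$mode"
}

# The experiment from the reply: bind /usr onto itself, then remount that
# bind read-only. Only the view through /usr becomes read-only; the
# underlying filesystem is untouched. Requires root.
remount_usr_ro() {
    mount --bind /usr /usr &&
    mount -o remount,ro,bind /usr
}

# Constructed sample table: /usr first mounted rw, then shadowed by a ro bind.
SAMPLE_MOUNTS='/dev/mapper/root / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sda2 /usr ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0'

# Usage: ./usr_ro.sh          -> report the sample and, on Linux, this host
#        ./usr_ro.sh --apply  -> actually perform the remount (root)
if [ "${1:-}" = "--apply" ]; then
    remount_usr_ro && echo "/usr is now $(usr_mount_mode < /proc/self/mounts)"
else
    echo "sample table: /usr is $(printf '%s\n' "$SAMPLE_MOUNTS" | usr_mount_mode)"
    if [ -r /proc/self/mounts ]; then
        echo "this host:    /usr is $(usr_mount_mode < /proc/self/mounts)"
    fi
fi
```

Once the bind is in place, anything that tries to write under /usr (the X11 keymap compilation from the quoted message, for instance) will get EROFS, which is exactly what the experiment would surface; `mount -o remount,rw,bind /usr` or `umount /usr` undoes it.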