On Tue, Dec 29, 2015 at 5:57 PM, Andrew Savchenko <birc...@gentoo.org> wrote:
>
> Though I see little point in whole / encryption. What is the
> point to encrypt /usr, /lib, /bin, /sbin? Just do this
> to /home, /var and other sensitive pieces.
>
An obvious advantage is to prevent rootkits, at least while the system is not running under your control. Of course, you'd need to control the entire boot chain for that. If you just use grub to decrypt your boot partition then you're still vulnerable to the bootloader being tampered with.

A hard drive password is indeed another approach, and that would protect against offline attacks as long as you trust the drive vendor.

If you use UEFI or a TPM those also provide protection against tampering, but I've yet to hear of anybody actually accomplishing this on Linux with a TPM. On Windows full-disk encryption backed by a TPM is fairly common - I think it even supports it out of the box. For Linux you need to use trusted grub and enable support in your kernel and initramfs. I have no idea how hard that is to set up (basically you encrypt the disk and store the key in the TPM, and then the TPM only provides the key if the system is booted with the same bootloader+kernel+initramfs). I imagine kernel updates get tricky in such a design, but it has the advantage of being completely transparent to the user.

--
Rich
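The sealing scheme Rich sketches (the TPM measures bootloader, kernel and initramfs into a PCR and only releases the disk key when the measurement matches) can be walked through in a small simulation. This is an added example, not code from the thread or from any TPM tool; the PCR-extend rule is the real one, the seal/unseal functions, the component names and the "boot chains" are constructed stand-ins for what a TPM and tpm2-tools would do on hardware.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Simulated measured boot: each stage hashes the next stage into a PCR
# before handing over control, so the final PCR value depends on every
# component in the chain and on their order.
PCR_INIT = bytes(32)  # a TPM PCR starts out as all zeros at reset


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style PCR extend: new = SHA256(old || SHA256(component))."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(chain: List[bytes]) -> bytes:
    pcr = PCR_INIT
    for component in chain:
        pcr = extend(pcr, component)
    return pcr


def seal(secret: bytes, pcr: bytes) -> dict:
    """Bind a 32-byte secret to an expected PCR value (stand-in for a TPM seal with a PCR policy)."""
    policy = hashlib.sha256(b"policy" + pcr).digest()
    wrap = hmac.new(pcr, b"kdf", hashlib.sha256).digest()
    return {"policy": policy, "ct": bytes(a ^ b for a, b in zip(secret, wrap))}


def unseal(blob: dict, pcr: bytes) -> Optional[bytes]:
    """Release the secret only if the current PCR satisfies the sealed policy."""
    if hashlib.sha256(b"policy" + pcr).digest() != blob["policy"]:
        return None  # policy check fails: wrong or modified boot chain
    wrap = hmac.new(pcr, b"kdf", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], wrap))


def demo() -> tuple:
    """Returns (same_chain_unseals, tampered_bootloader_refused, kernel_update_refused)."""
    luks_key = os.urandom(32)
    # Constructed stand-ins for bootloader, kernel and initramfs images.
    good = [b"grub-2.02", b"vmlinuz-4.4.0", b"initramfs-4.4.0"]
    blob = seal(luks_key, measure_boot(good))
    same = unseal(blob, measure_boot(good)) == luks_key
    tampered = unseal(blob, measure_boot([b"modified-bootloader"] + good[1:])) is None
    # A routine kernel update changes the measurement too, which is the
    # "kernel updates get tricky" problem: the key must be re-sealed.
    updated = unseal(blob, measure_boot([good[0], b"vmlinuz-4.5.0", b"initramfs-4.5.0"])) is None
    return same, tampered, updated
```

On real hardware the same three steps are a PCR policy, a seal against it and an unseal that the TPM refuses when the PCRs differ; the simulation only shows why both a tampered bootloader and a legitimate kernel update look identical to that policy.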