On Fri, 2006-03-24 at 17:50 +0100, Karel Zak wrote:
> On Thu, Mar 23, 2006 at 09:31:19AM -0500, Daniel J Walsh wrote:
> > Laptops have become the standard machine for people, replacing the
> > desktop. We need to consider defaulting FC6 with encrypted filesystem
> > or at least homedirs out of the box. This should be a key feature of FC6.
>
> I don't think that encrypted filesystem is a good way. I think a better
> idea is support for encrypted devices (partitions). It's a solution
> independent of the filesystem and it's useful for swaps too. For more
> details see cryptsetup-luks and dm-crypt.

The problem is that encrypting block devices in a user-friendly fashion
kind of sucks.

* Encrypting the rootfs's block device sucks as you need to be able to
  get a passphrase or whatever at boot-time before you have X (... and
  thus can display the proper fonts) and before you have a sane keyboard
  map.
* You don't want an encryption that's global across all of /home, you
  really want to encrypt each user's home directory separately so that
  they can access their own stuff without needing any sort of admin
  access. But you don't want to require a separate block device per
  user as this is an administration nightmare.

For some cases (e.g., swap, removable devices), block device level can make
a lot of sense. But for things like home directories, it kind of
sucks. :-/

Jeremy