Re: Questions about encrypting user homes by default




On 9/23/19 8:17 AM, Chris Murphy wrote:
> My working assumption is that g-i-s and Users panel need to grow the
> ability to present appropriate interface for per user encryption;
> maybe that could be as simple as an "encrypt" checkbox at user
> creation time, ticked by default.
> 
> 
> 1. How to handle Anaconda vs GNOME encryption features?
> a. It's not apparent that the two offerings differ, how they differ,
> that they can be combined, that combining them has consequences.
> b. In the Installation Destination spoke, "Encrypt my data" is visible
> and unchecked by default. It could be construed as user home only
> encryption. It is, however, full disk encryption (minus /boot).

We should keep the recommendation towards FDE. It's too trivial to break
non-FDE setups; therefore I wouldn't change the function of this option.

> c. If user chooses this option in the installer, now what? Do not
> enable or even present the GNOME encryption features? Or double
> encrypt?

I think the gnome encryption feature should perhaps show up during the
initial setup dialog (where we set up online accounts). At this point the
home directory of the user doesn't contain any meaningful data, and we can
present them with a choice of "encrypt your home directory".

It would also save the hassle of integrating it with Anaconda.

> d. Alternatively, does it get renamed to better indicate it's full
> disk encryption? Or remove it entirely?
> 

Removing it seems like the worst option to me. Maybe rename it to
"encrypt disk".


> 2. Consequences of an fscrypt/ext4 only solution
> a. Users choosing anything other than ext4 not only don't get user
> home encrypted by default, they can't opt into what we're initially
> proposing.
> b. In some sense it diminishes the message that privacy of user data
> is important, because it comes with a "only if you pick ext4" catch.
> c. How would the user be informed of a & b (goes back to #1).
> 3. Upsides of fscrypt/ext4 only solution
> a. Faster delivery than systemd-homed? (Is this certain?)
> 
> 4. What about /home only encryption?

Doesn't make any sense to me. Per-user encryption sounds useful in order
to reduce the leaking of user data when we have multiple users per
device. /home only encryption protects whom?

An attacker with access to the disk can install malware and put it in
auto start. So there is no real protection here. When we encrypt `/home`
we can encrypt the rest as well.

But feel free to share the threat model with me, where `/home`-only
encryption makes sense :)

> [snip]


> 5. What about always using a /dev/urandom derived key at boot time for swap?
> 

Sounds like an idea.

-- 
Signed
Sheogorath

OpenPGP: https://shivering-isles.com/openpgp/0xFCB98C2A3EC6F601.txt
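Point 5 of the quoted mail (a /dev/urandom-derived swap key at boot) in concrete form, as an added example that is not part of this thread: the /etc/crypttab and /etc/fstab fragments that cryptsetup/systemd-cryptsetup accept for it. The partition path is a placeholder; the mapping name `swap` is an assumption.

```text
# /etc/crypttab (added example; PLACEHOLDER-PARTUUID stands for the real partition)
# Reference the partition by a stable path (by-partuuid or by-id), never by the
# filesystem UUID or LABEL: the swap area is re-created with a fresh random key
# on every boot, so any signature written inside it is gone after a reboot.
# "swap" runs mkswap on the mapped device at boot and implies plain dm-crypt;
# size=512 selects AES-256 in XTS mode.
swap  /dev/disk/by-partuuid/PLACEHOLDER-PARTUUID  /dev/urandom  swap,cipher=aes-xts-plain64,size=512

# /etc/fstab
/dev/mapper/swap  none  swap  defaults  0 0
```

Because the key is never stored, hibernation (suspend-to-disk) cannot resume from this swap area; that is the trade-off a random per-boot key makes explicit.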


_______________________________________________
desktop mailing list -- desktop@xxxxxxxxxxxxxxxxxxxxxxx
