Re: [EXT] Re: Questions about encrypting user homes by default


On Mon, Sep 23, 2019 at 09:29:42AM -0600, Chris Murphy wrote:
> > On Mon, Sep 23, 2019 at 4:36 pm, Sheogorath
> > <sheogorath@xxxxxxxxxxxxxxxxxxx> wrote:
> > > Doesn't make any sense to me. The reason to get a per-user encryption
> > > sounds useful in order to reduce the leaking of user data when we have
> > > multiple users per device. /home only encryption protects whom?
> 
> It protects the users from 3rd parties. If POSIX permissions are
> inadequate separation between users (and I agree that it could be),
> then only encrypting user home directories is also inadequate. There
> are ample attack vectors that remain to anyone with physical access.
> 
> 
> > > An attacker with access to the disk can install malware and put it in
> > > auto start. So there is no real protection here. When we encrypt
> > > `/home`
> > > we can encrypt the rest as well.
> 
> The attacker can just as straightforwardly inject malware into the
> initramfs. In the present Anaconda full disk encryption model, which
> the encryption subgroup prefers to avoid for various UI/UX reasons
> including limited a11y, i18n functionality, the /boot volume is not
> encrypted.

How about integrating with OPAL SSD/HDD hardware encryption?  The sedutil tool is in Fedora.  This would encrypt /boot too.