On Mon, Sep 23, 2019 at 10:07 AM Anderson, Charles R. <cra@xxxxxxx> wrote: > > On Mon, Sep 23, 2019 at 09:29:42AM -0600, Chris Murphy wrote: > > > On Mon, Sep 23, 2019 at 4:36 pm, Sheogorath > > > <sheogorath@xxxxxxxxxxxxxxxxxxx> wrote: > > > > Doesn't make any sense to me. The reason to get a per-user encryption > > > > sounds useful in order to reduce the leaking of user data when we have > > > > multiple users per device. /home only encryption protects whom? > > > > It protects the users from 3rd parties. If POSIX permissions are > > inadequate separation between users (and I agree that it could be), > > then only encrypting user home directories is also inadequate. There > > are ample attack vectors that remain to anyone with physical access. > > > > > > > > An attacker with access to the disk can install malware and put it in > > > > auto start. So there is no real protection here. When we encrypt > > > > `/home` > > > > we can encrypt the rest as well. > > > > The attacker can just as straightforwardly inject malware into the > > initramfs. In the present Anaconda full disk encryption model, which > > the encryption subgroup prefers to avoid for various UI/Ux reasons > > including limited a11y, i18n functionality, the /boot volume is not > > encrypted. > > How about integrating with OPAL SSD/HDD hardware encryption? The sedutil tool is in Fedora. This would encrypt /boot too. It's a good question. Quite a lot of consumer SSD hardware these days is actually OPAL 2.0 compliant, with always on encryption happening, it's just that out of the box it's unlocked so it appears unencrypted all the time (whereas the encoding on the media is actually ciphertext, including the bootloader, partition map, etc). And because of this, there's no performance penalty for this form of cryptographically secure storage. Problems: - Keep the SED's DEK or reset it? What's the default? Offer the user a choice? - Dual boot complication. If you reset the SED's DEK, it means a complete wipe of the drive, now your next step is to reinstall Windows or macOS. Before installing Fedora. And then restoring your user home from backup. - I'm not certain to what degree Apple hardware can deal with this. - How common are OPAL 2.0 drives? What percent of users would be left out? Yes it's possible to have a fallback scenario but that's actually two projects rather than one project. Resources suggest we get to pick one project. If the fallback position covers all the use cases, then that should actually be the primary project, not the fallback, where SED becomes an option if resources allow. - I'm pretty sure sedutil requires kernel param libata.allow_tpm=1 which suggests a TPM is a hard requirement? -- Chris Murphy _______________________________________________ desktop mailing list -- desktop@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to desktop-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/desktop@xxxxxxxxxxxxxxxxxxxxxxx
