On 12/3/19 1:57 AM, John M. Harris Jr wrote:
On Monday, December 2, 2019 12:46:30 PM MST Chris Murphy wrote:
It's almost 2020, and I shouldn't have to pick and choose between
remote access and securing user data at rest by default.
You don't have to. Data at rest would mean that your system is powered off, or
suspended to disk. You can have that now with full disk encryption, just as I
do. Depending on your system, you can actually encrypt the entire disk such
that you don't even have a partition table. I do this with my X200 Tablet,
where GRUB is loaded from flash, which decrypts my disk, and then mounts ZFS
mountpoints, swaps on a ZFS zdev.
I think Chris is referring to the fact that you have to be there when
the encrypted system is restarted, to type the decryption key/password.
The dilemma is this: if the decryption is automatic, it doesn't really
protect the data at rest, because the boot process is not secured like
it is on Android or IOS, and therefore the intruders could get in and
access the now-unencrypted disk.
It is conceivable to set up some sort of location-based decryption,
where you would not have to give the password if the system is on a
known network, authenticating through a trusted interface to a known
host, but it's not a solved problem.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
