Re: Fedora 32 System-Wide Change proposal: Disallow Empty Password By Default

On Mon, Dec 2, 2019 at 11:58 PM John M. Harris Jr <johnmh@xxxxxxxxxxxxx> wrote:
>
> On Monday, December 2, 2019 12:46:30 PM MST Chris Murphy wrote:
> > It's almost 2020, and I shouldn't have to pick and choose between
> > remote access and securing user data at rest by default.
>
> You don't have to. Data at rest would mean that your system is powered off, or
> suspended to disk. You can have that now with full disk encryption, just as I
> do. Depending on your system, you can actually encrypt the entire disk such
> that you don't even have a partition table. I do this with my X200 Tablet,
> where GRUB is loaded from flash, which decrypts my disk, and then mounts ZFS
> mountpoints, swaps on a ZFS zdev.

OK you just took a 90 degree turn, detouring the line of discussion,
which was your premise that systemd-homed is pointless if the user
can't ssh into it. There is no difference between a systemd-homed
encrypted user home, and FDE, in this respect. Someone must type in a
passphrase to unlock the volume that contains the user home you want
access to with ssh, in both cases. In your case you have to
physically type that passphrase when you start up, at plymouth. In the
systemd-homed case, login and crypto home unlock are tied together.

I actually prefer the idea that if I'm not logged in, my data is
considered at rest and crypto home is locked, in contrast to how FDE
does it, which treats my data as not at rest even though I'm not logged
in at all.

Trying to get back on track with this thread though, if systemd-homed
is available by the time startup reaches rescue.target, does this
somewhat confuse the distinction of whatever multi-user.target is,
which would then rather be more like manyservices.target in contrast
to fewservices.target? I also don't know if systemd-homed is simple
enough that it's a good idea to make it available by rescue.target.
But then, also what about emergency.target which is even more
rudimentary and likewise requires root?

systemd.debug-shell=1 does provide a root shell on tty9, by the time
rescue.target is reached. And in that shell I can extract
rdsosreport.txt or a full journal among other things, and get running
again. It's admittedly obscure knowledge though.


-- 
Chris Murphy
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx