On Thu, 05.12.19 00:40, Marius Schwarz (fedoradev@xxxxxxxxxxxx) wrote:

> On 04.12.19 at 02:02, Chris Murphy wrote:
> > Anaconda custom partitioning has a per mount point encryption option.
> > I can LUKS encrypt only the volume mounted at /home. And if I do this,
> If you do this, someone can manipulate your system to trojan horse your
> passwords, when he has physical access to it.
>
> Full-disk encryption (/boot included) is the only way to protect the
> system itself. Anything else is simply not secure.

Uh, first of all, plain full disk encryption as we typically set it up on Fedora provides confidentiality, not integrity. For the OS image itself you want integrity, though; confidentiality is not needed (after all, anyone can download Fedora from the Internet, everyone knows all the bits and bytes in it anyway, it's inherently public information, there's zero point in encrypting it).

Unless you combine dm-crypt with dm-integrity (which we currently generally do not do), or you use dm-verity, you are not actually protecting the OS from undetected modification. And there's no point in encrypting /boot, because that contains only public information too. If you want to protect your boot chain, use something like a complete SecureBoot chain, but that too is something we currently don't actually support on Fedora (because initrds are not verified).

Anyway, figure out your threat model, figure out how you want to protect what, and understand that for different parts of the installation different rules apply.

And yes, I think encrypting the home directory with the user's own password makes most sense.

Lennart

--
Lennart Poettering, Berlin
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
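The confidentiality-versus-integrity distinction in the message above, worked through as an added example (not code from the thread, Fedora or the dm-* subsystems). It uses a toy keyed keystream as a stand-in for the sector cipher and a two-level hash list as a stand-in for verity's hash tree; the function names, block size, key and "OS image" bytes are all constructed for the demonstration. Real dm-crypt uses AES-XTS, where a modified sector decrypts to a scrambled block rather than a surgically flipped one, but, as with the toy cipher here, no error is raised, which is the point being made.

```python
"""Constructed demo: encryption alone (dm-crypt style) hides data but does not
detect modification; dm-integrity style tags or dm-verity style hashes do.
Illustrative only; none of these names are real dm-* or Fedora APIs."""
from __future__ import annotations

import hashlib
import hmac

BLOCK = 16  # toy block size; real sectors are 512 or 4096 bytes


def _keystream(key: bytes, block_no: int) -> bytes:
    # Toy per-block keystream (HMAC-SHA256 over the block number). Stands in
    # for the real sector cipher; it is NOT a production cipher.
    return hmac.new(key, block_no.to_bytes(8, "big"), hashlib.sha256).digest()[:BLOCK]


def _blocks(data: bytes) -> list[bytes]:
    assert len(data) % BLOCK == 0, "image must be block aligned"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def crypt_image(key: bytes, image: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) an image block by block."""
    return b"".join(bytes(a ^ b for a, b in zip(blk, _keystream(key, n)))
                    for n, blk in enumerate(_blocks(image)))


def integrity_tags(key: bytes, ciphertext: bytes) -> list[bytes]:
    """dm-integrity style: one keyed tag per block, bound to the block number."""
    return [hmac.new(key, n.to_bytes(8, "big") + blk, hashlib.sha256).digest()
            for n, blk in enumerate(_blocks(ciphertext))]


def integrity_check(key: bytes, ciphertext: bytes, tags: list[bytes]) -> list[int]:
    """Return the block numbers whose stored tag no longer matches the data."""
    return [n for n, t in enumerate(integrity_tags(key, ciphertext))
            if not hmac.compare_digest(t, tags[n])]


def verity_hashes(image: bytes) -> tuple[list[bytes], bytes]:
    """dm-verity style: per-block hashes plus a root hash over them.
    The root hash is what a trusted boot chain would pin; the per-block hashes
    live beside the data, like verity's hash device. No key needed: the OS
    image is public, it only has to be unmodified."""
    leaves = [hashlib.sha256(blk).digest() for blk in _blocks(image)]
    root = hashlib.sha256(b"".join(leaves)).digest()
    return leaves, root


def verity_read(image: bytes, leaves: list[bytes], root: bytes, block_no: int) -> bytes:
    """Read one block, failing closed if the hash list or the data disagree with root."""
    if hashlib.sha256(b"".join(leaves)).digest() != root:
        raise IOError("verity: hash list does not match pinned root hash")
    blk = _blocks(image)[block_no]
    if hashlib.sha256(blk).digest() != leaves[block_no]:
        raise IOError(f"verity: block {block_no} does not match its hash")
    return blk


def demo() -> dict:
    key = b"\x01" * 32                                           # constructed key
    image = b"#!/bin/sh\necho OK\n".ljust(2 * BLOCK, b"\x00")    # constructed "OS image"
    ct = crypt_image(key, image)

    # 1. Encryption alone: a modified ciphertext block decrypts without any error.
    modified = bytearray(ct)
    modified[BLOCK] ^= 0x01
    pt_after = crypt_image(key, bytes(modified))
    undetected = pt_after != image          # content changed, nothing complained

    # 2. dm-integrity style: the keyed tag for the modified block no longer verifies.
    tags = integrity_tags(key, ct)
    bad_blocks = integrity_check(key, bytes(modified), tags)

    # 3. dm-verity style over the plaintext, read-only OS image: read fails closed.
    leaves, root = verity_hashes(image)
    tampered = bytearray(image)
    tampered[0] ^= 0x01
    try:
        verity_read(bytes(tampered), leaves, root, 0)
        verity_caught = False
    except IOError:
        verity_caught = True

    return {"undetected_by_crypt_alone": undetected,
            "integrity_bad_blocks": bad_blocks,
            "verity_caught": verity_caught}


if __name__ == "__main__":
    print(demo())
```

Running it shows the three outcomes side by side: the cipher-only image silently accepts the change, the integrity tags name the affected block, and the verity-style read refuses to return tampered data. Note that the verity check needs no secret at all, which matches the message's point that the OS image needs integrity rather than confidentiality, while the root hash itself still has to come from somewhere trusted (which is where a verified boot chain enters).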