On 06.12.19 at 23:22, Chris Murphy wrote:
>
> Is it your position that encrypting ~/ alone is not an incremental
> improvement? Are you suggesting it's necessary to assume Fedora
> Workstation users are subject to targeted attacks? And therefore
> install time default must encrypt /, /home, swap? And that this
> targeted attack, that applies to everyone, does not include targeted
> attacks on unencrypted /boot or the bootloader for reasons you refuse
> to elaborate on? And you propose that users should have to opt out of
> this, rather than opt in?

If the drive stays stolen, it no longer matters if the entire system got changed or not, you never will see your drive again anyway.

But in the case your laptop is running and an attacker can manipulate the OS, the moment you relogin, you lost everything. That would not happen if the drive is powered down, as the OS is untamperable in that moment.

/boot, bootloader and BIOS can be removed by swapping the hw the drive resides in. As the owner of a device, you will know if someone did it when you were on the toilet ;) and to make it that hard to trick someone, /boot, BIOS and bootloader should also be protected :)

That forces the attacker to use a level of effort, it's easier to just shoot you while the drive is unlocked.

best regards,
Marius