On Wed, Sep 27, 2023 at 01:10:10AM +0200, Jean-Marc Saffroy wrote:
> Hi,
>
> On Tue, Sep 26, 2023 at 10:00 PM Zdenek Kabelac
> <zdenek.kabelac@xxxxxxxxx> wrote:
> > Yep typical usage is to encrypt underlying PV - and then create LVs and its
> > snapshots on encrypted device.
>
> Sure, I'd do that in other circumstances.
>
> But in my case it would just be a waste: I am replacing several disks
> on a desktop computer with a single 2TB NVME SSD for everything. Only
> /home needs to be encrypted, and it's tiny, like 100-200GB. Going
> through encryption for most application I/Os would use CPU time and
> increase latency with no benefit.

"No benefit" depends on one's threat model. A surprising amount of sensitive data gets put outside of /home. For instance, SSH host keys are in /etc, and system daemons store their data in /var. That's why the standard is to encrypt the entire drive, except for /boot and /boot/efi. It's the only way to ensure that sensitive data doesn't wind up on the NVMe drive, from which it cannot be removed except by destroying or (cryptographically) securely erasing the drive.

-- 
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
_______________________________________________
linux-lvm mailing list
linux-lvm@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/linux-lvm
read the LVM HOW-TO at http://tldp.org/HOWTO/LVM-HOWTO/
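One way to check the reply's point on a running system, as an added example that is not part of the thread: it walks the device tree that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints (a constructed copy of that JSON is embedded here; the device names and the list of sensitive paths are assumptions) and reports which paths end up on a mount with no dm-crypt layer anywhere beneath it.

```python
import json

# Constructed output in the shape of `lsblk -J -o NAME,TYPE,MOUNTPOINT` for the
# layout debated in the thread: one NVMe disk, plaintext LVM for /, and only the
# home LV wrapped in dm-crypt (device names are assumed, not taken from the thread).
SAMPLE_LSBLK = json.dumps({"blockdevices": [{"name": "nvme0n1", "type": "disk", "children": [
    {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "mountpoint": "/boot"},
    {"name": "nvme0n1p3", "type": "part", "children": [
        {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
        {"name": "vg-home", "type": "lvm", "children": [
            {"name": "home_crypt", "type": "crypt", "mountpoint": "/home"}]}]}]}]})

# Locations the reply names as sensitive even though they live outside /home (assumed list).
SENSITIVE_PATHS = ["/etc/ssh/ssh_host_ed25519_key", "/var/lib", "/home/alice", "/boot/efi"]

def mount_encryption_map(lsblk_json):
    """Map each mountpoint to True when a dm-crypt layer sits anywhere in its device chain."""
    mounts = {}

    def walk(dev, encrypted):
        encrypted = encrypted or dev.get("type") == "crypt"
        if dev.get("mountpoint"):
            mounts[dev["mountpoint"]] = encrypted
        for child in dev.get("children", []):
            walk(child, encrypted)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return mounts

def backing_mount(path, mounts):
    """Longest mountpoint that is a whole-component prefix of path (/boot must not match /bootstrap)."""
    best = "/"
    for mp in mounts:
        if mp != "/" and (path == mp or path.startswith(mp + "/")) and len(mp) > len(best):
            best = mp
    return best

def audit(lsblk_json, paths):
    """Return (path, mountpoint, encrypted) per path; encrypted=False means it sits in plaintext."""
    mounts = mount_encryption_map(lsblk_json)
    return [(p, mp, mounts.get(mp, False)) for p in paths for mp in [backing_mount(p, mounts)]]

if __name__ == "__main__":
    for path, mp, enc in audit(SAMPLE_LSBLK, SENSITIVE_PATHS):
        print(f"{'encrypted' if enc else 'PLAINTEXT'}  {path:32} (mounted via {mp})")
```

On the sample layout only /home/alice comes back encrypted; the host key under /etc and everything under /var land on the plaintext root LV, which is exactly the gap the reply describes.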