unofficial mirror of help-guix@gnu.org 
From: Benjamin Slade <beoram@gmail.com>
To: "Clément Lassieur" <clement@lassieur.org>
Cc: help-guix@gnu.org
Subject: Re: LUKS-encrypted root and unencrypted /boot ?
Date: Sat, 04 Aug 2018 15:14:15 -0600
Message-ID: <87zhy125so.fsf@jnanam.net>
In-Reply-To: <87va8qi14v.fsf@lassieur.org>

 > > Thanks, I'll look into that. For the moment I've just switched to
 > > having an unencrypted root and encrypted /home partition (where the
 > > swapfile also lives),

 > > ...which seems to me better from a security standpoint (I can
 > > use --iter 500, sha512, &c. without an issue).

 > But it's easier to put malware in an unencrypted root ;)

That's true, but if someone has the time/access to be putting malware in
the unencrypted root of a GuixSD install (will they know to put things
in /gnu/store ?) they could also install physical keyloggers and so on
(perhaps more efficiently). So while I'd prefer to have the whole thing
encrypted, realistically I'm mainly protecting my personal data if it's
stolen/taken from me (as long as it's off, that is).

--
Benjamin Slade - https://babbagefiles.xyz
  `(pgp_fp: ,(21BA 2AE1 28F6 DF36 110A 0E9C A320 BBE8 2B52 EE19))
    '(sent by mu4e on Emacs running under GNU/Linux . https://gnu.org )
       `(Choose Linux ,(Choose Freedom) . https://linux.com )
