From mboxrd@z Thu Jan 1 00:00:00 1970
From: Benjamin Slade
Subject: Re: LUKS-encrypted root and unencrypted /boot ?
Date: Sat, 04 Aug 2018 15:14:15 -0600
Message-ID: <87zhy125so.fsf@jnanam.net>
In-reply-to: <87va8qi14v.fsf@lassieur.org>
To: Clément Lassieur
Cc: help-guix@gnu.org

> > Thanks, I'll look into that. For the moment I've just switched to
> > having an unencrypted root and encrypted /home partition (where the
> > swapfile also lives),
> > ...which seems to me better from a security standpoint (I can
> > use --iter 500, sha512, &c. without an issue).

> But it's easier to put a malware in an unencrypted root ;)

That's true, but if someone has the time/access to be putting malware in
the unencrypted root of a GuixSD install (will they know to put things
in /gnu/store ?) they could also install physical keyloggers and so on
(perhaps more efficiently).

So while I'd prefer to have the whole thing encrypted, realistically I'm
mainly protecting my personal data if it's stolen/taken from me (as long
as it's off, that is).

--
Benjamin Slade - https://babbagefiles.xyz
  `(pgp_fp: ,(21BA 2AE1 28F6 DF36 110A 0E9C A320 BBE8 2B52 EE19))
    '(sent by mu4e on Emacs running under GNU/Linux . https://gnu.org )
       `(Choose Linux ,(Choose Freedom) . https://linux.com )