On Thu, Dec 6, 2018 at 11:05 PM, Chris Murphy <lists(a)colorremedies.com> wrote:
> Gotcha - thanks. Yes that makes complete sense for the IoT, embedded,
> kiosk use cases.

Use cases which are not of any interest to Workstation. :P Of course
Workstation is a product for consumer desktops and laptops. And the
security model for disk encryption is lost or stolen laptop (or
unauthorized physical access to desktop).

But most of / is not sensitive data on Workstation. We are only
concerned with encrypting possibly-sensitive data. That's /home, /tmp
(tmpfs, no worries there), portions of /var, maybe bits of /etc, and
swap. We don't necessarily need to encrypt the whole thing with a
passphrase like our current LUKS setup. Giving up on /etc is probably
reasonable as we don't need to have perfect security, just good enough
security. But stuff like system journal in /var could be problematic.
Michael