
Bug#743058: rationale



> As a cherry on top of this cake, we would also be very happy to
> understand why a non-encrypted swap device on a hardware-encrypted
> disk is good enough while it is not for other partitions.

Every partition can potentially have different security requirements.
Software encryption is useful for compartmentalization.

Hardware FDE may alone be suitable for some partitions, which may have
no additional software encryption, while other partitions have
varying degrees of sensitivity.  A very sensitive partition is
unmounted most of the time, and mounted only on an as-needed basis.
And when it is mounted, swapping is disabled, in which case swap
encryption is moot.

Alternatively, clear swapping may be used while an encrypted partition
is mounted, but the swap is then zero-filled afterwards.

These use cases cannot be predicted by the installer.  The installer
should not nanny expert admins.  In expert mode, all mandates should
become /advice/.

