Bug#652011: general: Repeated pattern of FHS violation: Dependencies of /sbin and /bin, belong in /lib
On Wed, 14 Dec 2011, Roger Leigh wrote:
> The same argument applies to encryption. / and /usr both contain a
> selection of programs, libraries etc. If you're encrypting one, why
> would you not encrypt all of it?

On one of my relatively low-power portable systems, I have everything
encrypted except /boot and /usr. /boot for obvious reasons; /usr because
decryption is heavily CPU-bound, making encrypted /usr unworkably slow.
Since encryption is for privacy reasons, I need encrypted / because of
/etc. (And encrypted /home and /var of course.)

Indeed, this means that programs in /bin and libs in /lib are also
encrypted. But this actually does _not_ slow things down: the Linux disk
cache is sensibly caching the decrypted data, so often-used stuff from
/bin and /lib happily remains in already-decrypted cache. The interesting
stuff from /usr is generally too large and too seldom used to remain

So I'd say "preferably not" move /bin and /lib to /usr; but I'd say
"absolutely definitely not" move /usr/bin and /usr/lib to /.

(Well, in the latter case: unless you make sure that /bin and /lib are
actually mountable separately. But that would really defeat the purpose.)