[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: systemd - suggestions for the next version

On Nov 03, Simon McVittie <smcv@debian.org> wrote:

> On 03/11/14 14:36, Hans wrote:
> > My system has /, /boot, /home, /usr and /var on seperated partitions.
> > The partitions /home, /usr and /var are luks-encrypted.
> Encrypting '/usr' but not '/' doesn't make a great deal of sense; '/'
> contains critical system libraries (in /lib), system account details,
> the ssh host key etc. (in /etc), and so on.
> > I guess, many people after Snowden are using similar profiles than mine and I 
> > think, you do not expect all the computers in the world to be repartitioned.
> I don't think either systemd upstream, or the systemd package in Debian,
> is likely to support your specific setup, because it's complicated and
> specific to you. However, someone (perhaps you) could write code that
> hooks into existing infrastructure to do what you want, and someone
> (perhaps the same person, perhaps you) could maintain that in Debian.
> If you want things to happen before systemd starts, the place to do that
> is in an initramfs hook (/usr/share/initramfs-tools on Debian).
> I know you don't want to repartition, but here is what I'd suggest for
> anyone else in your situation, on any computer that only has one
> physical disk:

> - optionally, a small unencrypted recovery system (like a small
>   Debian installation, or grml) for when things go horribly wrong
I like to keep advertising over and over the awesome grml-rescueboot 
package which automatically provides in GRUB a copy of the awesome GRML 
live CD for rescue purposes.

> Separating /, /home, /usr, /var is of limited use these days. I'd just
> encrypt them all and be done with it (and that's what I use on my own
> laptop).
Agreed, with modern Debian (even without systemd) you can easily keep 
everything but /boot encrypted.


Attachment: signature.asc
Description: Digital signature

Reply to: