On Nov 03, Simon McVittie <smcv@debian.org> wrote: > On 03/11/14 14:36, Hans wrote: > > My system has /, /boot, /home, /usr and /var on seperated partitions. > > The partitions /home, /usr and /var are luks-encrypted. > > Encrypting '/usr' but not '/' doesn't make a great deal of sense; '/' > contains critical system libraries (in /lib), system account details, > the ssh host key etc. (in /etc), and so on. > > > I guess, many people after Snowden are using similar profiles than mine and I > > think, you do not expect all the computers in the world to be repartitioned. > > I don't think either systemd upstream, or the systemd package in Debian, > is likely to support your specific setup, because it's complicated and > specific to you. However, someone (perhaps you) could write code that > hooks into existing infrastructure to do what you want, and someone > (perhaps the same person, perhaps you) could maintain that in Debian. > > If you want things to happen before systemd starts, the place to do that > is in an initramfs hook (/usr/share/initramfs-tools on Debian). > > I know you don't want to repartition, but here is what I'd suggest for > anyone else in your situation, on any computer that only has one > physical disk: > > - optionally, a small unencrypted recovery system (like a small > Debian installation, or grml) for when things go horribly wrong I like to keep advertising over and over the awesome grml-rescueboot package which automatically provides in GRUB a copy of the awesome GRML live CD for rescue purposes. > Separating /, /home, /usr, /var is of limited use these days. I'd just > encrypt them all and be done with it (and that's what I use on my own > laptop). Agreed, with modern Debian (even without systemd) you can easily keep everything but /boot encrypted. -- ciao, Marco
Attachment:
signature.asc
Description: Digital signature