Re: systemd - suggestions for the next version
On 03/11/14 14:36, Hans wrote:
> My system has /, /boot, /home, /usr and /var on seperated partitions.
> The partitions /home, /usr and /var are luks-encrypted.
Encrypting '/usr' but not '/' doesn't make a great deal of sense; '/'
contains critical system libraries (in /lib), system account details,
the ssh host key etc. (in /etc), and so on.
> I guess, many people after Snowden are using similar profiles than mine and I
> think, you do not expect all the computers in the world to be repartitioned.
I don't think either systemd upstream, or the systemd package in Debian,
is likely to support your specific setup, because it's complicated and
specific to you. However, someone (perhaps you) could write code that
hooks into existing infrastructure to do what you want, and someone
(perhaps the same person, perhaps you) could maintain that in Debian.
If you want things to happen before systemd starts, the place to do that
is in an initramfs hook (/usr/share/initramfs-tools on Debian).
I know you don't want to repartition, but here is what I'd suggest for
anyone else in your situation, on any computer that only has one
physical disk:
- small unencrypted /boot
- optionally, a small unencrypted recovery system (like a small
Debian installation, or grml) for when things go horribly wrong
- large encrypted volume filling the rest of the disk, containing...
- an LVM physical volume, containing...
- swap
- root filesystem (including /home /usr /var /srv etc.)
If there are multiple disks, the second and subsequent disks could
either be a RAID array, or contain additional encrypted LVM PVs.
Separating /, /home, /usr, /var is of limited use these days. I'd just
encrypt them all and be done with it (and that's what I use on my own
laptop).
S
Reply to: