Re: Unlock LUKS with login/password

To: debian-devel@lists.debian.org
Subject: Re: Unlock LUKS with login/password
From: Russ Allbery <rra@debian.org>
Date: Thu, 09 Mar 2023 10:49:03 -0800
Message-id: <[🔎] 87bkl1g3q8.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 20230309131957.fiyvfvkah2atpifc@yuggoth.org> (Jeremy Stanley's message of "Thu, 9 Mar 2023 13:19:58 +0000")
References: <[🔎] CAO1Zr+rqjpp75qm5U2JYM9uqffa6LHzqZWGrNMpbpAgrFWx1xw@mail.gmail.com> <[🔎] ZAjYalKAs1Iuilp+@bongo.bofh.it> <[🔎] f6ee39ad858a6b450ca8400437a16239c0b88292.camel@posteo.de> <[🔎] 20230309131957.fiyvfvkah2atpifc@yuggoth.org>

Jeremy Stanley <fungi@yuggoth.org> writes:

> Disk encryption is great (when properly implemented) to protect
> sensitive information on your machine from prying eyes if it gets
> stolen, but unless you're putting sensitive data in /boot why go to the
> added trouble of encrypting it?

I think this is the key point: you should not be putting sensitive data in
/boot, and this is generally always avoidable (and architecturally better
to put it elsewhere).

I have put sensitive data in /boot in the past because reasons, so it's
not strictly true there is *never* a benefit, but I agree that this wasn't
a great architecture and there were better ways to do it.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>

Reply to:

References:
- Unlock LUKS with login/password
  - From: Alexey Kuznetsov <kuznetsov.alexey@gmail.com>
- Re: Unlock LUKS with login/password
  - From: Marco d'Itri <md@Linux.IT>
- Re: Unlock LUKS with login/password
  - From: Stephan Verbücheln <verbuecheln@posteo.de>
- Re: Unlock LUKS with login/password
  - From: Jeremy Stanley <fungi@yuggoth.org>

Prev by Date: Re: Bug#995189: RFH: isc-dhcp
Next by Date: Bug#1032606: ITP: etlcpp -- Embedded template library: a C++ template library for embedded applications
Previous by thread: Re: Unlock LUKS with login/password
Next by thread: Re: Unlock LUKS with login/password
Index(es):
- Date
- Thread