On Mon, Dec 04, 2017 at 12:19:07PM -0500, rhkramer@gmail.com wrote:
> This is somewhat OT, but I just thought I'd mention: I keep my computer up (almost) all the time, but, for security, I mount (and then umount) my encrypted disk partitions only when needed. (To make it easier for myself, I wrote a few (primitive) (bash) scripts to help. Of course, the passwords are not in the scripts, but the script / LUKS prompts me for the passwords when required.)

If you do not encrypt everything, you must be prepared to carefully partition what data goes where and hope that neither you nor the software you run make a mistake. For most people, it's safer to just encrypt everything. There is some good support for remote unlocking in the initramfs stage now which makes this a little easier: install dropbear and configure authorized_keys etc. in /etc/initramfs-tools, then rebuild the initramfs. There are still some improvements that could be made here. (I have to check my own page describing my NAS setup whenever I reboot to remember which fifo to write the passphrase to: https://jmtd.net/hardware/phobos/#index6h3)

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄⠀⠀⠀⠀ Please do not CC me, I am subscribed to the list.
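
The authorized_keys step of the initramfs setup described above, as an added example that is not part of the original message: a POSIX shell function that stages a public key for dropbear and refuses private key material, since the initramfs is normally stored unencrypted. The function name, `CONF_DIR`, `KEY_OPTS` and the accepted key types are assumptions of this example; the exact authorized_keys location differs between Debian releases.

```shell
#!/bin/sh
# Added example: stage an SSH public key for dropbear in the initramfs.
# CONF_DIR is an assumption; check where your release expects authorized_keys.
CONF_DIR="${CONF_DIR:-/etc/initramfs-tools/root/.ssh}"
# Restrictions placed in front of the key: no forwarding of any kind.
KEY_OPTS='no-port-forwarding,no-agent-forwarding,no-X11-forwarding'

# stage_unlock_key PUBKEY_FILE
# Returns 0 on success, 1 on an I/O problem, 2 if the input is not a public key.
stage_unlock_key() {
    pub="$1"
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Anything copied into the initramfs is readable without the passphrase,
    # so refuse input that looks like a private key.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub contains a private key; refusing" >&2
        return 2
    fi

    # Take the first line that starts with a recognised public key type.
    key=$(grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) ' "$pub" | head -n 1)
    [ -n "$key" ] || { echo "no public key found in $pub" >&2; return 2; }

    old_umask=$(umask)
    umask 077                       # directory and file are owner-only
    mkdir -p "$CONF_DIR" && {
        # Append only if the key is not already listed (safe to re-run).
        grep -qF -- "$key" "$CONF_DIR/authorized_keys" 2>/dev/null ||
            printf '%s %s\n' "$KEY_OPTS" "$key" >> "$CONF_DIR/authorized_keys"
    }
    rc=$?
    umask "$old_umask"
    return "$rc"
}

# Remaining steps from the message, run as root once the key is staged:
#   install dropbear, then rebuild the initramfs with: update-initramfs -u
```
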