On 03/11/14 14:36, Hans wrote:
> My system has /, /boot, /home, /usr and /var on separated partitions.
> The partitions /home, /usr and /var are luks-encrypted.

Encrypting '/usr' but not '/' doesn't make a great deal of sense; '/' contains critical system libraries (in /lib), system account details, the ssh host key etc. (in /etc), and so on.

> I guess, many people after Snowden are using similar profiles to mine and I
> think, you do not expect all the computers in the world to be repartitioned.

I don't think either systemd upstream, or the systemd package in Debian, is likely to support your specific setup, because it's complicated and specific to you. However, someone (perhaps you) could write code that hooks into existing infrastructure to do what you want, and someone (perhaps the same person, perhaps you) could maintain that in Debian.

If you want things to happen before systemd starts, the place to do that is in an initramfs hook (/usr/share/initramfs-tools on Debian).

I know you don't want to repartition, but here is what I'd suggest for anyone else in your situation, on any computer that only has one physical disk:

- small unencrypted /boot
- optionally, a small unencrypted recovery system (like a small Debian installation, or grml) for when things go horribly wrong
- large encrypted volume filling the rest of the disk, containing...
  - an LVM physical volume, containing...
    - swap
    - root filesystem (including /home /usr /var /srv etc.)

If there are multiple disks, the second and subsequent disks could either be a RAID array, or contain additional encrypted LVM PVs.

Separating /, /home, /usr, /var is of limited use these days. I'd just encrypt them all and be done with it (and that's what I use on my own laptop).

S

--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/5457b8e1.6090...@debian.org
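As an added example, not part of this thread or of Debian's tooling, here is a small POSIX shell audit of the block stack that flags the mixed layout the reply argues against (encrypted /usr, /var or /home under a plaintext /). It assumes the `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` output format and runs on two constructed samples rather than a live system.

```shell
# Constructed lsblk -P output modelling the layout from the mail: /boot and /
# on plain partitions, /home and /usr on LUKS mappings (dm-crypt, TYPE=crypt).
MIXED_LAYOUT='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
NAME="sda3" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="home_crypt" TYPE="crypt" MOUNTPOINT="/home" PKNAME="sda3"
NAME="sda4" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="usr_crypt" TYPE="crypt" MOUNTPOINT="/usr" PKNAME="sda4"'
# Constructed sample of the suggested layout: one LUKS volume holding an LVM PV
# with swap and the whole root filesystem inside it.
LUKS_LVM_LAYOUT='NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="" PKNAME="sda"
NAME="sda2_crypt" TYPE="crypt" MOUNTPOINT="" PKNAME="sda2"
NAME="vg-swap" TYPE="lvm" MOUNTPOINT="[SWAP]" PKNAME="sda2_crypt"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="sda2_crypt"'
# encrypted_mounts LSBLK_TEXT: prints "<mountpoint> yes|no" per mounted
# filesystem; "yes" when a crypt device sits anywhere below it (PKNAME chain).
encrypted_mounts() {
    printf '%s\n' "$1" | awk '{
        name = type = mp = parent = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "="); val = kv[2]; gsub(/"/, "", val)
            if (kv[1] == "NAME") name = val
            else if (kv[1] == "TYPE") type = val
            else if (kv[1] == "MOUNTPOINT") mp = val
            else if (kv[1] == "PKNAME") parent = val
        }
        types[name] = type; parents[name] = parent
        if (mp != "") mounts[name] = mp
    } END {
        for (n in mounts) {
            enc = "no"
            for (d = n; d != ""; d = parents[d]) if (types[d] == "crypt") enc = "yes"
            print mounts[n], enc
        }
    }' | sort
}
# layout_warning LSBLK_TEXT: returns 1 (printing why) when / is unencrypted but
# /usr, /var or /home is, which leaves /lib and /etc (ssh host key) in plaintext.
layout_warning() {
    table=$(encrypted_mounts "$1")
    root_enc=$(printf '%s\n' "$table" | awk '$1 == "/" { print $2 }')
    others=$(printf '%s\n' "$table" | awk '$2 == "yes" && $1 ~ /^\/(usr|var|home)$/ { print $1 }')
    if [ "$root_enc" = "no" ] && [ -n "$others" ]; then
        echo "WARNING: / is unencrypted while these are: $(printf '%s' "$others" | tr '\n' ' ')"
        echo "  /lib and /etc (accounts, ssh host keys) live on the plaintext root"
        return 1
    fi
    return 0
}
```

On a real machine, feed it `"$(lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME)"` instead of the constructed samples.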