On Fri, Dec 06, 2019 at 07:58:07PM -0700, John M. Harris Jr wrote:
> Encrypting $HOME would certainly be "an incremental improvement", but it
> shouldn't be done unless the user chooses to do it, and it probably shouldn't
> be done using the same passphrase they use for their user account. That
> should be up to the user to decide, of course. If they want to use the same
> passphrase, far be it from me to attempt to stop them.

This could be quite dangerous - encrypting $HOME without encrypting the
whole system could lead to a false sense of security - if this is to be
enabled the user should be explicitly warned that the system will be
unencrypted if OS encryption is not enabled too.

When encrypting both the OS and $HOME this could be an improvement, as
this would disallow forcing access to user data on request (e.g. access
by system administrator without informing users).
Access without user consent would require preparation and system
modification, which is a higher barrier.

Encrypting $HOME only should, as far as I can see, be enough to comply
with GDPR regulations, but this only covers device loss, not more
advanced attacks.

All the best,
David

_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org