On Thu, May 25, 2017 at 7:04 AM, Kai Krakow <hurikha...@gmail.com> wrote:
> On Thu, 25 May 2017 08:34:10 +0200, "J. Roeleveld" <jo...@antarean.org> wrote:
>
>> It is possible. I have it set up like that on my laptop.
>> Apart from a small /boot partition. The whole drive is encrypted.
>> Decryption keys are stored encrypted in the initramfs, which is
>> embedded in the kernel.
>
> And the kernel is on /boot which is unencrypted, so are your encryption
> keys. This is not much better, I guess...
>

Agree.  There are only a few ways to do persistent encryption in a secure way:
1.  Require entry of a key during boot, protected by lots of rounds to deter brute force.
2.  Store the key on some kind of hardware token that the user keeps on their person.
3.  Store the key in a TPM, protected either by:
   a. entry of a PIN/password of some sort with protections on attempt frequency/total
   b. verification of the boot path (which should be possible with existing software on Linux, but I'm not aware of any distro that actually implements this)

If you don't have hibernation then you can just generate a random key
on boot, and that is very secure, but your swap is unrecoverable after
power-off.

Of the options above, 3b is the only one that really lets you do this
with the same level of convenience.  This is how most full-drive
encryption solutions work in the Windows world.  Chromebooks use a
variation on 3a, I believe, using your Google account password as one
component of the key and putting it through the TPM to have a hardware
component and to throttle attempts.

-- 
Rich
