Previously on this list Giancarlo Razzolini contributed:

> I prefer to have /etc and everything else encrypted. If not, I would have to move lots of configuration files to the encrypted partition, not to mention that it would be very error prone.
You can always use symlinks or mount encrypted partitions into, say, /etc/ssl. I believe the original Absolute OpenBSD book mentioned you couldn't have /etc on its own partition, and I guess it must be on root for the boot of /etc/rc, but I would also guess you could mount over the top before starting sensitive data handling services. You would just need to keep them in sync when upgrading the system, and thankfully OpenBSD's startup is rather neat and can be handled with comparatively little trouble. Though I can understand the FDE approach for Linux due to its rather, and pointlessly (IMO), complex boot.

It seems to me you are going to a lot of effort to achieve little but a slower system with less entropy, aiding cryptanalysis a little due to predictable data, when all you really need is a bit of scripting or consideration of how you can most conveniently and best protect what you need to. Encrypting logs is no chicken-and-egg problem and very straightforward.

--
_______________________________________________________________________
'Write programs that do one thing and do it well. Write programs to work together. Write programs to handle text streams, because that is a universal interface' (Doug McIlroy)
In Other Words - Don't design like polkit or systemd
_______________________________________________________________________
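An rc.local-style sketch of the mount-over-/etc/ssl approach described in the reply above, as an added example that is not part of the original post: it attaches a softraid crypto volume with bioctl(8), mounts it over /etc/ssl, and only then starts the service that needs the keys. The chunk and keydisk device names, the mount point and the httpd service are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): attach a softraid CRYPTO
# volume and mount it over /etc/ssl before a key-using service starts.
# Device names, mount point and service name below are assumptions.
set -eu

SOFTRAID_CHUNK="${SOFTRAID_CHUNK:-/dev/sd1a}"   # assumed encrypted chunk
KEYDISK="${KEYDISK:-/dev/sd2a}"                 # assumed keydisk partition
MOUNTPOINT="${MOUNTPOINT:-/etc/ssl}"

# True when the path is currently a mount point, judged from mount(8)'s
# "device on mountpoint type fs" lines (same shape on OpenBSD and Linux).
is_mounted() {
    mount | awk -v mp="$1" '$3 == mp { found = 1 } END { exit !found }'
}

# Extract the volume name from bioctl's attach message, which reads like
# "softraid0: CRYPTO volume attached as sd3". Prints nothing on no match.
volume_from_bioctl() {
    printf '%s\n' "$1" | sed -n 's/.*attached as \(sd[0-9]*\).*/\1/p'
}

# Attach the crypto volume and mount its 'a' partition over the mount
# point; fail loudly if the mount did not happen so the service never
# starts against the unencrypted, possibly stale, copy underneath.
attach_and_mount() {
    if is_mounted "$MOUNTPOINT"; then
        echo "$MOUNTPOINT already mounted, nothing to do"
        return 0
    fi
    out=$(bioctl -c C -k "$KEYDISK" -l "$SOFTRAID_CHUNK" softraid0 2>&1)
    vol=$(volume_from_bioctl "$out")
    if [ -z "$vol" ]; then
        echo "bioctl did not attach a volume: $out" >&2
        return 1
    fi
    mount -o nodev,nosuid,noexec "/dev/${vol}a" "$MOUNTPOINT"
    is_mounted "$MOUNTPOINT"
}

# Only touch disks when invoked as "run" (e.g. from /etc/rc.local); the
# helpers above can otherwise be sourced and checked without side effects.
if [ "${1:-}" = "run" ]; then
    attach_and_mount && rcctl start httpd   # assumed: httpd reads /etc/ssl
fi
```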