From: ken <gebser@mousecar.com>
Date: Mon, 22 Mar 2021 20:35:26 +0000
To: dm-crypt@saout.de, Arno Wagner
In-Reply-To: <20210322035713.GA13798@tansi.org>
References: <643D0D27-E48A-4684-88B8-C0EE72B0DE7D@mousecar.com> <20210322035713.GA13798@tansi.org>
Message-ID: <9ED15806-6FD3-4BE9-9B33-4C4BF67FB2D1@mousecar.com>
Subject: [dm-crypt] What to encrypt and why (was: Using dm-crypt: whole disk encryption

On March 22, 2021 3:57:13 AM UTC, Arno Wagner wrote:
>To do that you need to boot from an external medium.
>FAQ Section 9 has some information on how to create an
>initrd for an external boot medium.
>
>Regards,
>Arno
>
>
>On Sun, Mar 21, 2021 at 17:13:16 CET, ken wrote:
>> A new laptop is on the way and I'm considering using dm-crypt to
>> secure the whole SSD. I have some basic questions though.
>>
>> Is it possible to encrypt the entire drive, including all the system
>> files?

Thanks for your reply and for the reference to the FAQ. I should have known that the latter probably existed.

While it probably is a very useful kind of configuration for some for a system to have to boot from an external medium, it doesn't sound like something that I want to do. I guess I've been misled by my previous experience with dm-crypt. It must have been about 20 years ago that I set up and for a couple of years used an encrypted system. That system would boot as systems normally do, and I was prompted for a password somewhere along the boot process prior to having to enter my user password. I didn't need an external medium at all. And very recently I very briefly tried out Fedora 33 and clicked a checkbox for disk encryption during the install process, and the boot process was essentially the same, that is, the system would boot, then it would require a password for disk decryption before I could log in. Again, no external medium was required. Your answer, though, was the right one, given my imprecise question.

This brings up larger, but pre-technical questions: what is appropriate to encrypt and why? Given your reply, it seems safe to assume that it's possible to encrypt the boot partition of a system. It's quite possible that I'm missing some reason to do this, but I can't see it. However, I'm not at all conversant with the newer UEFI boot processes, so perhaps there's something to learn there. Reasons for encrypting the OS are more apparent, so I'm fairly certain that would be advisable. I can imagine a sound rationale for encrypting just one part of a person's home directory, but for me the entire /home partition is the absolute minimum. KVM throws another layer of possible confusion into the mix.
At the moment I'm considering encrypting the entire (host) OS and /home partition, and with those all the guest systems, because this seems like the simplest way to go. However, I could be convinced against that plan if I find that performance would be too adversely affected, or for some other possible issues I'm not even aware of. Or maybe it wouldn't be simple at all to do what I'm planning. I don't know at this point.

One specific question I have comes out of the FAQ: What is meant by a container? I'm fairly certain that it could be an entire partition. Anything else? Could one container be comprised of two or more partitions? Can two or more virtual machines constitute one container if they are all on the same partition or within the same logical volume?

Sorry for the long post. If you're looking for more fodder for the FAQ, I obviously have plenty of that. :)
_______________________________________________
dm-crypt mailing list -- dm-crypt@saout.de
To unsubscribe send an email to dm-crypt-leave@saout.de
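Added example, not part of ken's message, the FAQ, or cryptsetup itself: the "container" the FAQ talks about is whatever single block device or file carries a LUKS header at its start, whether that is a partition, an LVM logical volume, a whole disk, or a regular file attached to a loop device. LUKS never spans two partitions by itself; joining partitions is done underneath it (MD RAID or LVM), and what is stored on top of it (a filesystem, another LVM layer, several VM disk images) is invisible to it. The script below makes that concrete by building a raw disk image with one LUKS1 and one LUKS2 header at arbitrary offsets and then locating and describing each container from the header alone, the same way a forensic triage of an image would. The image, UUIDs, label and JSON metadata are constructed sample data; the headers carry no valid digests or checksums, so cryptsetup would reject them, but the byte layout is the real on-disk format.

```python
"""Locate and describe LUKS containers in a raw image by header alone.

Added example, not cryptsetup code. On-disk layouts (integers big-endian):
LUKS1 header, 592 bytes:
  0 magic 6 | 6 version 2 | 8 cipher 32 | 40 mode 32 | 72 hash 32
  104 payload_offset 4 (512-byte sectors) | 108 key_bytes 4 | 112 mk_digest 20
  132 mk_salt 32 | 164 mk_iter 4 | 168 uuid 40 | 208 keyslots 8 x 48
LUKS2 binary header, 4096 bytes, then a NUL-terminated JSON area up to hdr_size:
  0 magic 6 | 6 version 2 | 8 hdr_size 8 | 16 seqid 8 | 24 label 48 | 72 csum_alg 32
  104 salt 64 | 168 uuid 40 | 208 subsystem 48 | 256 hdr_offset 8 | 448 csum 64
"""
import json
import struct

MIB = 1024 * 1024
LUKS_MAGIC = b"LUKS\xba\xbe"             # primary header
LUKS2_SECONDARY_MAGIC = b"SKUL\xba\xbe"  # LUKS2 backup header copy
LUKS1_SLOT_ACTIVE, LUKS1_SLOT_DISABLED = 0x00AC71F3, 0x0000DEAD
LUKS1_HEADER_LEN, LUKS2_BIN_HEADER_LEN = 592, 4096


def _cstr(raw, enc="ascii"):
    """NUL-padded field -> str."""
    return raw.split(b"\0", 1)[0].decode(enc, "replace")


def parse_luks_header(blob):
    """Describe the LUKS header at blob[0]; None if there is no LUKS magic."""
    if len(blob) < 8 or blob[:6] not in (LUKS_MAGIC, LUKS2_SECONDARY_MAGIC):
        return None
    version = struct.unpack(">H", blob[6:8])[0]
    if version == 1 and len(blob) >= LUKS1_HEADER_LEN:
        return _parse_luks1(blob)
    if version == 2 and len(blob) >= LUKS2_BIN_HEADER_LEN:
        return _parse_luks2(blob)
    return {"version": version, "error": "truncated or unsupported header"}


def _parse_luks1(b):
    payload_sectors, key_bytes = struct.unpack(">II", b[104:112])
    active = sum(struct.unpack(">I", b[208 + 48 * i:212 + 48 * i])[0] == LUKS1_SLOT_ACTIVE
                 for i in range(8))
    return {"version": 1,
            "cipher": _cstr(b[8:40]) + "-" + _cstr(b[40:72]),
            "hash": _cstr(b[72:104]),
            "key_bits": key_bytes * 8,
            "payload_offset_bytes": payload_sectors * 512,
            "uuid": _cstr(b[168:208]),
            "active_keyslots": active}


def _parse_luks2(b):
    hdr_size, seqid = struct.unpack(">QQ", b[8:24])
    info = {"version": 2, "hdr_size": hdr_size, "seqid": seqid,
            "label": _cstr(b[24:72]), "checksum_alg": _cstr(b[72:104]),
            "uuid": _cstr(b[168:208]),
            "secondary_header_offset": hdr_size}  # backup copy follows the first
    try:  # keyslots and data segments live in the JSON area, not the binary header
        meta = json.loads(_cstr(b[LUKS2_BIN_HEADER_LEN:hdr_size], "utf-8"))
        info["keyslots"] = len(meta.get("keyslots", {}))
        info["segments"] = {k: v.get("encryption") for k, v in meta.get("segments", {}).items()}
    except ValueError:
        info["json_error"] = True  # JSON area missing from blob or damaged
    return info


def find_luks_containers(image, step=512):
    """Scan sector boundaries for primary LUKS headers; each one starts a container."""
    hits = []
    for off in range(0, len(image) - 8, step):
        if image[off:off + 6] == LUKS_MAGIC:
            hits.append((off, parse_luks_header(image[off:off + 64 * 1024])))
    return hits


# --- constructed sample data: no valid digests or checksums, cryptsetup would reject it ---
def make_luks1_header(cipher=b"aes", mode=b"xts-plain64", hash_=b"sha256",
                      key_bytes=64, active_slots=1):
    h = bytearray(LUKS1_HEADER_LEN)
    h[0:6] = LUKS_MAGIC
    struct.pack_into(">H", h, 6, 1)
    h[8:8 + len(cipher)] = cipher
    h[40:40 + len(mode)] = mode
    h[72:72 + len(hash_)] = hash_
    struct.pack_into(">II", h, 104, 4096, key_bytes)      # payload starts 2 MiB in
    h[168:204] = b"11111111-2222-3333-4444-555555555555"  # sample UUID
    for i in range(8):
        struct.pack_into(">I", h, 208 + 48 * i,
                         LUKS1_SLOT_ACTIVE if i < active_slots else LUKS1_SLOT_DISABLED)
    return bytes(h)


def make_luks2_header(label=b"home", hdr_size=16384):
    h = bytearray(hdr_size)
    h[0:6] = LUKS_MAGIC
    struct.pack_into(">HQQ", h, 6, 2, hdr_size, 1)        # version, hdr_size, seqid
    h[24:24 + len(label)] = label
    h[72:78] = b"sha256"
    h[168:204] = b"aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # sample UUID
    meta = {"keyslots": {"0": {"type": "luks2"}, "1": {"type": "luks2"}},
            "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64",
                               "offset": str(16 * MIB)}}}
    js = json.dumps(meta).encode()
    h[LUKS2_BIN_HEADER_LEN:LUKS2_BIN_HEADER_LEN + len(js)] = js
    return bytes(h)


def build_sample_image():
    """4 MiB image: LUKS1 container at 1 MiB, LUKS2 container at 3 MiB."""
    img = bytearray(4 * MIB)
    l1, l2 = make_luks1_header(), make_luks2_header()
    img[1 * MIB:1 * MIB + len(l1)] = l1
    img[3 * MIB:3 * MIB + len(l2)] = l2
    return bytes(img)


if __name__ == "__main__":
    for off, info in find_luks_containers(build_sample_image()):
        print(f"LUKS{info['version']} container at offset {off}: {info}")
```

On a real system the same information comes from `cryptsetup luksDump <device>` or `blkid -p <device>`, and the point of the scan is that it does not care what the device is: a partition, a logical volume and a loop-mounted file all report identically because the container is defined by the header, not by the thing that holds it.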