From: Maksim Fomin <maxim@fomin.one>
To: "dm-crypt@saout.de" <dm-crypt@saout.de>
Subject: [dm-crypt] Re: What to encrypt and why (was: Using dm-crypt: whole disk encryption
Date: Tue, 23 Mar 2021 04:00:09 +0000
Message-ID: <MMuMcPKXXL5JDZ2zMLuv3-VYyI8lP6MtM8VaWh7SiCN3mQiDFG7DNuRq4FWwKlqxDBC9e44HXUD-HmS3RaQninP9Bl4oM57J1moUY6IRfSc=@fomin.one>
In-Reply-To: <CA+3G=9h9HdnimHA5ypKdD-dA-P4enF9+K1=_sjEdZgwv-2Z0Lw@mail.gmail.com>


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, March 22, 2021 9:58 PM, Johnny Dahlberg <svartchimpans@gmail.com> wrote:

> On Mon, 22 Mar 2021 at 22:27, Maksim Fomin <maxim@fomin.one> wrote:
>
>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> On Monday, March 22, 2021 8:50 PM, Johnny Dahlberg <svartchimpans@gmail.com> wrote:
>>
>>> As for whether to use UEFI boot or not: Yes. Use it. It's way more robust than MBR boot methods. Don't be afraid to research what systemd-boot is, if you want to know. Or just enable UEFI in your BIOS (it's most likely on by default on your new laptop) and just install the OS and it'll automatically use UEFI.
>>>
>>> As for what to encrypt:
>>>
>>> /boot/efi = No. It must be unencrypted to be able to boot. But it only contains your bootloader, kernel and initramfs which is what sets up the decryption environment.
>>>
>>> / (root) = Yes. All of it will be encrypted with your passphrase.
>>>
>>> As for having a separate /home partition: Don't bother. It makes no sense at all and just creates hassle when you inevitably run out of space in either / or /home. There are no benefits to a separate home directory. None. People think it makes OS reinstalls or distro hopping easier. Nope it doesn't. If you have a unified partition, you simply have to boot any random liveCD and delete everything except the /home folder, and then install your OS on the same partition without formatting it, and voila you've kept /home without tediously separating it.
>>>
>>> If you wanna check out the distro I recommended in the longer answer about full disk encryption, you even have a "Refresh Install" feature in the installer, which deletes everything except /home and reinstalls the OS. That's another fantastically easy option. :-)
>>>
>>> -- Johnny
>>
>> 2. Having separate /home partition has several benefits: if root fs is damaged, the home partition is left intact. Also, depending on fs type, its configuration and partition size io operations can be faster on smaller partitions than on a big one.
>> 3. There are tools like lvm or fs subvolumes which make the choice between single or separate partition redundant. For example, lvm allows to share single partition space for several virtual partitions (they are fs independent - if one fs is damaged, others are still ok). Some fs allow to have subvolumes which also share space (but they are fs dependent, so if fs is damaged all its subvolumes are also damaged).
>
> Hi Maksim! :-)
>
> "if root fs is damaged, the home partition is left intact."
>
> I disagree. If we're talking general filesystem corruption, that's equally likely to happen to the home partition. And in both cases it's just minor stuff like corruption from a loss of power during write. All of which is fixable with a simple filesystem check/repair command.
>
> The other kind of corruption, which is physical corruption of the storage medium, is also equally likely to happen to *any* partition.
>
> The final kind, which is software induced data loss such as "rm -rf /", will likewise destroy the home partition too.
>
> So corruption isn't a reason to separate partitions.
>
> "depending on fs type, its configuration and partition size io operations can be faster on smaller partitions than on a big one."
>
> What are you referring to here? The speed of formatting a brand new filesystem? That's a do-it-once-and-keep-it-for-years operation and I would think it's silly to worry about that initial formatting. Which usually takes mere seconds in quick format mode. It's not a reason to separate partitions.
>
> Best Regards,
>
> -- Johnny

Nevertheless, when corruption happens (for example, power failure, RAM bit flip), there are higher chances to have only one out of two fs damaged. Regarding faster io operation - I didn't mean formatting, but a general case. In my experience a 2 TB partition works in both ext4/btrfs visibly slower than 40 GB root partitions, especially on mounting, because when a partition is 5TB, the fs checks more data structures during mount. Anyway, claims like 'There are no benefits to a separate home directory' should be provided with care because the choice depends on many circumstances. In addition, such discussion is not related to dm-crypt.

Best regards,
Maxim Fomin
