Similar disadvantages as #Encrypted boot partition (GRUB). Similar advantages as #Encrypted boot partition (GRUB). Shows how to encrypt a Btrfs system, including the /boot directory, also adding a partition for swap, on UEFI hardware. Same disadvantages as the scenario the installation is based on (LVM on LUKS for this particular example). the boot loader and the EFI system partition, if present Same advantages as the scenario the installation is based on (LVM on LUKS for this particular example). 
This scenario also employs an EFI system partition, which may be applied to the other scenarios. Shows how to encrypt the boot partition using the GRUB bootloader.
Single encryption key and no option to change it. High care to all encryption parameters is required. Data resilience for cases where a LUKS header may be damaged. This scenario also employs USB devices for /boot and key storage, which may be applied to the other scenarios. without a LUKS header and its options for multiple keys. Slower boot time each encrypted LV must be unlocked seperately. Complex changing volumes requires changing encryption mappers too. Easy mix of un-/encrypted volume groups. 
LVM can be used to have encrypted volumes span multiple disks. Uses dm-crypt only after the LVM is setup. Less useful, if a singular volume should receive a separate key. LVM adds an additional mapping layer and hook. Easiest method to allow suspension to disk. Volume layout not transparent when locked. Only one key required to unlock all volumes (e.g. Simple partitioning with knowledge of LVM. Inflexible disk-space to be encrypted has to be pre-allocatedĪchieves partitioning flexibility by using LVM inside a single LUKS encrypted partition. On a GPT partitioned disk, systemd can auto-mount the root partition. Shows a basic and straightforward set-up for a fully LUKS encrypted root. Furthermore, an encrypted root filesystem makes tampering with the system far more difficult, as everything except the boot loader and (usually) the kernel is encrypted.Īll scenarios illustrated in the following share these advantages, other pros and cons differentiating them are summarized below: Unlike selectively encrypting non-root filesystems, an encrypted root filesystem can conceal information such as which programs are installed, the usernames of all user accounts, and common data-leakage vectors such as mlocate and /var/log/. Securing a root filesystem is where dm-crypt excels, feature and performance-wise. 7.5 Avoiding having to enter the passphrase twice.
0 kommentar(er)
