OpenSUSE Expanding Encryption Options For Its Installer

  • OpenSUSE Expanding Encryption Options For Its Installer

    Phoronix: OpenSUSE Expanding Encryption Options For Its Installer

    While Ubuntu developers are busy adding experimental ZFS support to their installer, the SUSE developers working on their YaST installer are working on offering better security options for their platform by beefing up the encryption capabilities at install-time...

    http://www.phoronix.com/scan.php?pag...nstall-Encrypt

  • #2
    Michael
    SUSE is also exploring adding other encryption options -- including general support for LUKS2 over LUKS1
    Can you change the word "over" to "instead of"? "LUKS2 over LUKS1" made me think they were working on some sort of compat layer to get around the GRUB2/LUKS2 limitations.

    Anyhoo, I wonder if that encrypted swap stuff applies to zram/zswap. A quick ctrl+f didn't find any mention of those.



    • #3
      I've actually encrypted swap with that "random keys on every boot" option. It wasn't working properly though, because systemd was doing this silly auto-detect thing and trying to mount it as a normal swap partition. I got it working now after disabling that systemd feature for that partition.

      I don't remember if I enabled zram and zswap, got to check. I don't think there will be any problems though.



      • #4
        More stuff only nerds care about. How about make encryption usable. Use TPM unlock without messing around in dracut and shit, and the user literally won't even notice encryption's present. As it should be.



        • #5
          Originally posted by anarki2
          More stuff only nerds care about. How about make encryption usable. Use TPM unlock without messing around in dracut and shit, and the user literally won't even notice encryption's present. As it should be.



          • #6
            In a parallel topic, what about zypper downloads? I presume that each downloaded item is signed, but if not already, should that download be done using SSH? (Avoids a man-in-the-middle attack where, in a download session, a signed module could be substituted.)



            • #7
              Originally posted by lsatenstein
              In a parallel topic, What about zypper downloads. I presume that each downloaded item is signed
              Yes it is.

              should that download be done using SSH? (Avoids man in the middle attack where, in a download session, a signed module could be substituted
              If someone can sign packages with the maintainer key, they have stolen that key or taken control of the build infrastructure.

              If that happened, SSH won't help you much.



              • #8
                I hope they make encryption setups faster at decrypting during boot... it takes a long time after I give password and hit enter...
