encrypted rootfs vs suspend/resume
So one of the things people have been wanting for a while is an encryted root filesystem.
Now this isn't some sort of security saviour and I was just chatting to a few people on irc and realised the pain we need to go through to actually make it secure and useable in the face of other things.
Scenario: You have a laptop, you want to "secure", you use an encrypted rootfs because the forums told you to. Now Linux suspend/resume support gets good enough that you don't ever reboot. So when the laptop is suspended where are they encryption keys?
oh they are in the RAM? oh thats nice. Even when the laptop is resumed, where are they? oh look a screensaver is stopping me from logging in.
Solution: remove enc keys on suspend - ask the user for them again on resume. - sounds easy.
How do we ask for the keys then?
Currently in Fedora we plan to ask for the keys in the initrd. This works fine if you are using an English based language and keyboard. What happens if you want to use some of your own language like Chinese. Oh you want input methods so you can type that in do you? Oh we need X. Oh lets put X in the initrd. Oh lets migrate lots of the supporting bits into the initrd. Hey wait a minute half my encrypted root is now in an unencrypted initrd. WELCOME TO DRINKIN' ISLAND!.
So maybe some sort of encrypted overlay on top of an unencrypted rootfs that can bring up enough X to type the password in might be a better plan in sane universe where different parts of the OS talk to each other.