In PC-BSD, for example, the default partitioning scheme has /home in a jail under /usr, with /usr on a separate partition. Ubuntu and the bevy of distributions based or derived from it place /home under the same partition as /, with the option to encrypt a user’s home directory. And depending on the size of a hard disk, Fedora and other distributions that use Anaconda follow the same script. So you can imagine what not encrypting root in these situations amount to.

Your second point leads me to believe that you have not used Fedora since Fedora 8. If you did, you’d know that all it takes to configure encrypted LVM on Fedora is one mouse click. Nothing more. Beats manually creating LUKS+LVM, initrd, and other “extremely easy” stuff. There is a short tutorial about it here.

On point 3, I am not in a position to reveal to you “what information someone can obtain from an unencrypted root partition,” but that does not been they can not. Your point here implies that encrypting root is not necessary, that encrypting Swap and /home is all that is needed. I find that hard to believe. If that had ended with the implied statement, I’d have cut you some slack, but to explicitly state that “encrypting the root partition is 99% irrelevant to security” makes my head spin. It’s still spinning. In a very bad way, that statement is funny.

Before you start defending this statement, consider this opening paragraph from the disk encryption chapter of the FreeBSD Handbook:

File permissions and Mandatory Access Control (MAC) … help prevent unauthorized third-parties from accessing data while the operating system is active and the computer is powered up. However, the permissions enforced by the operating system are irrelevant if an attacker has physical access to a computer and can simply move the computer’s hard drive to another system to copy and analyze the sensitive data.

Disk encryption is ineffective if an unauthorized party with physical access to your computer can boot it. The point of disk encryption is to deny access to data stored on your computer to people who do not have a right to read it. And there is no better way to enforce that than to make it impossible for them to boot the computer completely. Most distributions do not put /home on a separate partition, so encrypting your home directory wont do you much good.

Who had it first is not as important as who is doing it right. Btw, my suggestion to the PC-BSD development team (I’m subscribed to their testing mailing list) led to a change in the manner that disk encryption is configured. Grab a snapshot ISO image here and see for yourself.

This is a very dumb thing to say for the following reasons:

1) Slackware was the first real distribution to be able to encrypt its root partition (starting with 12.0 released June 2007) and this was documented BY Slackware and released as a README_CRYPT.TXT on the official install media. The first time Fedora was able to be installed this way that I see on Google is Fedora 8, November 2007.

2) Such a setup on Slackware Linux is extremely easy (just manually create LUKS+LVM, tell setup to install to it, make an initrd, and reboot) and much less risky (seriously, on Fedora 8 you install somewhere else and then forcefully raw-copy the data into the container setup? Data integrity alarm bells should be making you deaf by now). LUKS+LVM is officially supported by Slackware Linux since this time, and by the installer basically. To my knowledge I have yet to see any other Linux distribution that understands and can install to a fully encrypted setup like this (much less, my next point is….)

3) When you can reveal to me what information someone can obtain from an unencrypted root partition (assuming swap and /home are encrypted), let me know. Unless they can get access to the unfiltered memory on the machine (and/or cold-boot the memory but I highly doubt you’re ever going to have anyone that good pursuing your information) there is no other place to get the encryption key you supply with LUKS. The only other way to get at the data is the “angry maid” attack (which applies to both luks+lvm and any simpler setup with an initrd). At most you’re only making life a minute harder for a would-be attacker (because copies of Live Linux CDs are freely downloaded).

4) The L in LUKS stands for LINUX. They may have the necessary software by now, but they’re not Linux so why are you pestering them? I don’t see Mac or Windows being able to do this in the software level (i.e. encrypted root) so your argument is empty.

So to summarize, Slackware had it first, Slackware officially supported it first, encrypting the root partition is 99% irrelevant to security assuming you take other smart steps, and you’re unwise to rip on BSD about something that was created for Linux (LUKS and LVM).

Thanks

Simon

Setup is clean, easy to configure, nothing was too hard even for a beginner like myself. I was up and running the internet with firefox skyping with friends in 30 or 40 minutes after I stuck the CD in and booted.

I look forward to updates. Note it had trouble with my atheros wireless card and nvidia 330m.

DesktopBSD may not be completely dead. I still run it upgraded to 7.3 which is supported for a couple of years. There are people on the forums who want to resurect/fork it. It was and still is far superior to PC-BSD and you can just keep it updated by the traditional FreeBSD methods. keep an eye out for http://www.smartbsd.org