On Mon 11 May 2020 at 10:27:48 (-0400), Celejar wrote:
> On Mon, 11 May 2020 07:36:27 -0400 Greg Wooledge <wool...@eeg.ccf.org> wrote:
> > On Sat, May 09, 2020 at 10:05:40PM -0700, Will Mengarini wrote:
> > > * Rick Thomas <rick.tho...@pobox.com> [20-05/09=Sa 20:05 -0700]:
> > > > [...] died for lack of space in /boot [...]
> > >
> > > Long ago I stopped bothering with a separate /boot, and behold, I yet
> > > live. ISTR the Debian installer doesn't default to creating one either.
> >
> > Unless you're doing some kind(s) of disk encryption. Which apparently is
> > a thing that some laptop users go for in a major way.
>
> And some desktop / server users. I'd rather not have to worry about the
> sensitive data on my disks when I decommission them / they fail.

I'm surprised that more people aren't concerned about theft, and also
their increasing obligations under confidentiality/privacy rules/laws.

> > As a non-laptop person, my understanding is that, at least with some
> > implementations of disk encryption, you need an UN-encrypted /boot to
> > get the whole thing started. After that, the root file system and any
> > other local file systems can be encrypted, and the code from /boot will
> > be able to prompt you for the passphrase or whatever.
>
> Yes. FDE including boot is doable, but it takes more work (and isn't
> necessarily worth it, depending on the threat model - see above):

I don't encrypt root because it's far too useful to be able to remotely
boot up. To keep things simple, I set up my laptops similarly, except
that unlocking is earlier, in the boot sequence rather than after the
system is fully up.

> https://cryptsetup-team.pages.debian.net/cryptsetup/encrypted-boot.html

I notice that this page (of 09 Jun 2019) mentions a typical /boot
partition of 256MB, and laments not being able to reclaim the space
if /boot is merged into the root filesystem.

Cheers,
David.