> As a cherry on top of this cake, we would also be very happy to
> understand why a non-crypted swap device on a hardware-encrypted
> disk is good enough while it is not for other partitions.

Every partition can potentially have different security requirements. Software encryption is useful for compartmentalization. Hardware FDE alone may be suitable for some partitions, which may have no additional software encryption, while other partitions have varying degrees of sensitivity. A very sensitive partition is unmounted most of the time, and mounted only on an as-needed basis. And when it is mounted, swapping is disabled, in which case swap encryption is moot. Alternatively, clear swapping may be used while an encrypted partition is mounted, but then zero-filled afterwards.

These use cases cannot be predicted by the installer. The installer should not nanny expert admins. In expert mode, all mandates should become /advice/.