Re: [bitfolk] Notes on full disk encryption

Author: Andy Smith
Date:  
To: users
Subject: Re: [bitfolk] Notes on full disk encryption

gpg: Signature made Tue Nov 15 16:39:28 2016 UTC
gpg: using DSA key 2099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andrew James Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>" [unknown]
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>" [unknown]
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>" [unknown]
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>" [unknown]
Hi Gerald,

On Mon, Nov 14, 2016 at 10:21:10AM +0000, Gerald Davies wrote:
> Have you included encryption of /boot ?


Unfortunately BitFolk does need to extract your kernel and initramfs
from your /boot so we need to read that. Therefore that must remain
separate as xvda1, unencrypted and with no sensitive information on
it.

It might be possible to avoid this if your kernel and initramfs were
stored outside of your VPS, but the idea of keeping it inside the
VPS has a number of advantages around the package upgrade scripts
not being surprised about what they should do when a new kernel is
installed.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting