Bug 1210264

Summary: New installation option: partial disk encryption with Trusted Platform
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Sławomir Lach <slawek>
Component: YaST2
Assignee: E-mail List <yast2-maintainers>
Status: RESOLVED FEATURE
QA Contact: Jiri Srain <jsrain>
Severity: Enhancement
Priority: P5 - None
CC: slawek
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Sławomir Lach 2023-04-08 09:05:13 UTC
Currently, the installer offers full disk encryption or allows users to configure it themselves. My idea is to add unencrypted storage to save space. Only non-private data, like program executables, program data, etc., would be stored in the unencrypted storage. But... each file in the unencrypted storage should be signed, or the system denies loading it. Even program data could have a fingerprint, and the open* family of functions could be altered to return -1 and set errno when a file does not have the correct fingerprint.

Why? To reduce disk usage.
Comment 1 Stefan Hundhammer 2023-04-08 14:36:51 UTC
First of all, this is clearly a feature request, not a bug.

Why do you think dividing up the root filesystem into an encrypted and an unencrypted part would save any disk space? It only makes things more complicated; a LOT more complicated, actually.

Any minuscule performance gain by not needing to decrypt every disk block while reading would immediately be out the window by the need to constantly check everything while reading, as you suggest.

You can already verify individual or all software packages with "rpm --verify" (see "man rpm" for more details) if you want to do this every now and then. Doing it all the time would be a huge performance drain. That's basically combining all the disadvantages of an unencrypted filesystem and an encrypted filesystem into one.
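As an added illustration of the `rpm --verify` route mentioned above (example code written for this page, not part of openSUSE, YaST or rpm): a small triage script that parses the output format of `rpm -Va` (the 9-column attribute field or the word `missing`, an optional file-type letter, then the path, as documented in rpm(8)) and ranks each line by how worrying it is for integrity. The sample lines are constructed, not taken from a real system, and the severity policy is this example's own choice.

```python
import re
from dataclasses import dataclass

# Constructed sample of "rpm -Va" output (not from the bug report or a real host).
SAMPLE_OUTPUT = """\
S.5....T.    /usr/bin/ssh
.......T.    /usr/lib64/libcrypto.so.3
S.5....T.  c /etc/ssh/sshd_config
.....UG..    /var/lib/example/state.db
..?......    /usr/sbin/example-daemon
missing     d /usr/share/doc/packages/example/README
missing       /usr/bin/example-helper
"""

# Column order and meaning of the attribute field, per rpm(8) "--verify".
COLUMNS = "SM5DLUGTP"
ATTR_NAMES = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
    "U": "owner", "G": "group", "T": "mtime", "P": "capabilities",
}
# Attributes whose mismatch means the file content or its security properties differ.
CONTENT_ATTRS = {"size", "digest", "mode", "symlink", "capabilities", "device", "missing"}
# File types where local edits or absence are normal (config, doc, ghost, license, readme).
EXPECTED_CHANGE_TYPES = {"c", "d", "g", "l", "r"}

LINE_RE = re.compile(
    r"^(?P<flags>[SMDLUGTP5.?]{9}|missing)\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*)$"
)

@dataclass
class Finding:
    path: str
    severity: str  # high / medium / unverified / low / info
    reason: str

def parse_line(line):
    """Return a dict for one rpm -V line, or None if the line is not in that format."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    flags = m.group("flags")
    if flags == "missing":
        failed, untested = {"missing"}, set()
    else:
        failed = {ATTR_NAMES[ch] for ch in flags if ch in ATTR_NAMES}
        untested = {ATTR_NAMES[col] for col, ch in zip(COLUMNS, flags) if ch == "?"}
    return {"path": m.group("path"), "ftype": m.group("ftype"),
            "failed": failed, "untested": untested}

def classify(entry):
    """Rank a parsed line; the policy here is an assumption of this example."""
    path, failed, untested = entry["path"], entry["failed"], entry["untested"]
    if entry["ftype"] in EXPECTED_CHANGE_TYPES:
        return Finding(path, "info", f"{entry['ftype']}-type file: {', '.join(sorted(failed))} differs, usually expected")
    if untested:
        return Finding(path, "unverified", "could not test " + ", ".join(sorted(untested)) + " (permissions? rerun as root)")
    hit = failed & CONTENT_ATTRS
    if hit:
        return Finding(path, "high", "content or security attribute differs: " + ", ".join(sorted(hit)))
    if failed & {"owner", "group"}:
        return Finding(path, "medium", "ownership differs: " + ", ".join(sorted(failed)))
    return Finding(path, "low", "only " + (", ".join(sorted(failed)) or "nothing") + " differs")

SEVERITY_ORDER = {"high": 0, "medium": 1, "unverified": 2, "low": 3, "info": 4}

def triage(text):
    """Parse a whole rpm -V report and return findings, most worrying first."""
    findings = [classify(e) for e in map(parse_line, text.splitlines()) if e is not None]
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])

if __name__ == "__main__":
    for f in triage(SAMPLE_OUTPUT):
        print(f"{f.severity:<10} {f.path:<40} {f.reason}")
```

In practice you would feed it the real report (`rpm -Va 2>/dev/null | python3 triage.py` with a small stdin wrapper) and look first at `high` entries under `/usr/bin`, `/usr/sbin` and the library directories, then reinstall the owning package (`rpm -qf <path>`) if the change is not explained by a local update. Note that `rpm -V` compares against the database on the same disk, so it is a consistency check, not a root of trust; that is the page's point about why it cannot replace encryption or signed file loading.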
Comment 2 Sławomir Lach 2023-04-10 13:10:48 UTC
(In reply to Stefan Hundhammer from comment #1)
> First of all, this is clearly a feature request, not a bug.
> 
> Why do you think dividing up the root filesystem into an encrypted and an
> unencrypted part would save any disk space? It only makes things more
> complicated; a LOT more complicated, actually.
> 
> Any minuscule performance gain by not needing to decrypt every disk block
> while reading would immediately be out the window by the need to constantly
> check everything while reading, as you suggest.
> 
> You can already verify individual or all software packages with "rpm
> --verify" (see "man rpm" for more details) if you want to do this every now
> and then. Doing it all the time would be a huge performance drain. That's
> basically combining all the disadvantages of an unencrypted filesystem and
> an encrypted filesystem into one.

I did not calculate the CPU power needed to check checksums. And I thought disk encryption forced bigger memory usage. If that is not the case (space usage for an encrypted partition), I made a bad decision (my disk is unencrypted). If encryption on openSUSE enforces bigger space usage, maybe allow using an algorithm without bigger space usage than unencrypted data?
Comment 3 Sławomir Lach 2023-04-10 13:12:30 UTC
There is no need to encrypt some programs, such as games from Steam. And assets can take a lot of space (games weigh hundreds of GiB sometimes). So encrypting the whole disk does not make sense for some kinds of data.
Comment 4 Lukas Ocilka 2023-04-11 08:36:43 UTC
Please file this as a feature if you believe this is something that the distribution really needs:

https://code.opensuse.org/leap/features/issues
Comment 5 Stefan Hundhammer 2023-04-18 10:41:30 UTC
Encryption is one more layer between the disk's hardware and the filesystem. It needs some constant amount of disk space for its metadata, but that doesn't change if it's a smaller or a larger encrypted partition. If it needs, say, 1 MiB (I didn't check exactly how much, but it's an insignificant amount of disk space), it needs the same 1 MiB for a 5 GiB partition as for a 500 GiB partition or for a 4 TiB partition.

The basic premise behind your idea is wrong. It doesn't need more disk space for a larger partition. There are no savings for using a smaller encrypted partition.

As for large software like games, you can simply create a separate partition for them and just mount that partition. But that's your choice, and there is no generic way to do that. You could for example create a separate unencrypted partition /games or /work/games and install your games to that location. This has the added benefit that you keep the system and your user applications separate, and when you install a newer distribution, you don't need to reinstall your games, too.

But it does not make any sense to separate parts of the system and make everything more complicated. There is no benefit from that.
Comment 6 Sławomir Lach 2023-04-23 19:15:22 UTC
(In reply to Stefan Hundhammer from comment #5)
> Encryption is one more layer between the disk's hardware and the filesystem.
> It needs some constant amount of disk space for its metadata, but that
> doesn't change if it's a smaller or a larger encrypted partition. If it
> needs, say, 1 MiB (I didn't check exactly how much, but it's an
> insignificant amount of disk space), it needs the same 1 MiB for a 5 GiB
> partition as for a 500 GiB partition or for a 4 TiB partition.

I did not suggest that the result of encryption was larger when the disk has a larger capacity. I only supposed that the currently used encryption algorithm increases disk usage (compared to unencrypted data).
> 
> The basic premise behind your idea is wrong. It doesn't need more disk space
> for a larger partition. There are no savings for using a smaller encrypted
> partition.
> 
> As for large software like games, you can simply create a separate partition
> for them and just mount that partition. But that's your choice, and there is
> no generic way to do that. You could for example create a separate
> unencrypted partition /games or /work/games and install your games to that
> location. This has the added benefit that you keep the system and your user
> applications separate, and when you install a newer distribution, you don't
> need to reinstall your games, too.
> 
> But it does not make any sense to separate parts of the system and make
> everything more complicated. There is no benefit from that.

Thanks.