cross-posted from: https://programming.dev/post/9319044

Hey,

I am planning to implement authenticated boot inspired by Pid Eins’ blog. I’ll be using pam mount for /home/user. I need to check integrity of all partitions.

I have been using luks+ext4 till now. I am hesitant to switch to zfs/btrfs, afraid I might fuck up. A while back I accidentally purged ‘/’ trying out timeshift which was my fault.

Should I use zfs/btrfs for /home/user? As for root, I’m considering luks+(zfs/btrfs) to be restorable to blank state.

  • Skull giver@popplesburger.hilciferous.nl
    6 months ago

    I use ZFS to do RAID on a NAS because I was too lazy to look up how to do a proper RAID setup. Works pretty well. Have had to replace two hard drives, and rebuilding seems to work just fine.

    I use BTRFS on my desktop (programming stuff mostly, but also gaming) and on the SD cards of my Steam Deck for the compression. I think ZFS would’ve suited me as well, but I didn’t want to deal with out of tree kernel modules so BTRFS made more sense.

    Timeshift works pretty well in my experience, especially when integrated with the distro package manager to automatically make snapshots before installing/upgrading packages.

    LUKS is my go-to solution, but I still need to figure out how to upgrade the LUKS PBKDF without breaking anything. I use Grub with full disk encryption (and intend to keep using it) but Grub lacks several modern key derivation functions. If you’re planning on using an alternative (i.e. unencrypted /boot, or systemd-boot) you’ll probably be better off making sure you use modern crypto. I don’t think there’s any real proof that LUKS can be broken in its normal setup, but there were rumours some French guy got arrested and had his LUKS encryption fail on him, so you never know.

      • Skull giver@popplesburger.hilciferous.nl
        6 months ago

        The French justice system isn’t like that, though. The guy assured everyone he did not give his password away, which would’ve been obvious with rubber hose cryptography.

        My guess is that he reused the password elsewhere or they were able to find a copy of the key in RAM, but it’s certainly possible that law enforcement knows something about LUKS we don’t.

          • Skull giver@popplesburger.hilciferous.nl
            6 months ago

            That’s what I said, lol. But he did claim he didn’t reuse the password, so who knows? He also could’ve used a very low number of iterations, making cracking the LUKS header feasible; the default is based on how many iterations your CPU can do in a certain amount of time, so a not-so-powerful laptop could be nerfing its own security.

            Regardless, it can’t hurt to pick a more modern PBKDF algorithm.
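
The thread's point about weak key derivation can be checked per keyslot. The script below is an added example, not part of any post in this thread: it parses LUKS2-style `cryptsetup luksDump` output and flags keyslots that use pbkdf2 or a low iteration count. The `MIN_ITER` floor and the sample dump are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the per-keyslot KDF in `cryptsetup luksDump` output (LUKS2).
# MIN_ITER is an assumed policy floor for this example, not a cryptsetup default.
MIN_ITER=${MIN_ITER:-1000000}

# Reads luksDump text on stdin, prints "<slot> <pbkdf> <cost> <verdict>" per keyslot.
audit_luks_dump() {
    awk -v min="$MIN_ITER" '
        function emit() {
            if (slot == "") return
            verdict = "ok"
            if (kdf == "pbkdf2") verdict = (n + 0 < min) ? "weak-iterations" : "legacy-kdf"
            printf "%s %s %s=%s %s\n", slot, kdf, unit, n, verdict
            slot = ""
        }
        /^Keyslots:/ { in_slots = 1; next }
        /^[A-Za-z]/  { emit(); in_slots = 0 }   # any other top-level section ends the keyslot list
        !in_slots    { next }                   # skip header, Tokens and Digests (digests have their own Iterations)
        /^[ \t]+[0-9]+: luks2/ { emit(); slot = $1; sub(/:/, "", slot); kdf = "?"; unit = "cost"; n = "?"; next }
        $1 == "PBKDF:"      { kdf = $2 }
        $1 == "Iterations:" { unit = "iter"; n = $2 }   # pbkdf2 cost
        $1 == "Memory:"     { unit = "mem";  n = $2 }   # argon2 memory cost in KiB
        END { emit() }
    '
}

# Constructed sample (not from a real device): one argon2id slot, one weak pbkdf2 slot.
sample_dump() {
    cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
  1: luks2
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 250000
Tokens:
Digests:
  0: pbkdf2
        Iterations: 1000
EOF
}

sample_dump | audit_luks_dump
```

On a real system the input would come from `cryptsetup luksDump <device>` piped into `audit_luks_dump`; whether a flagged slot can be moved to another KDF depends on what the bootloader that unlocks it supports.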