| 1 |
Richard Fish schrieb: |
| 2 |
> Alexander Skwar wrote: |
| 3 |
> |
| 4 |
>>Richard Fish schrieb: |
| 5 |
>> |
| 6 |
>> |
| 7 |
>>>Pupeno wrote: |
| 8 |
>>> |
| 9 |
>>> |
| 10 |
>>> |
| 11 |
>>>>>I use the dm-crypt from the kernel.... |
| 12 |
>>>>> |
| 13 |
>>>>> |
| 14 |
>>>>> |
| 15 |
>>>>> |
| 16 |
>>>>I've read that it is unsecure and I also read that it is not yet vory well |
| 17 |
>>>>suported. |
| 18 |
>>>> |
| 19 |
>>>> |
| 20 |
>>>> |
| 21 |
>>>> |
| 22 |
>>>Dm-crypt is fairly well supported, since it is in the kernel, but I find |
| 23 |
>>>it to be harder to setup |
| 24 |
>>> |
| 25 |
>>> |
| 26 |
>> |
| 27 |
>>hard to setup? How? What's hard about it? |
| 28 |
>> |
| 29 |
>>You just encrypt the block device and create an fs on it. |
| 30 |
>> |
| 31 |
>>/sbin/lvcreate -nToBeEnc -L5g sys \ |
| 32 |
>> && echo 'sekret' | /bin/cryptsetup create Crypted /dev/sys/ToBeEnc \ |
| 33 |
>> && mkfs -t reiser4 /dev/mapper/Crypted \ |
| 34 |
>> && mount /dev/mapper/Crypted /some/where |
| 35 |
>> |
| 36 |
>>Obviously, the lvcreate and mkfs steps are just a one time step :) |
| 37 |
>> |
| 38 |
>> |
| 39 |
>> |
| 40 |
> |
| 41 |
> First, I did not say dm-crypt was "hard to setup". I said I find it |
| 42 |
> harder to be setup than loop-AES. |
| 43 |
|
| 44 |
Yes, you're right. But since dm-crypt is so easy to setup with |
| 45 |
cryptsetup, I can't imagine how much more easy you want to have |
| 46 |
it. |
| 47 |
|
| 48 |
> Have you used both loop-AES and dm-crypt? I have. |
| 49 |
|
| 50 |
No. dm-crypt is good enough for me. No need for something else. |
| 51 |
|
| 52 |
Is it possible to encrypt the complete block device with loop-AES? |
| 53 |
Or does it only encrypt a file that's afterwards loop mounted? |
| 54 |
|
| 55 |
> If you want to know what, specifically, I find more difficult about |
| 56 |
> cryptsetup, it is the documentation. |
| 57 |
|
| 58 |
Well. |
| 59 |
|
| 60 |
> The grand sum of documentation |
| 61 |
> available for dm-crypt/cryptsetup after doing an 'emerge cryptsetup' is |
| 62 |
> "cryptsetup --help". |
| 63 |
|
| 64 |
Well. I didn't need more. |
| 65 |
|
| 66 |
> And yes, I know there are better guides online, but it is not always |
| 67 |
> possible to go online. |
| 68 |
|
| 69 |
Well. Download the stuff and print it, or something. For me, it's |
| 70 |
always possible to go online. |
| 71 |
|
| 72 |
> Also, I wanted to be able to change my password. With loop-AES, this is |
| 73 |
> a simple matter of re-encrypting my key file with a new password. |
| 74 |
> cryptsetup makes this more difficult. Not impossible, just more difficult. |
| 75 |
|
| 76 |
Well, no. It IS impossible. You need to create a new crypted device. |
| 77 |
|
| 78 |
> <advice> |
| 79 |
> Also, echoing your password on a command line to cryptsetup is an |
| 80 |
> extremely bad idea. If an attacker happens to be on your system at that |
| 81 |
> moment, a simple 'ps' will show them your passphrase. |
| 82 |
|
| 83 |
How? |
| 84 |
|
| 85 |
/bin/crypsetup < file-with-passphrase |
| 86 |
|
| 87 |
Where does the attacker see the passphrase? |
| 88 |
|
| 89 |
Oh. You took my example way too literally. *echo*ing the password |
| 90 |
is an extremely bad idea. You're of course right. But in reality |
| 91 |
I of course don't do that. Further, I said, that the password can |
| 92 |
be piped to cryptsetup. |
| 93 |
|
| 94 |
Alexander Skwar |
| 95 |
-- |
| 96 |
Paul: Good way to avoid frostbite, folks, put your hands between |
| 97 |
your buttocks. That's nature's pocket. |
| 98 |
-- |
| 99 |
gentoo-user@g.o mailing list |
Archives