Richard Fish wrote:
> Alexander Skwar wrote:
>
>>Richard Fish wrote:
>>
>>>Pupeno wrote:
>>>
>>>>>I use the dm-crypt from the kernel....
>>>>>
>>>>I've read that it is unsecure and I also read that it is not yet very well
>>>>supported.
>>>>
>>>Dm-crypt is fairly well supported, since it is in the kernel, but I find
>>>it to be harder to setup
>>>
>>
>>hard to setup? How? What's hard about it?
>>
>>You just encrypt the block device and create an fs on it.
>>
>>/sbin/lvcreate -nToBeEnc -L5g sys \
>> && echo 'sekret' | /bin/cryptsetup create Crypted /dev/sys/ToBeEnc \
>> && mkfs -t reiser4 /dev/mapper/Crypted \
>> && mount /dev/mapper/Crypted /some/where
>>
>>Obviously, the lvcreate and mkfs steps are just a one time step :)
>>
>
> First, I did not say dm-crypt was "hard to setup". I said I find it
> harder to be setup than loop-AES.

Yes, you're right. But since dm-crypt is so easy to setup with
cryptsetup, I can't imagine how much more easy you want to have
it.

> Have you used both loop-AES and dm-crypt? I have.

No. dm-crypt is good enough for me. No need for something else.

Is it possible to encrypt the complete block device with loop-AES?
Or does it only encrypt a file that's afterwards loop mounted?

> If you want to know what, specifically, I find more difficult about
> cryptsetup, it is the documentation.

Well.

> The grand sum of documentation
> available for dm-crypt/cryptsetup after doing an 'emerge cryptsetup' is
> "cryptsetup --help".

Well. I didn't need more.

> And yes, I know there are better guides online, but it is not always
> possible to go online.

Well. Download the stuff and print it, or something. For me, it's
always possible to go online.

> Also, I wanted to be able to change my password. With loop-AES, this is
> a simple matter of re-encrypting my key file with a new password.
> cryptsetup makes this more difficult. Not impossible, just more difficult.

Well, no. It IS impossible. You need to create a new crypted device.

> <advice>
> Also, echoing your password on a command line to cryptsetup is an
> extremely bad idea. If an attacker happens to be on your system at that
> moment, a simple 'ps' will show them your passphrase.

How?

/bin/cryptsetup < file-with-passphrase

Where does the attacker see the passphrase?

Oh. You took my example way too literally. *echo*ing the password
is an extremely bad idea. You're of course right. But in reality
I of course don't do that. Further, I said, that the password can
be piped to cryptsetup.

Alexander Skwar
--
Paul: Good way to avoid frostbite, folks, put your hands between
your buttocks. That's nature's pocket.
--
gentoo-user@g.o mailing list
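
Added example, not part of the original message: a shell check of the point debated above, comparing a passphrase passed as a command-line argument with one read from a key file on standard input. `fake-tool`, the sample passphrase and the temporary paths are constructed stand-ins (cryptsetup is never run), and a Linux /proc is assumed.

```shell
#!/bin/sh
# Added demo, constructed for illustration. "fake-tool" is a stand-in for
# cryptsetup: it only receives a passphrase and waits. Requires Linux /proc.

SECRET='sekret-demo-passphrase'   # constructed sample value

# check_mode MODE -> prints "exposed" if SECRET appears in the stand-in
# tool's argument vector (the data ps reads), "hidden" otherwise.
#   argv  : passphrase passed as a command-line argument
#   stdin : passphrase read from a mode-0600 key file on standard input
check_mode() {
    dir=$(mktemp -d) || return 2
    mkfifo "$dir/ready" "$dir/release"
    ( umask 077; printf '%s\n' "$SECRET" > "$dir/key" )
    case $1 in
        argv)
            sh -c ': > "$1"; : < "$2"' fake-tool \
                "$dir/ready" "$dir/release" "$SECRET" & ;;
        stdin)
            sh -c 'read -r pw; : > "$1"; : < "$2"' fake-tool \
                "$dir/ready" "$dir/release" < "$dir/key" & ;;
        *)  rm -rf "$dir"; return 2 ;;
    esac
    pid=$!
    : < "$dir/ready"                      # block until the child is running
    # /proc/PID/cmdline is readable by other local users; ps prints it.
    args=$(tr '\0' ' ' < "/proc/$pid/cmdline")
    : > "$dir/release"                    # let the child exit
    wait "$pid"
    rm -rf "$dir"
    case $args in
        *"$SECRET"*) echo exposed ;;
        *)           echo hidden ;;
    esac
}

for mode in argv stdin; do
    printf '%-5s -> %s\n' "$mode" "$(check_mode "$mode")"
done
```

The two FIFOs only hold the stand-in process alive while its argument vector is read, so the result does not depend on timing.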