| 1 |
On Sat, Jun 6, 2020 at 3:49 AM Dale <rdalek1967@×××××.com> wrote: |
| 2 |
> |
| 3 |
> Thanks for both replies. I found one other Gentoo one but it was encrypting the whole thing, /boot and all, plus they used efi. I didn't find the one you linked too. |
| 4 |
|
| 5 |
The Gentoo guide that was linked uses an example of encrypting a partition. |
| 6 |
|
| 7 |
This is just block device layering though. You can probably stack |
| 8 |
them anyway you want as long as the various services/etc are set up to |
| 9 |
load in the right order. You could encrypt the disk and stick LVM on |
| 10 |
it. Or you could stick LVM on the disk and use LUKS on the logical |
| 11 |
volumes inside. |
| 12 |
|
| 13 |
Usually you want the encryption as close to the disk as possible |
| 14 |
because if somebody gets your disk it gives them less to work with. |
| 15 |
They don't know that you have a logical volume called "home" on it, |
| 16 |
and so on. |
| 17 |
|
| 18 |
Some more recent filesystems have encryption built into them, like |
| 19 |
zfs/etc (well, the most recent version). There can be benefits to |
| 20 |
doing it this way as the filesystem might be better able to cope with |
| 21 |
data corruption if there is some problem later. |
| 22 |
|
| 23 |
However, you can always stick dm-crypt/LUKS/etc on a physical disk and |
| 24 |
then just treat the resulting block device as if it were your disk. |
| 25 |
dm-crypt itself has very little overhead. |
| 26 |
|
| 27 |
As you pointed out, the main thing you do have to be careful about is |
| 28 |
/boot. As long as you're using an appropriate initramfs you can do |
| 29 |
just about anything else after that, but your firmware isn't going to |
| 30 |
go prompting for your LUKS password/etc. |
| 31 |
|
| 32 |
I should mention it for completeness, but I don't recommend this: you |
| 33 |
can also use ATA security with a password that unlocks the hard drive. |
| 34 |
In theory the drive should be encrypting its data when security is in |
| 35 |
use, and it makes the drive inaccessible without the password. The |
| 36 |
problem is that this is generally not audited by anybody and you have |
| 37 |
no way of knowing what the drive is doing or whether it is a secure |
| 38 |
implementation. But, I mention it for completeness, because it can be |
| 39 |
done on Linux. |
| 40 |
|
| 41 |
-- |
| 42 |
Rich |
Archives