-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pupeno wrote:

>>I use the dm-crypt from the kernel....
>
> I've read that it is unsecure and I also read that it is not yet very well
> supported.

You read wrong. Dm-crypt *is* the encryption technique now used in the
kernel, and it wasn't chosen out of a hat. What you do with it can make
it insecure though, like a Post-it with the password attached to the
monitor ;-)

As for being supported, well if something is actually in the kernel
itself (without patches), then it IS fully supported. Dm-crypt is fully
supported since Linux 2.6.4

Basically, as with any encryption, your secret is as safe as your
password. There are of course tools to help you make your password even
harder to crack, like hashalot, which basically sends your password
through a pipe which hashes it into "greek" ;-)

> I know I don't need a key, but I do want a key (stored in a removable media)
> encrypted with a passphrase I will be able to change, or best, my wife can
> have the key protected with a different passphrase than I do.
> Beyond that, encrypting with a key is much better than doing that with a
> passphrase because the passphrase can be cracked (dictionary attack) while
> the key-encrypted that can't.

It seems what you are looking for with your "key" is probably a GPG key
needed to unlock your drive. This is definitely possible, but you will
have to do the research yourself. I do know there are tutorials to use
gpg keys with encryption passwords etc... and iirc there was a tutorial
for loop-AES too on their site. If you need this is another story. I
know that gpg can have two separate keys to do the same thing, so I
presume separate keys and passwords are an option, but I have never
ventured down that lane, as I'm not that paranoid. I use gpg myself for
mailing, and encrypting certain files themselves, but I'm not paranoid
enough to encrypt all my files with such heavy encryption. In fact, not
even the US military is that bad. They now use 256bit AES encryption,
which is the default of dm-crypt, and from an article I read it still
would take them a couple of decades to crack.

I use dm-crypt on all three of my machines (laptop, workstation and
server), but none of them are fully encrypted ~ just partitions (and in
one case a looped back file acting as partition). All are mounted with a
simple #bash script I wrote to create the decrypted device link, ask for the
password, mount the device link to the filesystem. This means that none
of this is found in /etc/fstab either. Users who are allowed to mount
(use that script) are added into sudoers.

Good luck ...
Ralph
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFC6dctAWKxH5yWMT8RAttKAJ0Y+NErA8lbji5HwzG+tPWbvnbzRACfYD4t
DuFFNkZcURq3r41wHxjVuBM=
=slBW
-----END PGP SIGNATURE-----

--
gentoo-user@g.o mailing list
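
Added example, not part of the message above and not dm-crypt or GPG code: a Python sketch of the arrangement asked about in the thread, one random volume key wrapped separately under each person's passphrase, so either passphrase can be changed without re-encrypting the disk. The slot layout, the PBKDF2 iteration count and the XOR-plus-HMAC wrapping are assumptions chosen to stay within the standard library; they are not the GPG or LUKS on-disk formats.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch
KEY_LEN = 32          # 256-bit volume key

def _derive(passphrase, salt):
    """Stretch a passphrase into a 32-byte mask and a 32-byte MAC key."""
    out = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                              ITERATIONS, dklen=2 * KEY_LEN)
    return out[:KEY_LEN], out[KEY_LEN:]

def wrap(volume_key, passphrase):
    """Build one key slot: the volume key protected by one passphrase."""
    if len(volume_key) != KEY_LEN:
        raise ValueError("volume key must be 32 bytes")
    salt = os.urandom(16)  # fresh salt, so the mask is never reused
    mask, mac_key = _derive(passphrase, salt)
    wrapped = bytes(k ^ m for k, m in zip(volume_key, mask))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}

def unwrap(slot, passphrase):
    """Return the volume key; raise ValueError on a wrong passphrase."""
    mask, mac_key = _derive(passphrase, slot["salt"])
    expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):
        raise ValueError("wrong passphrase or damaged slot")
    return bytes(w ^ m for w, m in zip(slot["wrapped"], mask))

def change_passphrase(slot, old, new):
    """Re-wrap the same volume key; the encrypted disk is untouched."""
    return wrap(unwrap(slot, old), new)

if __name__ == "__main__":
    volume_key = os.urandom(KEY_LEN)  # random, so not guessable from a dictionary
    # Constructed sample passphrases, one slot per person.
    slots = {"pupeno": wrap(volume_key, "constructed passphrase one"),
             "wife": wrap(volume_key, "constructed passphrase two")}
    slots["pupeno"] = change_passphrase(slots["pupeno"],
                                        "constructed passphrase one", "a new one")
    assert unwrap(slots["pupeno"], "a new one") == volume_key
    assert unwrap(slots["wife"], "constructed passphrase two") == volume_key
    print("both slots still open the same volume key")
```

Each slot can still be attacked offline by guessing its passphrase, so keeping the slots on removable media helps only while an attacker does not have that media; the random volume key itself is the part a dictionary attack cannot reach.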