| 1 |
-----BEGIN PGP SIGNED MESSAGE----- |
| 2 |
Hash: SHA1 |
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
Pupeno wrote: |
| 7 |
|
| 8 |
>>I use the dm-crypt from the kernel.... |
| 9 |
> |
| 10 |
> I've read that it is unsecure and I also read that it is not yet vory well |
| 11 |
> suported. |
| 12 |
|
| 13 |
You read wrong. Dm-crypt *is* the encryption technique now used in the |
| 14 |
kernel, and it wasn't chosen out of a hat. What you do with it can make |
| 15 |
it insecure though, like a postit with the password attached to the |
| 16 |
monitor ;-) |
| 17 |
|
| 18 |
As for being supported, well if something is actually in the kernel |
| 19 |
itself (without patches), then it IS fully supported. Dm-crypt is fully |
| 20 |
supported since linux 2.6.4 |
| 21 |
|
| 22 |
Basically, as with any encryption, your secret is as safe as your |
| 23 |
password. There are of course tools to help you make your password even |
| 24 |
harder to crack, like hashalot, which basically sends your password |
| 25 |
though a pipe which hashes it into "greek" ;-) |
| 26 |
|
| 27 |
> I know I don't need a key, but I do want a key (stored in a remobable modia) |
| 28 |
> encripted with a passphrase I will be able to change, or best, my wife can |
| 29 |
> have the key protected with a different passphrase than I do. |
| 30 |
> Beyond that, encripting with a key is much better than doing that with a |
| 31 |
> passphrase because the passphrase can be cracked (dictionary attack) while |
| 32 |
> the key-encripted that can't. |
| 33 |
|
| 34 |
It seems what you are looking for with your "key" is probably a GPG key |
| 35 |
needed to unlock your drive. This is definitely possible, but you will |
| 36 |
have to do the research yourself. I do know there are tutorials to use |
| 37 |
gpg keys with encryption passsords etc... and iirc there was a tutorial |
| 38 |
for loop-AES too on their site. If you need this is another story. I |
| 39 |
know that gpg can have two separate kleys to do the same thing, so I |
| 40 |
presume separate keys and passwords are an option, but I have never |
| 41 |
ventured down that lane, as I'm not that paranoid. I use gpg myself for |
| 42 |
mailing, and encrypting certain files themselves, but I'm not paranoid |
| 43 |
enough to encrypt all my files with such heavy encryption. In fact, not |
| 44 |
even the US military is that bad. They now use 256bit AES encryption, |
| 45 |
which is the default of dm-crypt, and from an atricle I read it still |
| 46 |
would take them a couple of decades to crack. |
| 47 |
|
| 48 |
I use dm-crypt on all three of my machines (laptop, workstation and |
| 49 |
server), but none of them are fully encrypted ~ just partitions (and in |
| 50 |
one case a looped back file acting as partition). All are mounted with a |
| 51 |
simple #bash script I wrote to create the decrypted device link, ask to |
| 52 |
password, mount the device link to the filesystem. This means that none |
| 53 |
of this is found in /etc/fstab either. Users who are allowed to mount |
| 54 |
(use that script) are added into sudoers. |
| 55 |
|
| 56 |
Good luck ... |
| 57 |
Ralph |
| 58 |
-----BEGIN PGP SIGNATURE----- |
| 59 |
Version: GnuPG v1.4.0 (MingW32) |
| 60 |
|
| 61 |
iD8DBQFC6dctAWKxH5yWMT8RAttKAJ0Y+NErA8lbji5HwzG+tPWbvnbzRACfYD4t |
| 62 |
DuFFNkZcURq3r41wHxjVuBM= |
| 63 |
=slBW |
| 64 |
-----END PGP SIGNATURE----- |
| 65 |
|
| 66 |
-- |
| 67 |
gentoo-user@g.o mailing list |
Archives