| 1 |
On Friday 29 July 2005 04:13, Ralph Slooten wrote: |
| 2 |
> Pupeno wrote: |
| 3 |
> >>I use the dm-crypt from the kernel.... |
| 4 |
> > |
| 5 |
> > I've read that it is unsecure and I also read that it is not yet vory |
| 6 |
> > well suported. |
| 7 |
> |
| 8 |
> You read wrong. Dm-crypt *is* the encryption technique now used in the |
| 9 |
> kernel, and it wasn't chosen out of a hat. What you do with it can make |
| 10 |
> it insecure though, like a postit with the password attached to the |
| 11 |
> monitor ;-) |
| 12 |
> |
| 13 |
> As for being supported, well if something is actually in the kernel |
| 14 |
> itself (without patches), then it IS fully supported. Dm-crypt is fully |
| 15 |
> supported since linux 2.6.4 |
| 16 |
|
| 17 |
As I said in another message, what I read is that the userland tools weren't |
| 18 |
supporting dm-crypt propersy. Probably I've read something that was outdated. |
| 19 |
|
| 20 |
> Basically, as with any encryption, your secret is as safe as your |
| 21 |
> password. There are of course tools to help you make your password even |
| 22 |
> harder to crack, like hashalot, which basically sends your password |
| 23 |
> though a pipe which hashes it into "greek" ;-) |
| 24 |
> |
| 25 |
> > I know I don't need a key, but I do want a key (stored in a remobable |
| 26 |
> > modia) encripted with a passphrase I will be able to change, or best, my |
| 27 |
> > wife can have the key protected with a different passphrase than I do. |
| 28 |
> > Beyond that, encripting with a key is much better than doing that with a |
| 29 |
> > passphrase because the passphrase can be cracked (dictionary attack) |
| 30 |
> > while the key-encripted that can't. |
| 31 |
> |
| 32 |
> It seems what you are looking for with your "key" is probably a GPG key |
| 33 |
> needed to unlock your drive. This is definitely possible, but you will |
| 34 |
> have to do the research yourself. I do know there are tutorials to use |
| 35 |
> gpg keys with encryption passsords etc... and iirc there was a tutorial |
| 36 |
> for loop-AES too on their site. If you need this is another story. I |
| 37 |
> know that gpg can have two separate kleys to do the same thing, so I |
| 38 |
> presume separate keys and passwords are an option, but I have never |
| 39 |
> ventured down that lane, as I'm not that paranoid. I use gpg myself for |
| 40 |
> mailing, and encrypting certain files themselves, but I'm not paranoid |
| 41 |
> enough to encrypt all my files with such heavy encryption. In fact, not |
| 42 |
> even the US military is that bad. They now use 256bit AES encryption, |
| 43 |
> which is the default of dm-crypt, and from an atricle I read it still |
| 44 |
> would take them a couple of decades to crack. |
| 45 |
|
| 46 |
I didn't mean to use gpg to encrypt the whole file system, that would be |
| 47 |
insane. I mean that instead of using a password te encript, to use a |
| 48 |
generated key, which is stronger and to encrypt that key with a password (and |
| 49 |
keep it on a remobable media). |
| 50 |
But now that I think of it, I don't need that much security (Am I the only one |
| 51 |
that when reading about security gets paranoid ?). |
| 52 |
I'd like this: home to be encripted in a way that can be mounted thru fstab |
| 53 |
asking the passphrase at mount-time, with the posibility to change the |
| 54 |
password easily. I think that can be achieved by using a key and encripting |
| 55 |
the key on cryptoloop, or it is simpler on loop-AES, because the passphrase |
| 56 |
con be changed easily, right ? What about dm-crypt ? is the passphrase |
| 57 |
changeable ? |
| 58 |
|
| 59 |
Thanks. |
| 60 |
-- |
| 61 |
Pupeno <pupeno@××××××.com> (http://pupeno.com) |
| 62 |
Reading ? Science Fiction ? http://sfreaders.com.ar |
Archives