| 1 |
Am 04.09.2012 20:27, schrieb Michael Mol: |
| 2 |
> On Tue, Sep 4, 2012 at 2:18 PM, Florian Philipp <lists@×××××××××××.net> wrote: |
| 3 |
>> Am 04.09.2012 19:37, schrieb Hinnerk van Bruinehsen: |
| 4 |
>>> On 04.09.2012 15:48, "Roland Häder" wrote: |
| 5 |
>>>> I think I made a (tollerateable) mistake: |
| 6 |
>>> |
| 7 |
>>>> My hard drive has two partitions: - sda1 - encrypted swap - sda2 - |
| 8 |
>>>> encrypted root |
| 9 |
>>> |
| 10 |
>>>> How should it boot? One way could be by external media (e.g. |
| 11 |
>>>> stick), other is from hard drive. But that is encrypted. So I must |
| 12 |
>>>> leave a small area left for kernel, initrd, System.map and maybe |
| 13 |
>>>> config. |
| 14 |
>>> |
| 15 |
>>>> So the page at [1] is a little wrong because it misses the boot |
| 16 |
>>>> partition, so the new layout should be: - sda1 - unencrypted boot |
| 17 |
>>>> (/boot) partition - sda2 - encrypted swap (at least as double as |
| 18 |
>>>> your RAM) (crypt-swap) - sda3 - encrypted root (crypt-root) |
| 19 |
>>> |
| 20 |
>>>> Can someone update this? |
| 21 |
>>> |
| 22 |
>>>> Regards, Roland |
| 23 |
>>> |
| 24 |
>>>> [1]: http://wiki.gentoo.org/wiki/DM-Crypt |
| 25 |
>>> |
| 26 |
>>> |
| 27 |
>>> In theory grub2 is able to open a luks-encrypted volume though it |
| 28 |
>>> seems to have some disadvantages: you'll need to enter the passphrase |
| 29 |
>>> (or pass the keyfile) two times, because grub itself needs to decrypt |
| 30 |
>>> the volume to get the later stages from the encrypted volume and |
| 31 |
>>> afterwards the decryption in the bootprocess itself takes place. |
| 32 |
>>> |
| 33 |
>>> I can't give any real advice about it though, because I use an |
| 34 |
>>> unencrypted boot partition. Depending on your needs it could be an |
| 35 |
>>> increase of security, because you can stop an attacker from injecting |
| 36 |
>>> malicious code into your kernel (or replace it completely). |
| 37 |
>>> |
| 38 |
>>> WKR |
| 39 |
>>> Hinnerk |
| 40 |
>> |
| 41 |
>> |
| 42 |
>> For personal use, I see no point in using an encrypted boot partition. |
| 43 |
>> An attacker needs physical or root access to change the kernel or initrd |
| 44 |
>> in order to get to your encrypted data. In both cases, you are hosed |
| 45 |
>> anyway (keyloggers, etc.). |
| 46 |
> |
| 47 |
> Now you've got me pondering cryptographically-verified input devices. |
| 48 |
> But perhaps a paired USB key fob with a challenge/response setup would |
| 49 |
> be reasonable. |
| 50 |
> |
| 51 |
> |
| 52 |
|
| 53 |
Don't forget to look for hidden cameras or telescopes pointed at nearby |
| 54 |
windows. You also have to worry about the characteristic electromagnetic |
| 55 |
interference caused by your input devices (you don't need to wear a |
| 56 |
tinfoil hat but maybe your keyboard should ;-) ). |
| 57 |
|
| 58 |
Once you start to worry, there is no end. |
| 59 |
|
| 60 |
This seems to be of interest: |
| 61 |
http://news.cnet.com/8301-10784_3-9741357-7.html |
| 62 |
|
| 63 |
But this should not be forgotten, either: |
| 64 |
http://xkcd.com/538/ |
| 65 |
|
| 66 |
Regards, |
| 67 |
Florian Philipp |
Archives