Gentoo Archives: gentoo-user

From: Daniel Troeder <daniel@×××××××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure.
Date: Mon, 10 May 2010 16:49:45
Message-Id: 4BE838DB.6080104@admin-box.com
In Reply to: Re: [gentoo-user] Re: Kernel upgrade and now LUKS failure. by "Stefan G. Weichinger"
On 05/07/2010 11:14 PM, Stefan G. Weichinger wrote:
> Am 07.05.2010 16:24, schrieb Stefan G. Weichinger:
>> Am 07.05.2010 10:53, schrieb Stefan G. Weichinger:
>>
>>> I think I am gonna file a bug for this now.
>>
>> http://bugs.gentoo.org/show_bug.cgi?id=318865
>
> Aside from the potential bug:
>
> As I store the "verysekrit.key" on the same hdd as the encrypted
> device and use the rather simple shadowed password to decrypt that
> key ... isn't that just plain stupid?
>
> The overall security is just as good as my password. Cracking it with
> john opens the key to decrypting the LUKS-volume ...
>
> Yes, if I would store the key on another volume (stick or something)
> as mentioned in that howto it would make sense but in my case ...
>
> *scratches head* ;-)
>
> Stefan
I prefer to encrypt my entire hard disk. Well - a huge partition (excl.
only Windows and Solaris :) which I encrypt, then the decrypted
partition is used as a PV for LVM and all OS and partitions are in LVs.
This way I have to type in the password to decrypt the PV once, and all
LVs are decrypted. Then I have to use a second PW to log in, of course. As
all Linux distros support encrypted roots and LVM nowadays I have
Gentoo, Fedora and Ubuntu all in the same VG. The speed disadvantage is
small, as my CPU+RAM is so much faster than the HDD. But in terms of
security it's better to have everything encrypted, because it makes it
more difficult to manipulate your system to get the key (the kernel is
still unencrypted), and no possibly private information can be obtained
from /tmp and /var. I compile all needed modules into the kernel, so I
don't need to recreate my initrd for every new kernel.

Bye,
Daniel

--
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887

Attachments: signature.asc (application/pgp-signature)
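The layout Daniel describes (one LUKS partition holding an LVM PV, with root, /var, /tmp and swap as LVs, and only the kernel in an unencrypted /boot) can be audited from the block-device tree: a mountpoint is protected only if some ancestor in the tree is a dm-crypt mapping. The script below is an added example, not code from the mail or from Gentoo; it assumes the JSON shape of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` from util-linux versions that print a single `mountpoint` string (newer versions emit a `mountpoints` list, which it does not handle). The embedded sample tree is constructed to mirror the mail's layout plus one deliberately plain extra partition, so running it offline shows which mounts would leak data.

```python
import json

# Constructed sample, not real output: shaped like
# `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` on older util-linux (single
# "mountpoint" string). One LUKS partition -> LVM PV -> LVs, plus a plain
# /boot and a plain scratch partition to show what the audit flags.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null, "children": [
      {"name": "sda1", "type": "part", "fstype": "ext2", "mountpoint": "/boot"},
      {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null, "children": [
        {"name": "pv_crypt", "type": "crypt", "fstype": "LVM2_member", "mountpoint": null, "children": [
          {"name": "vg0-gentoo_root", "type": "lvm", "fstype": "ext4", "mountpoint": "/"},
          {"name": "vg0-var", "type": "lvm", "fstype": "ext4", "mountpoint": "/var"},
          {"name": "vg0-tmp", "type": "lvm", "fstype": "ext4", "mountpoint": "/tmp"},
          {"name": "vg0-swap", "type": "lvm", "fstype": "swap", "mountpoint": "[SWAP]"}
        ]}
      ]},
      {"name": "sda3", "type": "part", "fstype": "ext4", "mountpoint": "/mnt/scratch"}
    ]}
  ]
}
"""


def _walk(node, under_crypt, out):
    """Depth-first walk; a node is encrypted if it or any ancestor is a dm-crypt mapping."""
    is_crypt = under_crypt or node.get("type") == "crypt"
    mountpoint = node.get("mountpoint")
    if mountpoint:
        out[mountpoint] = {"device": node["name"], "encrypted": is_crypt}
    for child in node.get("children", []):
        _walk(child, is_crypt, out)


def mount_encryption_map(lsblk_json):
    """Map every mounted filesystem (and active swap, shown as "[SWAP]") to
    its device name and whether it lives under a dm-crypt layer."""
    tree = json.loads(lsblk_json)
    result = {}
    for device in tree["blockdevices"]:
        _walk(device, False, result)
    return result


def unencrypted_mounts(lsblk_json, allowed=("/boot",)):
    """Mountpoints with no dm-crypt ancestor, excluding those expected to be
    plaintext (the kernel in /boot, as the mail notes, cannot be encrypted here)."""
    mounts = mount_encryption_map(lsblk_json)
    return sorted(mp for mp, info in mounts.items()
                  if not info["encrypted"] and mp not in allowed)


if __name__ == "__main__":
    import sys
    # Pipe real `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output on stdin,
    # otherwise the constructed sample is audited.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSBLK_JSON
    for mp, info in sorted(mount_encryption_map(data).items()):
        state = "encrypted" if info["encrypted"] else "PLAINTEXT"
        print(f"{mp:14} {info['device']:18} {state}")
    leaks = unencrypted_mounts(data)
    print("unencrypted beyond /boot:", ", ".join(leaks) if leaks else "none")
```

On the sample tree, `/`, `/var`, `/tmp` and swap resolve to encrypted because the `pv_crypt` node of type `crypt` sits above them, `/boot` is plaintext but allowed, and `/mnt/scratch` is reported as the one mount that would expose data at rest. Swap is included on purpose: an unencrypted swap LV outside the PV would undo the point about /tmp and /var, since paged-out memory lands there.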